Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.
02
Example of an SQL injection
Attackers use SQL injection to manipulate databases holding records for users, students, products and the like. In the following example, the application's developers expose a REST API for retrieving a user:
https://myapi.com/users/123
Without any cleaning of the input, this request would likely be turned into a query like this:
SELECT * from users where id = 123
If the API performs no validation or sanitising of the input, SQLi can be used to delete any user in the system (this works wherever the database driver executes several statements sent in one request). The input required for this looks something like this:
https://myapi.com/users/123;DELETE FROM users where id != 0
or this:
https://myapi.com/users/123;TRUNCATE users
If the attacker knows the database structure, they could grant themselves admin rights by adding or updating entries in the database:
https://myapi.com/users/123;UPDATE users set admin = 1 where id = 456
or:
https://myapi.com/users/123;INSERT INTO user_roles (userId, role) VALUES (456, 'ADMIN')
Additional detailed case descriptions including code examples are available on the OWASP Foundation website.
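The following is an added example, not code from the original page or from OWASP: it rebuilds the vulnerable lookup above on an in-memory SQLite table (constructed sample data), runs the first attack URL against it, and puts the hardened version beside it. sqlite3's executescript() stands in for a driver that accepts stacked statements; the function names and the users table layout are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data (not from the original page): two ordinary users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                            admin INTEGER NOT NULL DEFAULT 0);
        INSERT INTO users VALUES (123, 'alice', 0), (456, 'bob', 0);
    """)
    return conn

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def get_user_vulnerable(conn, raw_id):
    """The raw path segment is pasted into the SQL text, as in the example above.
    executescript() runs every statement in the string, mirroring a driver that
    permits stacked queries (sqlite3's execute() would refuse them), so a ';' in
    the input appends a second statement to the developer's SELECT."""
    conn.executescript(f"SELECT * FROM users WHERE id = {raw_id}")

def get_user_safe(conn, raw_id):
    """Validate the type first, then let the driver bind the value: the input is
    never parsed as SQL, so a ';' or a keyword inside it is just data."""
    if not raw_id.isdigit():
        raise ValueError(f"user id must be an integer, got {raw_id!r}")
    return conn.execute("SELECT id, name, admin FROM users WHERE id = ?",
                        (int(raw_id),)).fetchone()

def restrict_to_reads(conn):
    """Defence in depth: the read endpoint's connection may only SELECT, the way a
    least-privilege database account would be set up on a real server. Even the
    vulnerable function then fails with 'not authorized' instead of deleting."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                      sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

if __name__ == "__main__":
    payload = "123;DELETE FROM users WHERE id != 0"   # the first attack URL above
    db = make_db()
    get_user_vulnerable(db, payload)
    print("vulnerable endpoint, users left:", count_users(db))   # 0
    db = make_db()
    try:
        get_user_safe(db, payload)
    except ValueError as err:
        print("hardened endpoint rejected input:", err)
    print("hardened endpoint, users left:", count_users(db))     # 2
```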
06
The consequences of SQLi
If traffic data is manipulated as the result of an SQLi, managers in e-commerce and media companies may make the wrong strategic decisions. As a result, injection attacks can cause long-term damage that can knock companies off course for years.
When cybercriminals gain access to valuable data records, the affected companies also become vulnerable to extortion for huge ransoms. On top of this come the costs of remedying the damage and potential fines: if sensitive customer data falls into the hands of others as the result of an attack, those responsible may face stiff fines and even prison sentences. The severity of the penalties is set out in the applicable regulatory requirements for data security and data protection.
The severe effects of SQLi attacks on the image of the affected companies should also not be underestimated. Many major data breaches are attributed to successful attacks of this kind. If criminals get their hands on customer data, this can shatter trust in your company for years to come.