What is SQL injection?

Websites are exposed to a large number of security risks. One of the most widespread attacks is the injection of malicious code. Here, criminals seek to execute undesired commands, take over web applications, and falsify or steal data. Myra Security offers a web application firewall to ward off such injection attacks.


01

A definition of SQL injection

SQL injection is a commonly used attack vector. SQL is a popular database programming language used to build data structures in relational databases and to edit and query datasets based on them. Due to the widespread use of SQL, programs and web applications based on it are also very attractive to attackers.

With an SQL injection (SQLi for short), cybercriminals specifically exploit vulnerabilities in the source code of software in order to insert their own commands or malicious code into programs via input forms, for instance. This is how hackers get their hands on valuable records. Most attacks employing SQLi can be attributed to faulty scripts and programs.

The well-known “Open Web Application Security Project” (OWASP) shows just how widespread SQLi is. The OWASP Top 10 report lists injection attacks at the very top of the ten most critical security risks for web applications.

02

Example of an SQL injection

Attackers use SQL injection to tamper with databases of users, students, products, and the like. As an example, take a REST API of the kind software developers typically use to retrieve a user:

  • https://myapi.com/users/123

Without any cleaning of the input, this request would likely be turned into a query like this:

  • SELECT * from users where id = 123

If the API performs no validation or sanitization of input data, SQLi can be used to delete any user in the system. The input required for this looks something like this:

  • https://myapi.com/users/123;DELETE FROM users where id != 0

or this:

  • https://myapi.com/users/123;TRUNCATE users

If the attacker knows the database structure, they could gain admin rights by adding or updating entries in the database:

  • https://myapi.com/users/123;UPDATE users set admin = 1 where id = 456

or:

  • https://myapi.com/users/123;INSERT INTO user_roles (userId, role) VALUES (456, 'ADMIN')

Additional detailed case descriptions including code examples are available on the OWASP Foundation website.
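The following is an added example, not code from the page or from Myra: it rebuilds the API's user lookup on a constructed in-memory SQLite table, once as the non-cleaned handler from the example above (executescript() stands in for a database driver that accepts stacked statements) and once hardened with input validation and a bound parameter.

```python
import sqlite3

def make_db():
    """Constructed sample database standing in for the API's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, admin INTEGER DEFAULT 0);
        INSERT INTO users VALUES (123, 'alice', 0), (456, 'bob', 0), (789, 'carol', 0);
    """)
    return conn

def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def is_admin(conn, user_id):
    row = conn.execute("SELECT admin FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row and row[0])

def get_user_vulnerable(conn, raw_id):
    """The non-cleaned handler: the path segment is pasted straight into the SQL text.
    executescript() runs every statement in the string, mimicking a driver that allows
    stacked queries, so a ';' in the input starts a second, attacker-chosen command."""
    sql = f"SELECT * from users where id = {raw_id}"
    conn.executescript(sql)
    return sql  # returned only so callers can see what actually reached the database

def get_user_safe(conn, raw_id):
    """Hardened handler: validate the input type, then pass the value as a bound parameter.
    The database receives the query text and the value separately, so the value is never
    interpreted as SQL, whatever meta characters it contains."""
    if not raw_id.isdigit():
        raise ValueError(f"rejected non-numeric user id: {raw_id!r}")
    cur = conn.execute("SELECT id, name, admin FROM users WHERE id = ?", (int(raw_id),))
    return cur.fetchone()

if __name__ == "__main__":
    db = make_db()
    print(get_user_safe(db, "123"))                      # (123, 'alice', 0)
    get_user_vulnerable(db, "123;UPDATE users set admin = 1 where id = 456")
    print(is_admin(db, 456))                             # True: bob was silently promoted
    try:
        get_user_safe(db, "123;DELETE FROM users where id != 0")
    except ValueError as e:
        print(e)                                         # the same input is rejected outright
```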

03

How cybercriminals use SQL injection

SQL injections are possible whenever user input or other data reaches the SQL interpreter. Attackers employ special characters to try to inject their own command in order to gain access to the underlying database from the outside. Such “meta characters” include the backslash, quotation mark, apostrophe, and semicolon.

Most vulnerabilities that allow databases to be attacked via SQLi are found in the CGI scripts used for communication between web servers and other tools. If input is not escaped properly here, additional commands can be chained onto the intended query. The consequences include data leakage, data manipulation, or even full compromise of the entire server if the attacker succeeds in obtaining a shell.


04

Detecting and fending off SQLi

By the time companies discover that their software is vulnerable to SQLi attacks, it is usually too late. If the flaw in the source code is not found beforehand, it is typically noticed only through the consequences of a successful attack. Indications include data leakage, manipulation of user accounts or data records, and error messages pointing to corrupted data. Unusual queries in web server logs are also often indicative of injection attempts.

In addition, automated scanning tools help companies detect errors in source code during development, closing the gaps that SQLi attacks exploit. Penetration tests, also known as pentests, then check the integrity of the software.

WAF (Web Application Firewall) solutions also provide protection against SQLi attacks. These security solutions filter traffic based on predefined rules, differentiating between legitimate user requests and potential attacks. The level of protection provided by such technologies is largely dependent on the proper configuration of filter rules. This requires a great deal of expertise and knowledge of the specific types of traffic on each web application.
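As an added example (not part of the page and not Myra's WAF logic), this script applies a simple filter rule of the kind described above to constructed web server access-log lines: for the /users/&lt;id&gt; route the id must be a plain integer, and any request that instead carries a chained SQL statement or the meta characters named above is flagged. IP addresses, timestamps and the log format are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Simplified Apache/nginx-style access log line (constructed format for the example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_ROUTE = re.compile(r"^/users/(?P<id>[^/?]+)$")
# A semicolon followed by a statement keyword: a second command chained onto the query.
STACKED = re.compile(r";\s*(delete|update|insert|truncate|drop|select)\b", re.I)
# Meta characters: apostrophe, quotation mark, backslash, semicolon.
META = re.compile(r"""['"\\;]""")

def classify_request(path):
    """Return None for a request that meets the route's contract, else a reason string."""
    decoded = unquote(path)           # attackers often percent-encode meta characters
    m = USER_ROUTE.match(decoded)
    if not m:
        return None                   # other routes are out of scope for this rule
    raw_id = m.group("id")
    if raw_id.isdigit():
        return None                   # a plain integer id: legitimate request
    if STACKED.search(raw_id):
        return "stacked SQL statement in user id"
    if META.search(raw_id):
        return "SQL meta characters in user id"
    return "non-numeric user id"

def scan_log(lines):
    """Yield (client ip, decoded path, reason) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("path"))
        if reason:
            findings.append((m.group("ip"), unquote(m.group("path")), reason))
    return findings

# Constructed sample log: one clean lookup, the page's delete payload, a probe with an
# apostrophe that produced a server error, and an unrelated route.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /users/123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /users/123;DELETE%20FROM%20users%20where%20id%20!=%200 HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /users/123%27 HTTP/1.1" 500 88',
    '198.51.100.2 - - [10/Oct/2023:13:55:39 +0000] "GET /products/9 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path!r}: {reason}")
```

The same allowlist check (id must be an integer) belongs in the application itself; the log rule only surfaces attempts that reached the server.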


05

Sectors affected by SQL injection

Large parts of our networked world are vulnerable to injection attacks: online applications, smartphone apps, networked IoT devices, and even connected cars on the road. Any device that is reachable via the internet and has a login interface backed by an SQL database can be commandeered if a vulnerability is present. The tools and techniques used for injection attacks therefore matter far more than any particular sector.

06

The consequences of SQLi

If traffic data is manipulated as the result of an SQLi, managers in e-commerce and media companies may make the wrong strategic decisions. As a result, injection attacks can cause long-term damage that can knock companies off course for years.

When cybercriminals gain access to valuable data records, this also makes the companies affected susceptible to blackmail for huge amounts of ransom. Added to this are costs to remedy the damage and potential fines. Because if sensitive customer data falls into the hands of others as the result of an attack, those responsible may face stiff fines and even prison sentences. The severity of the penalties is set out in the applicable regulatory requirements for data security and data protection.

Also not to be underestimated are the severe effects of SQLi attacks on the image of the affected companies. Many major data breaches are attributed to successful attacks of this kind. If criminals get their hands on customer data, this can shatter trust in your company for years to come.


07

What you need to know about SQL injection

SQLi attacks are usually the most convenient way for cybercriminals to launch wide-ranging attacks on companies. Attackers typically seek to capture or manipulate valuable data records; successful SQLi attacks also open up opportunities for blackmail.

Protection against such attacks is provided by cleanly written source code with strict validation and sanitization of input data, as well as WAF solutions. The latter provide companies with flexible tools that address a variety of other threats in addition to SQLi attacks.
