A SQL injection (SQLi) attack is one of the most threatening issues for data integrity and confidentiality today, allowing attackers to access secure data where they are not authorized. In this article, we discuss SQLi and how these attacks work, with types and examples.
What Is a SQL Injection?
SQL injection or insertion is a malicious attack technique that exploits vulnerabilities of SQL-based applications. With SQLi, hackers inject arbitrary code into SQL queries, which allows them to directly add, modify, and delete records stored in a database. SQLi attacks can affect any web application or website involved with a SQL database, such as MySQL, SQL Server, Oracle, and others.
Hackers inject arbitrary code into SQL queries, which allows them to directly add, modify, and delete records stored in a database.
The first public discussions of SQLi were started in 1998 by Jeff Forristal. Forristal said in an interview on SQLi, “I can completely change the way SQL works.” In 2017, the Open Web Application Security Project (OWASP) listed injection as the most prevalent threat to vulnerable web applications.
Hackers may use SQLi attacks for unauthorized access to sensitive data, such as personal information, business data, customer data, or trade secrets. SQLi attacks make it possible to execute malicious SQL statements that can control the database server behind a web application.
Attackers can use SQL vulnerabilities to bypass application security, and they can go around authorization and authentication of a web application to retrieve data from the entire database.
How Does a SQL Injection Attack Work?
SQL (Structured Query Language) is a standardized programming language designed to manage data stored in relational databases. A SQLi attack consists of an injection or insertion of a SQL query through input data. The SQL commands are injected into a data-plane input that attacks the execution of predefined SQL commands.
A SQLi attack consists of an injection or insertion of a SQL query through input data.
To perform a SQLi attack, attackers locate a vulnerable input into a website or web application. Then, they exploit this vulnerability, using user input in the form of the SQL query. The attacker executes a particularly crafted SQL command as a cyber intrusion. The code helps acquire a response that provides a clear idea of the database’s construction, allowing complete access to the database.
The attacks performed using SQLi can be varied depending on the type of database engine, but all SQLi attacks work on dynamic SQL statements. SQLi and its variants can be tricky.
Some common variants of SQLi may include:
- User input-based SQLi
- Cookie-based SQLi
- HTTP headers-based SQLi
- Second-order SQLi
Read more on eSecurity Planet: How to Prevent SQL Injection Attacks in 2021
Examples of SQL Injection Attacks
A SQLi attack is one of the most common attack techniques, so there are many examples available. Some popular attempts using SQLi are given below.
- In 2002, Jeremiah Jacks discovered that Guess.com was open to a SQLi attack, permitting the attacker to construct a properly crafted URL to pull down every name, credit card number, and expiration date in the 200,000+ customer database.
- In 2007, the Microsoft UK website was defaced by a computer criminal using SQLi.
- In 2010, during the Swedish general election, a SQLi was attempted through hand-writing SQL commands as part of a write-in vote.
- In 2015, a SQLi attack attempted to steal customers’ details from British telecommunications company TalkTalk’s servers. The attacker exploited the vulnerability in a legacy web portal.
- In 2021, an attacker stole 70 gigabytes of data from the far-right website Gab using a SQLi attack. Gab’s own CTO Fosco Marotto introduced the vulnerability into the Gab codebase.
Read more on CIO Insight: Top Cyber Security Threats to Organizations
Types of SQL Injections
SQLi can be classified based on the methods used to access backend data and their damage potential. SQL injections are typically classified under three major categories:
- In-band SQLi (Classic)
- Inferential SQLi (Blind)
- Out-of-band SQLi
In-Band (Classic) SQLi
In-band (Classic) SQLi is one of the most common types of SQLi attacks. The attacker uses the same communication channel to launch their attacks and gather their results. In-band SQLi has two sub-variations.
- Error-based SQLi: This technique relies on error messages thrown by the database server to gather information about the database structure.
- Union-based SQLi: This technique leverages the UNION SQL operator to combine the results of SELECT statements to get a single HTTP response. The data of the response can then be leveraged by the attacker.
Inferential (Blind) SQLi
Inferential (Blind) SQLi relies on the response and behavioral patterns of the server, so execution is typically slower — but may be more harmful. An attacker can send payloads to the server and observe servers’ responses and behavior for reconstructing the database structure. Inferential SQLi has two sub-variations.
- Boolean-based SQLi: An attacker sends a SQL query to the database that forces the application to return a result. Based on the result, the information within the HTTP response will be modified or not.
- Time-based SQLi: This technique relies on sending a SQL query that forces the database to wait for a specified amount of time (in seconds) before a response. The response time will indicate whether the result of the query is TRUE or FALSE.
It is the least common of SQLi attacks. The out-of-band SQLi technique relies on the database server to make DNS or HTTP requests, delivering data to an attacker. This attack occurs when an attacker cannot use the same channel to launch the attack and gather results. Out-of-band SQLi offers an alternative to inferential time-based techniques, especially when the responses of a server are not stable.
Out-of-band SQLi offers an alternative to inferential time-based techniques, especially when the responses of a server are not stable.
Every organization needs to focus on protecting its valuable information from SQLi attacks. There are many automatic detection tools available to test for these vulnerabilities. A layered approach that includes data-centric strategies can be the optimal defense for SQLi attacks, where data focuses on protecting itself, as well as the applications and network.
Read next: SQL Performance Tuning Best Practices