by peter


SQL Injection Explained

Risk

Risk Rating: HIGH
Likelihood: 3/5
Impact: 5/5

Causes

  • Lack of a web application firewall
  • Lack of monitoring
  • Insecure coding practices

SQL Injection Overview

Structured Query Language, or SQL (sometimes pronounced “sequel”), is the standard language used to communicate with relational databases — the systems that support every data-driven website and application on the internet. An attacker can take advantage of this very common system by entering crafted SQL into an input field so that it becomes part of the query the application sends to the database (injecting it), at which point the attacker can gain access to the database, and from there to the network and servers. As recently as November 2019, a vulnerability was discovered in phpMyAdmin, one of the world’s most widely used MySQL database management applications, that allowed attackers who created a specific username to gain access to the targeted site’s backend, allowing them to delete server configurations and revoke administrator access to the site.

What you need to know about SQL Injection

SQL injection is a type of injection attack used to manipulate or destroy databases using malicious SQL statements. SQL statements control the database of your web application and can be used to bypass security measures if user inputs are not properly sanitized.

Defending against SQL Injection attacks starts with the application code. If the code has not been written in accordance with the OWASP guidelines then it is very likely that there will be SQL Injection vulnerabilities present in addition to other vulnerabilities such as Cross Site Scripting (XSS).

Prior to application release, and then as part of an organisation’s general security program, web application penetration testing should be performed as part of the annual pentesting program.

How SQL Injection attacks happen

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.
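The mechanism described above, and the point made earlier that the defence starts in the application code, as an added example that is not part of the original post: a login query built by string concatenation next to the same query using bound parameters, run against a constructed in-memory SQLite table so it can be executed offline. Table layout, user records and the tampered input are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """'Before' version: the client's input is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """'After' version: bound parameters keep the input as data. The SQL text
    the database parses is identical no matter what the client sends."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo() -> dict:
    conn = build_db()
    # In the concatenated query this input closes the password literal and
    # appends an always-true condition, so the WHERE clause matches every row.
    # In the parameterised query it is simply a password that matches nobody.
    tampered = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_safe": login_safe(conn, "alice", "correct-horse"),
        "tampered_vulnerable": login_vulnerable(conn, "anyone", tampered),
        "tampered_safe": login_safe(conn, "anyone", tampered),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns both user rows for the tampered input, which is exactly the structural change a parameterised query prevents; input validation on top of parameterisation is defence in depth, not a substitute.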

There are a number of automated tools, run by criminals, that scan web applications across the internet and attempt to identify possible SQLi attack vectors. Tools such as SQLMap and SQLNinja are used by white hat hackers and security researchers such as ourselves, as well as by criminal elements.

Attack Sources

Because so much of the internet is built on relational databases, SQL injection attacks are exceedingly common. Searching the Common Vulnerabilities and Exposures database for “injection” returns 10,887 results.