Today, there are various ways of representing a database. All of them require a programming language to implement. One such language is SQL. It is used to implement relational database systems. Others are built on top of SQL like PostgreSQL and MySQL. However, implementations based on SQL are prone to an attack called SQL injection. So, let us first determine what SQL injection is.
What is SQL injection?
It refers to a code injection technique the attackers use to change, delete or retrieve data from an SQL database. They achieve this through the insertion of special SQL statements in various form fields in a web application. They can destroy the data, manipulate the behavior of the database, or retrieve data.
What is more dangerous about SQL injection attacks is, when properly executed, the unauthorized user can spoof a more privileged user’s identity, insert themselves as database admins, perform modifications to the transactions and balances, destroy and/or retrieve all the data from the server.
Besides affecting the databases, SQL injection attacks also affect API endpoints that a website or a service provider. API endpoint SQL injections are more severe. Through SQL injection, the attacker can get root access to a system. Therefore, they have complete control. So far, we have referenced the term SQL query severally in this post. Before we look at how an attacker affects SQL injection, let us understand what an SQL query is.
What is an SQL query?
These are queries that are used to give commands to a database. They perform actions like deleting, updating, and retrieval of information from a database. They use various SQL elements to perform these operations based on the parameters provided by a user.
How does an attacker affect an SQL injection?
Although there are various forms that an SQL attack can take, the core vulnerability is, in most cases, the same. Attackers pass a malicious structured query to the form input of a web application that instigates various responses as per the attacker’s specification. The response helps the attacker to understand the architecture of the database. Through the response, the attacker can craft a plan for accessing the information stored in the database. The following are the approaches that a cybercriminal can use to perform an SQL injection.
Using an SQL statement that is always true
A cybercriminal can use an SQL statement that returns true always to perform an SQL injection. Instead of giving wrong information, the attacker can send a 1=1 in the query input box that returns the details of the table.
Batched SQL injection
These are a set of SQL injections that are separated by a semicolon. However, this approach can only be successful if the SQL statements are both valid.
Using an “OR =” string
This approach of this type is like the use of a true SQL statement. In this approach, the attacker needs to enter an “OR =” in the query box. The two signs act as malicious codes for breaking into the application. For example, when an attacker wants to retrieve data that belongs to another user from a database or an application, they can simply type “OR=” in the password or user ID. Such an SQL statement is both true and valid, hence returning the user data from the user table of the database.
Various types of SQL injection
There are three levels of SQL injection. They include out-of-band SQL injections, in-bound SQL injections, and Blind SQL injections. We based the classifications on the methods that they use for accessing back-end data. Let us now look at the individual types.
Blind or inferential SQL injection
In this type of SQL injection, the cybercriminal sends data payloads to the server and sees the server’s behavior and response to understand its architecture. It is called inferential SQL injection as there is no data transfer to the attacker from the database. Therefore, the attacker does not see any information regarding the attack at hand.
It depends on the behavioral patterns and the response from the server. Hence their execution is slower but is just as harmful. We can classify them into;
- Time-based SQL injections: In this type, a query is given to a database by the attacker, making it wait before it can react. The attacker can see if it is true depending on the time it takes for the database to respond. After the waiting period, the database sends an HTTP response to the attacker based on the response.
- Boolean SQL injection: in this type of attack, the attacker queries the database prompting the application to return a result. The result varies based on the truth value of the query. The information in the HTTP response can change or remain unchanged based on the result. The attacker then tries to figure out if the message yielded a false or a true result.
Out of band SQL Injections
For this type of injection to succeed, an attacker must enable certain features within the database server that a web application uses. Attackers use this form of attack as an alternative to blind SQL injection and in-band SQL injections.
Attackers perform out of bound SQL injection when they cannot use the same channel for gathering information and launching attacks or if the server is too unstable or slow to perform the actions. They rely on the server’s capacity to create HTTP or DNS requests for data transfer to the attacker.
In-band SQL injection
In this form of SQL injection attack, attackers use the same channels the attacker uses to gather the results and launch attacks on the application. Because of its efficiency and simplicity, in-band SQL injection is one of the SQL injection attacks that is most common. We can divide it into:
- Union-based SQL injection: this method leverages the SQL UNION operator. The operator fuses multiple select statements that a database generates to get a single HTTP response with information that an attacker can leverage.
- Error-based SQL injections: The attacker conducts various actions that force the database to throw error messages. They then use the data from the error message for gathering information on the structure of the database.
SQL injections are a common occurrence nowadays. Fortifying your database against them is an integral part of ensuring the security of the more extensive system. As we shall see in our next post, there are various ways that you can use to prevent this and other forms of bot attacks. Nowadays, SQL injections are more lethal, primarily when they target API endpoints.