SQL injection attacks are one of the oldest web application vulnerabilities –having been discussed since the late 1990s – but they still remain relevant today. This explainer outlines what they are, how they work, and how you can prevent them.
SQL injection – meaning and definition
An SQL injection, sometimes abbreviated to SQLi, is a type of vulnerability in which an attacker uses a piece of SQL (structured query language) code to manipulate a database and gain access to potentially valuable information. It's one of the most prevalent and threatening types of attack because it can potentially be used against any web application or website that uses an SQL-based database (which is most of them).
How do SQL injection attacks work?
To understand SQL injection, it’s important to know what structured query language (SQL) is. SQL is a query language used in programming to access, modify, and delete data stored in relational databases. Since the vast majority of websites and web applications rely on SQL databases, an SQL injection attack can have serious consequences for organizations.
An SQL query is a request sent to a database for some type of activity or function such as query of data or execution of SQL code to be performed. An example is when login information is submitted via a web form to allow a user access to a site. Typically, this type of web form is designed to accept only specific types of data such as a name and/or password. When that information is added, it's checked against a database, and if it matches, the user is granted entry. If not, they are denied access.
Potential problems arise because most web forms have no way of stopping additional information from being entered on the forms. Attackers can exploit this weakness and use input boxes on the form to send their own requests to the database. This could potentially allow them to carry out a range of nefarious activities, from stealing sensitive data to manipulating the information in the database for their own ends.
Because of the prevalence of web sites and servers that use databases, SQL injection vulnerabilities are one of the oldest and most widespread types of cyber assault. Several developments in the hacker community have increased the risk of this type of attack, most notably the advent of tools to detect and exploit SQL injection. Freely available from open source developers, these tools allow cybercriminals to automatically perform attacks in only a few minutes by allowing them to access any table or any column in the database with just a click and attack process.
Symptoms of SQLi
A successful SQL injection attack may show no symptoms at all. However, sometimes there are outward signs, which include:
- Receiving an excessive number of requests within a short timeframe. For example, you may see numerous emails from your webpage contact form.
- Ads redirecting to suspicious websites.
- Strange popups and message errors.
Types of SQL injection
Depending on how they gain access to back-end data and the extent of the potential damage they cause, SQL injections fall into three categories:
In-band SQLi:
This type of SQLi attack is straightforward for attackers since they use the same communication channel to launch attacks and gather results. This type of SQLi attack has two sub-variations:
- Error-based SQLi: The database produces an error message because of the attacker’s actions. The attacker gathers information about the database infrastructure based on the data generated by these error messages.
- Union-based SQLi: The attacker uses the UNION SQL operator to obtain the desired data by fusing multiple select statements in a single HTTP response.
Inferential SQLi (also known as Blind SQL injection):
This type of SQLi involves attackers using the response and behavioral patterns of the server after sending data payloads to learn more about its structure. Data doesn’t transfer from the website database to the attacker, so the attacker doesn’t see information about the attack in-band (hence the term ‘blind SQLi). Inferential SQLi can be classified into two sub-types:
- Time-based SQLi: Attackers send a SQL query to the database, making the database wait for a few seconds before it responds to the query as true or false.
- Boolean SQLi: Attackers send a SQL query to the database, letting the application respond by generating either a true or false result.
Out-of-band SQLi:
This type of SQL attack takes place under two scenarios:
- When attackers are unable to use the same channel to launch the attack as well as gather information; or,
- When a server is either too slow or unstable to carry out these actions.
Impact of SQL injection attacks
A successful SQL injection attack can have serious consequences for a business. This is because an SQL injection attack can:
- Expose sensitive data. Attackers can retrieve data, which risks exposing sensitive data stored on the SQL server.
- Compromise data integrity. Attackers can alter or delete information from your system.
- Compromise users’ privacy. Depending on the data stored on the SQL server, an attack can expose sensitive user information, such as addresses, telephone numbers, and credit card details.
- Give an attacker admin access to your system. If a database user has administrative privileges, an attacker can gain access to the system using malicious code.
- Give an attacker general access to your system. If you use weak SQL commands to check usernames and passwords, an attacker could gain access to your system without knowing a user’s credentials. From there, an attacker can wreak havoc by accessing and manipulating sensitive information.
The cost of an SQL injection attack is not just financial: it can also involve loss of customer trust and reputational damage, should personal information such as names, addresses, phone numbers, and credit card details be stolen. Once customer trust is broken, it can be very difficult to repair.
SQL injection examples
Over the years, many organizations have fallen victim to SQLi. Some high-profile examples include:
Fortnite, 2019
Fortnite is an online game with over 350 million users. In 2019, a SQL injection vulnerability was discovered which could let attackers access user accounts. The vulnerability was patched.
Cisco, 2018
An SQL injection vulnerability was found in Cisco Prime License Manager in 2018. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco has since patched the vulnerability.
Tesla, 2014
In 2014, security researchers announced that they were able to breach Tesla’s website using SQL injection, gaining administrative privileges and stealing user data in the process.
FAQs about SQL injection attacks
Frequently asked questions about SQLi include:
What is an SQL injection attack?
An SQL injection attack uses malicious SQL code for backend database manipulation to access private information. This information may include sensitive company data, user lists or customer details. SQL stands for ‘structured query language’ and SQL injection is sometimes abbreviated to SQLi.
What does SQL injection do?
SQL injection attacks allow attackers to spoof identity, alter existing data, disclose data on the system, destroy data or make it otherwise unavailable, and become administrators of the database server. SQL injection attacks can cause serious damage to businesses, including loss of customer trust if confidential user data is breached.
How common are SQL injection attacks?
Because they are relatively easy to implement, and because the potential reward is great, SQL injection attacks are not uncommon. Statistics vary, but it’s estimated that SQL injection attacks comprise the majority of attacks on software applications. According to the Open Web Application Security Project, injection attacks, which include SQL injections, were the third most serious web application security risk in 2021.
How to prevent SQL injection attacks
For businesses concerned about SQL injection prevention, key principles to help defend websites and web applications include:
Staff training:
Generate awareness about SQLi-based risks within the team responsible for your web application and provide necessary role-based training to all users.
Keep user input in check:
Any user input used in an SQL query introduces risk. Address input from authenticated and/or internal users in the same way as public input until it is verified. Give accounts that connect to the SQL database only the minimum privileges needed. Use whitelists as standard practice instead of blacklists to verify and filter user input.
Use latest versions:
It’s important to use the latest version of the development environment to maximize protection, since older versions may lack current safety features. Be sure to install the latest software and security patches when available.
Continuously scan web applications:
Use comprehensive application performance management tools. Regularly scanning web applications will identify and address potential vulnerabilities before they allow serious damage.
Use a firewall:
A web application firewall (WAF) is often used to filter out SQLi, as well as other online threats. A WAF relies on a large and frequently updated list of signatures that allow it to filter out malicious SQL queries. Usually, the list holds signatures to address specific attack vectors and is regularly patched in response to newly discovered vulnerabilities.
Related products:
- Kaspersky Anti-Virus
- Kaspersky Total Security
- Kaspersky Internet Security
- Kaspersky Password Manager
- Kaspersky Secure Connection
Further reading: