The Most Common Types of Cyberattacks #4 – SQL Injection
SQL Injection (SQLi) is the most common attack vector, accounting for over 50% of all web application attacks nowadays.
It is a web security vulnerability that exploits insecure SQL code. Using it, an attacker can interfere with the queries an application makes to its database.
But it is not just "popular"; its consequences are also nasty!
A successful SQL injection attack can lead to unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
Even worse, sometimes an attacker can escalate an SQLi attack and attempt to compromise the underlying server or back-end infrastructure, or perhaps perform a denial-of-service attack. The first case is a complete takeover of the system; the second, a complete loss of availability.
What is SQL Injection?
Data is the central asset of Information Technology (IT) systems, and this precious asset needs to be stored somewhere, somehow. Database protocols, languages, and software take care of storing the heart of IT conveniently for a wide range of applications, and one of the most popular is Structured Query Language (SQL).
SQLi generally allows an attacker to access data they are not allowed to. This might include data belonging to other users or any other data that the application itself can access, but not just that. Depending on the vulnerability, an attacker can also modify or delete data, causing persistent changes to the application's content or behavior.
Sometimes, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
Many high-profile data breaches have resulted from SQL injection attacks, and the resulting reputational damage and regulatory fines were just a part of the outcome.
Just one month ago, security researchers found a vulnerable WordPress plugin (WP Statistics). Six hundred thousand websites have this popular component installed, so this new SQL injection flaw could allow the exfiltration of sensitive information.
SQL injection is officially 22 years old, and even though Information Security professionals have developed plenty of guidelines and tools for detecting and avoiding this dangerous flaw, it seems to be feeling young and strong.
Symptoms of SQLi
Receiving an unusually large number of requests in a short time span. For example, lots of emails from your webpage contact form.
Ads redirecting to suspicious websites.
Strange popups and message errors.
Beware that a successful SQL injection attack may show no symptoms!
This would be the case of an attacker retrieving your database's sensitive data while rate-limiting their requests to remain unnoticed.
Types of SQLi
Mixing data provided by a non-trusted source with SQL queries in the same process is risky.
These attacks result from improperly sanitized user input.
SQLi attacks can be classified by:
The kind of SQL statement that contains the exploitable code.
Whether data can be retrieved through the resulting webpage contents.
UNION-SELECT SQL Injections
The flaw is present inside an SQL "SELECT" statement, and the changes in the webpage content can be seen after performing an injection.
Usually, the payload takes the form of a "UNION SELECT..." SQL statement.
This SQLi is not frequently found nowadays, but if present, an attacker could easily compromise the confidentiality of the web app.
Here is an example of vulnerable code:
This way, one row with the columns "userID, userName and userPassword" can be retrieved from the table "articles":
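As an added illustration (not the article's own code), the following Python/SQLite snippet contrasts a SELECT built by string concatenation with one that binds the value to a placeholder. The schema (an articles table and a users table with userID, userName and userPassword columns) and the sample rows are constructed for the example; the payload is shaped like the "UNION SELECT" the text describes, and the point is that the parameterised version only ever compares it as data.

```python
import sqlite3

# Constructed demo schema (not from the article): an articles table that the
# page is meant to list, and a users table holding the columns a UNION SELECT
# payload would go after.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'First post');
        INSERT INTO articles VALUES (2, 'News', 'Second post');
        CREATE TABLE users (userID INTEGER, userName TEXT, userPassword TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-hash');
        """
    )
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, article_id: str) -> list:
    # Vulnerable pattern: the request parameter is concatenated into the
    # statement text, so the database parses whatever it contains as SQL.
    sql = "SELECT id, title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, article_id: str) -> list:
    # Hardened pattern: the value is bound to a placeholder and travels
    # separately from the SQL text, so it can only ever be compared as data.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


# A parameter value shaped like the UNION SELECT payload the article describes
# (constructed for this example).
UNION_PAYLOAD = "1 UNION SELECT userID, userName, userPassword FROM users"


def leaks_credentials(rows: list) -> bool:
    # True if any returned row carries the users table's columns instead of
    # an article, i.e. the injection changed what the query returns.
    return any(row[1:] == ("alice", "constructed-hash") for row in rows)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", fetch_article_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", fetch_article_safe(db, UNION_PAYLOAD))
```

With the concatenated query the result set gains a row from the users table; with the bound parameter the same string is compared against the integer id column, matches nothing, and the application simply shows an empty page.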
Blind SQL Injections
This is the case when it is impossible to see the query output or error messages.
This case is more common in practice. It is also more difficult to exploit.
Here the attacker will use small differences in the resulting webpage content, server response codes, or timing.
The target is to manipulate "WHERE" or "IF" SQL clauses.
An example using timing:
Injections in INSERT and UPDATE Statements
This case can be even worse than the previous ones. It may allow not only the exfiltration of sensitive information but also its modification, thereby compromising integrity. The resulting output after injection is usually displayed on the screen for these vulnerabilities.
SQLi is one of the oldest, most successful, and most prevalent attacks against web apps. You will not be surprised to learn that plenty of tools and frameworks exist to perform these attacks.
SQLMAP is the most popular tool. It is so specialized that it even includes techniques for:
Bypassing Web Application Firewalls (WAFs).
Compromising the underlying system after database exploitation.
Top SQLi Attacks Statistics
SQL injection is not going anywhere soon.
According to the Akamai "State of the Internet" report 2020, SQLi accounts for almost 80% of all attacks against retail, travel, and hospitality web apps between 2018 and 2020:
How can you defend against SQLi Attacks?
The root solution is at the code level:
User input needs to be sanitized, and dangerous characters escaped.
The best approach is to separate data from queries and commands. For example, use a safe API that does not pass the data through the interpreter.
Blacklisting should be avoided. It is prone to errors, as it is easy to forget a harmful input pattern. Whitelisting is recommended.
We can make use of programming languages' built-in filtering functions, like PHP's "FILTER_SANITIZE_EMAIL", "FILTER_SANITIZE_NUMBER_FLOAT", etc.
As mitigation measures, rate-limit queries and cap their results (for example, using LIMIT clauses). Also, consider running them only in low-privileged processes.
Yet, it is possible someone misses something, and the web app still has a sneaky way of being exploited.
Adding a good WAF is of key importance. It will filter maliciously crafted payloads and prevent automated attacks.
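The whitelisting and LIMIT advice above, worked through in Python as an added example that is not the article's code: a request handler for a page in the style of the listproducts.php page mentioned later, whose "cat" parameter is validated against an allow-list before any SQL is built, then bound to a placeholder, with the result size capped. The products table, the row counts and the e-mail check for a contact form are constructed assumptions for this example.

```python
import re
import sqlite3

MAX_ROWS = 50  # hard cap on rows per response: the LIMIT mitigation

# Allow-list patterns: a request value either matches completely or is refused.
CATEGORY_RE = re.compile(r"[0-9]{1,9}")
PAGE_RE = re.compile(r"[0-9]{1,4}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def validate_category_id(raw: str) -> int:
    # Only plain decimal digits pass, so "1 UNION SELECT ..." never reaches SQL.
    if not CATEGORY_RE.fullmatch(raw):
        raise ValueError("cat must be a plain positive integer")
    return int(raw)


def validate_page(raw: str) -> int:
    if not PAGE_RE.fullmatch(raw):
        raise ValueError("page must be a small non-negative integer")
    return int(raw)


def is_valid_email(raw: str) -> bool:
    # Allow-list check for a contact-form address field (constructed pattern).
    return len(raw) <= 254 and EMAIL_RE.fullmatch(raw) is not None


def build_demo_db() -> sqlite3.Connection:
    # Constructed products table: 60 items in category 1, 20 in category 2.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, category) VALUES (?, ?)",
        [(f"item-{n}", 1 if n < 60 else 2) for n in range(80)],
    )
    return conn


def handle_list_products(conn: sqlite3.Connection, params: dict) -> dict:
    # Validate first, bind second, cap the result size third.
    try:
        cat = validate_category_id(params.get("cat", ""))
        page = validate_page(params.get("page", "0"))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    rows = conn.execute(
        "SELECT id, name FROM products WHERE category = ? ORDER BY id LIMIT ? OFFSET ?",
        (cat, MAX_ROWS, page * MAX_ROWS),
    ).fetchall()
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_list_products(db, {"cat": "1 UNION SELECT 1,2,3"}))
    print(len(handle_list_products(db, {"cat": "1"})["rows"]), "rows")
```

The allow-list is the first line of defence: a value that is not purely digits is rejected with a 400 before the database is involved, so no escaping logic has to anticipate every harmful input. The placeholder and the LIMIT are independent safety nets, which is why all three are applied even though any one of them would stop this particular request.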
How can BitNinja protect against SQLi Attacks?
BitNinja provides security in different key layers:
The WAF 2.0 module is a fast, Nginx-based, fully transparent proxy in charge of filtering the attacks coming to you.
The Captcha modules cover you against automation tools, checking whether a bot or a human is making a request.
As we can see, the PHP page "listproducts.php" has a GET parameter "cat" where numbers are passed to display different pages.
Sqlmap works by trying several typical injection commands for different databases (MySQL, SQL, Oracle, etc.). Many parameters can be specified to make the program work better. For example:
The underlying database technology (if it is known).
Which type of injection is likely to be present.
User-agent for bypassing firewalls.
If none of these is given, sqlmap will make its own assumptions anyway, assess, and exploit if possible.
If not run in batch mode, the injection process is guided, and options to refine the process are given:
A vulnerability was found! More than one type of injection succeeded:
And we got the databases listing:
Next, sqlmap could be used to get tables, columns, and users, to download all the databases, and even to try to get a shell on the underlying system.
BitNinja would have detected the automated attack and blacklisted the malicious IP.
SQL Injection (SQLi) FAQs
How may I detect SQLi attempts by looking at my log files?
Check if present:
A larger number of new queries than usual.
Unique and/or unusually structured queries.
Queries whose output is not relevant to your application, yet which reveal information about the database structure.
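The three log checks above can be automated. As an added example (not the article's code, and not a BitNinja feature), the following Python script parses a few constructed web-server access-log lines, url-decodes each query string, flags parameters that carry quotes, SQL comment markers, statement keywords or the timing functions used in blind injection, and separately flags any source IP whose request rate inside a sliding window exceeds a threshold. The log lines, IP addresses, thresholds and signature list are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic): one ordinary visitor and
# one source sending SQL-shaped parameters followed by a burst of requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2021:12:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/May/2021:12:05:02 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/May/2021:12:00:03 +0000] "GET /listproducts.php?cat=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/May/2021:12:00:04 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
] + [
    f'198.51.100.7 - - [10/May/2021:12:00:{5 + i:02d} +0000] "GET /listproducts.php?cat={i} HTTP/1.1" 200 512'
    for i in range(6)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Signatures of "unusually structured" query strings: quotes, SQL comment
# markers, statement keywords and the timing functions used by blind SQLi.
SIGNATURES = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "sql-keyword": re.compile(r"\b(union|select|insert|update|information_schema)\b", re.I),
    "timing-function": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
}


def parse_line(line: str):
    # Returns a dict for a well-formed line, None for anything unparseable.
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": unquote_plus(path),  # decode %27, %20 ... before matching
        "status": int(status),
    }


def sqli_signatures(decoded_path: str) -> list:
    query = decoded_path.partition("?")[2]  # only the parameters are untrusted
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def bursty_sources(entries: list, threshold: int, window_seconds: int) -> dict:
    # Peak number of requests any single IP made inside a sliding time window.
    window = timedelta(seconds=window_seconds)
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        j, peak = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def analyze(lines: list, burst_threshold: int = 5, window_seconds: int = 10) -> dict:
    entries = [e for e in map(parse_line, lines) if e]
    hits = []
    for e in entries:
        sigs = sqli_signatures(e["path"])
        if sigs:
            hits.append({"ip": e["ip"], "path": e["path"], "signatures": sigs})
    return {
        "payload_hits": hits,
        "bursty_ips": bursty_sources(entries, burst_threshold, window_seconds),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["payload_hits"]:
        print(hit)
    print(report["bursty_ips"])
```

Decoding before matching matters: the same payload appears in the raw log as %27 and %20 sequences, which a signature written against the literal quote would miss. The burst check catches the quieter case the article warns about, where individual requests look harmless and only the volume from one source gives the scan away.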
How does the BitNinja Malware Detection Module protect you against SQLi?
The BitNinja Captcha and WAF 2.0 modules are your first lines of defense against an SQLi attack.
However, if the attack succeeds, the attacker may try to infect your web app with malware, install a backdoor, or get to the underlying system.
Now, the BitNinja Anti-Malware Module comes into play. It analyzes all files, blocks the malicious IPs involved, and goes all the way to detect the origin of the infection.
SQL injection attacks are still of big concern nowadays. Cybersecurity is not optional anymore. It is a must! If you haven't tried BitNinja yet, don't forget to register for the 7-day free trial! No credit card is needed!