SQL Injection
What is SQL Injection (SQLi)?
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around the authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.
An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities.
Types of attacks conducted using SQL Injection
Although the effects of a successful SQL injection attack vary based on the targeted application and how that application processes user-supplied data, SQL injection can generally be used to perform the following types of attacks:
- Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
- Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.
- Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or, more likely, to insert malicious content into otherwise innocuous web pages.
- Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm, or to delete log or audit information in a database.
- Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution.
How to Prevent SQL Injections (SQLi) – Generic Tips
Preventing SQL Injection vulnerabilities is not easy. Specific prevention techniques depend on the subtype of SQL vulnerability, on the SQL database engine, and on the programming language. However, there are certain general strategic principles that you should follow to keep your web application safe.
STEP 1
Train and maintain awareness
To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with SQL Injections. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins.
STEP 2
Do not trust any user input
Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of an SQL Injection. Treat input from authenticated and/or internal users the same way that you treat public input.
STEP 3
Use whitelists, not blacklists
Do not filter user input based on blacklists. A clever attacker will almost always find a way to circumvent your blacklist. If possible, verify and filter user input using strict whitelists only.
STEP 4
Adopt the latest technologies
Older web development technologies do not have built-in SQLi protection. Use the latest version of the development environment and language and the latest technologies associated with that environment/language.
STEP 5
Employ verified mechanisms
Do not try to build SQLi protection from scratch. Most modern development technologies offer mechanisms to protect against SQLi. Use such mechanisms instead of trying to reinvent the wheel. For example, use parameterized queries or stored procedures.
STEP 6
Scan regularly
SQL Injections may be introduced by your developers or through external libraries/modules/software. You should regularly scan your web applications using a web vulnerability scanner.
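The following added example (not code from the original article) puts STEP 3 and STEP 5 side by side: a login check that concatenates user input into the query, and the same check rewritten with a strict allowlist on the username plus a parameterized query. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table contents and the username pattern are assumptions for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the article). Plain-text
    passwords are used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so a quote inside the
    input changes the structure of the query instead of staying data."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


# STEP 3: strict allowlist for the field whose format we control (assumed
# policy: lowercase letter, then 2-31 lowercase letters, digits or underscores).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def login_safe(conn, username, password):
    """Allowlist check on the username, then a parameterized query (STEP 5):
    the driver sends '?' values as data, so they can never become SQL."""
    if not USERNAME_RE.fullmatch(username):
        return None
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # The textbook authentication-bypass input: the leading quote closes the
    # password literal and the OR makes the WHERE clause true for every row.
    bad_password = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", bad_password))  # row returned
    print("safe:      ", login_safe(conn, "alice", bad_password))        # None
    print("safe, real:", login_safe(conn, "alice", "s3cret"))            # row returned
```

The same pattern applies to any driver that supports placeholders; the allowlist is a second layer, not a substitute for the parameterized query.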