Nowadays, data is considered the most vital component of information systems and an integral part of cyberspace. Firms and companies deploy web applications that use a database to store data about their website's customers. SQL, short for Structured Query Language, is the language used for retrieving and manipulating the data in such a database. In this chapter, you will learn how a logic flaw in the way applications build SQL statements can be used to penetrate those applications and steal data, a technique known as SQL injection.
What is a SQL Injection?
SQL injection, abbreviated as SQLi, is a widely used database attack technique that poisons dynamically built SQL statements: attacker-supplied input completes a query fragment or appends an extra condition that makes the statement's logic evaluate to true. The technique takes advantage of design flaws in poorly constructed web applications to make the database run attacker-controlled SQL code.
Working of SQL Injection
The attacks that can be carried out through SQL injection vary with the database engine in use. SQLi targets SQL statements that are dynamic in nature. A dynamic SQL statement is one that is generated at run time from parameters passed in from a web form or a URI query string.
Consider a website offering a bill-payment service. It might ask for the user's account number in a web form and send that value to the database to pull up the associated account data. If the web application builds a dynamic SQL query string, it might look something like:
"SELECT * FROM cust WHERE acct = '" + userGivenAcctNo + "';"
The query above works well for users who enter a genuine account number; however, it leaves the door open to SQLi. When an attacker supplies the account number ' or '1' = '1, the backend query string becomes:
"SELECT * FROM cust WHERE acct = '' or '1' = '1';"
Since '1' = '1' always evaluates to a logical TRUE, the WHERE clause matches every row, and running this statement against the database returns the data of every customer in that table.
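The account lookup described above, as an added Python example that is not part of the original chapter: the vulnerable concatenation from the text is reproduced next to a parameterized version and both are run against a constructed in-memory SQLite table. The `cust` table layout, its rows and the function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the billing database in the text.
SAMPLE_CUSTOMERS = [
    ("1001", "Alice", 120.50),
    ("1002", "Bob", 80.00),
    ("1003", "Carol", 0.00),
]


def make_db():
    """Build an in-memory SQLite database holding the page's 'cust' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cust (acct TEXT PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO cust VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def build_dynamic_query(user_given_acct_no):
    """VULNERABLE: the dynamic SQL string from the text, built by concatenation.
    Whatever the user typed becomes part of the SQL grammar."""
    return "SELECT * FROM cust WHERE acct = '" + user_given_acct_no + "';"


def lookup_dynamic(conn, user_given_acct_no):
    """VULNERABLE: executes the concatenated statement exactly as built."""
    return conn.execute(build_dynamic_query(user_given_acct_no)).fetchall()


def lookup_parameterized(conn, user_given_acct_no):
    """HARDENED: the '?' placeholder is bound by the driver, so the input is
    always compared as one string value and is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM cust WHERE acct = ?", (user_given_acct_no,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    honest = "1002"
    tautology = "' or '1' = '1"  # the input discussed in the text
    print(build_dynamic_query(tautology))
    print("dynamic, honest input:    ", lookup_dynamic(db, honest))
    print("dynamic, tautology input: ", lookup_dynamic(db, tautology))
    print("parameterized, tautology: ", lookup_parameterized(db, tautology))
```

With the honest input both functions return Bob's single row. With the tautology, `lookup_dynamic` returns all three customers because the WHERE clause has become `acct = '' or '1' = '1'`, while `lookup_parameterized` returns nothing: the database looks for an account literally named `' or '1' = '1` and finds none.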
Protect Yourself from SQL Injection Attacks
Here are some suggestions that can help you prevent an SQL injection attack:
- Do not use dynamic SQL: Avoid placing user-supplied input directly into SQL statements. Use parameterized queries so that user data reaches the database as bound values rather than as part of the statement text; this protects your system from SQLi.
- Do not leave sensitive credentials in plain text: Keep confidential data in your database in encrypted form. If attackers gain access to your backend through SQLi, they will then be unable to exfiltrate the sensitive information in a usable form.
- Filter user-provided input: Code your backend to validate input and to escape or filter out the characters that need escaping.
- Restrict database permissions and privileges: Database access should be kept at the bare minimum required. Likewise, share the backend code with as few members of your technical team as possible.
- Avoid displaying database errors to the user. Attackers use these error messages to learn your database type and version, and some error messages reveal the path of the database on the server. Such disclosure weakens your web application's security.
- You can also use a Web Application Firewall (WAF) to protect your database from SQLi attacks.
- Keep your database systems and versions updated with the latest available patches. This fixes known bugs, so attackers cannot use those bugs to gain access to your database.
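Three of the list items above (filtering input, keeping database errors away from the user, and restricting database privileges) applied to the same account lookup, as an added Python example that is not part of the original chapter. The allow-list rule for account numbers, the use of SQLite's authorizer as a stand-in for a least-privilege database account, the `cust` table and its rows are all assumptions.

```python
import logging
import re
import sqlite3

log = logging.getLogger("billing")

# Assumed business rule: an account number is 4 to 12 decimal digits.
# Checking input against an allow-list is more robust than trying to
# escape every character that might be dangerous.
ACCT_NO_RE = re.compile(r"[0-9]{4,12}")

# What the user sees when the database fails; the real reason goes to the log.
GENERIC_ERROR_MESSAGE = "The request could not be completed. Please try again later."

# Constructed sample data standing in for the billing database.
SAMPLE_CUSTOMERS = [
    ("1001", "Alice", 120.50),
    ("1002", "Bob", 80.00),
]


def read_only_authorizer(action, arg1, arg2, db_name, trigger_name):
    """Stand-in for a least-privilege database account: the connection used
    by the web tier may only SELECT and read columns; every other action
    (INSERT, UPDATE, DELETE, DROP, PRAGMA, ...) is refused by SQLite."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_web_tier_db():
    """Create and populate the table with full rights, then lock the
    connection down to read-only before it is used for request handling."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cust (acct TEXT PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO cust VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    conn.set_authorizer(read_only_authorizer)
    return conn


def make_broken_db():
    """A connection with no 'cust' table, used to exercise the error path."""
    return sqlite3.connect(":memory:")


def validate_acct_no(raw):
    """Allow-list check: return the value if it has the expected shape,
    otherwise None. A tautology such as ' or '1' = '1 never gets through."""
    if isinstance(raw, str) and ACCT_NO_RE.fullmatch(raw):
        return raw
    return None


def fetch_account(conn, raw_acct_no):
    """Request handler: returns (status, payload) where payload is safe to
    show to the user. Database error details are logged, never returned."""
    acct = validate_acct_no(raw_acct_no)
    if acct is None:
        return ("rejected", "Account number must be 4 to 12 digits.")
    try:
        row = conn.execute(
            "SELECT acct, name, balance FROM cust WHERE acct = ?", (acct,)
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("account lookup failed for %r: %s", acct, exc)
        return ("error", GENERIC_ERROR_MESSAGE)
    if row is None:
        return ("not_found", None)
    return ("ok", row)


def attempt_write(conn):
    """Show what the locked-down connection does with a data-changing
    statement: SQLite refuses it, so a write that somehow reached this
    connection cannot damage the table."""
    try:
        conn.execute("DELETE FROM cust")
    except sqlite3.Error:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    db = make_web_tier_db()
    for candidate in ("1002", "9999", "' or '1' = '1", "1002; DROP TABLE cust"):
        print(repr(candidate), "->", fetch_account(db, candidate))
    print("DELETE on web-tier connection:", attempt_write(db))
    print("missing table ->", fetch_account(make_broken_db(), "1002"))
```

The three controls are layered on purpose: validation rejects malformed input before it reaches the database, the parameterized SELECT keeps even well-formed input out of the SQL grammar, and the read-only authorizer limits the damage if either of the first two is ever bypassed. The error path returns the same generic message whatever went wrong, so a failing query tells the user nothing about the engine or its file paths.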