SQL injection (SQLI) #OSWAP #database #wecommit100xshare

SQL Injection (SQLi) is one of the most well-known and dangerous vulnerabilities that can affect web applications. It occurs when an attacker is able to insert or manipulate SQL queries executed by the database server through the web application's user input fields. This can lead to unauthorized access to database data, manipulation of data, or even full compromise of the database server.

The Exploitation of SQL Injection in Web Applications

Web servers communicate with database servers whenever they need to retrieve or store user data. An attacker crafts input containing SQL so that, when the web server builds its query from that input and sends it to the database server, the attacker's SQL is executed as part of the application's own query.

SQL in Web Pages

SQL injection typically occurs when an application asks the user for input, such as a username or user ID, and the user supplies an SQL fragment instead. If the application concatenates that input into a query, the fragment is executed against the database without the application being aware of it.

For example:

txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The above code constructs an SQL query by directly concatenating user input (txtUserId) into the query string. Attackers can easily exploit this by supplying input containing a condition that is always true, such as x=x or 1=1.

If the attacker enters "105 OR 1=1" in the UserId field, the resulting SQL will be:

SELECT * FROM Users WHERE UserId = 105 OR 1=1;

This query returns the data of all users, not just the user with UserId = 105.

SQL Injection Example

For a better understanding of how attackers carry out an SQL injection attack, let's walk through a basic SQL injection ourselves and learn the process behind it.

Suppose we have an application based on student records. Any student can view only his or her own records by entering a unique and private student ID.

Suppose the application has an input field like the one below:

Student ID: the student enters the following in the input field: 12222345 or 1=1

Query:

SELECT * FROM STUDENT WHERE
STUDENT_ID = 12222345 OR 1 = 1

The injected condition 1=1 is always true. As you can see in the above example, the WHERE clause holds for every row, so the query returns all records and all the student data is compromised. The malicious user can use other SQL queries in the same way.

Consider the following SQL query.

Query 1:

SELECT * FROM USER WHERE
USERNAME = '' AND PASSWORD = ''

Now the malicious attacker can use the '=' operator cleverly to retrieve private and secure user information. The following query, when executed, retrieves protected data that was never intended to be shown to users.

Query 2:

SELECT * FROM USER WHERE
(USERNAME = '' OR 1=1) AND
(PASSWORD = '' OR 1=1)

Since 1=1 always holds true, the user data is compromised.

SQL Injection Types

There are different types of SQL injection attacks:

1. In-band SQL Injection

It involves sending malicious SQL queries directly through the web application’s interface and allows attackers to extract sensitive information or modify the database itself.

2. Error-based SQL Injection

Attackers provoke error messages from the web application and analyze them to gain access to confidential data or modify the database.

3. Blind SQL Injection

Attackers send malicious SQL queries and observe the application’s response. By analyzing the application’s behavior, attackers can determine the success of the query.

4. Out-of-band SQL Injection

The attacker uses a different channel to communicate with the database, which allows sensitive data to be exfiltrated from it.

5. Inference-based SQL Injection

Uses statistical inference to gain access to confidential data: attackers create queries that return the same result regardless of the input values.

Impact of SQL Injection

The hacker can retrieve all the user data present in the database, such as user details, credit card information, and social security numbers, and can also gain access to protected areas like the administrator portal. It is also possible to delete user data from the tables.

Nowadays, all online shopping applications and bank transactions use back-end database servers, so if a hacker is able to exploit SQL injection, the entire server is compromised.

SQL Injection Prevention

Developers can use the following prevention measures to prevent SQL injection attacks.

  • Input validation and user authentication: validate user input against a predefined length and type for each input field, and authenticate the user.
  • Restrict the access privileges of users and define how much data any outsider can access from the database. Basically, users should not be granted permission to access everything in the database.
  • Do not use system administrator accounts.

Preventing SQL Injection in PHP by binding parameters
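The concatenation snippet and the student-record query above share the same defect, and binding parameters is the fix this section names. The following is an added example (not code from the original article) that places the vulnerable concatenation next to a PDO prepared statement with a bound parameter; it assumes the pdo_sqlite extension, and the Users table and its rows are constructed for the demo.

```php
<?php
// Added example, not from the original article. Assumes pdo_sqlite is
// available; the Users table and its three rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)');
$pdo->exec("INSERT INTO Users (UserId, Name) VALUES (105, 'alice'), (106, 'bob'), (107, 'carol')");

// Vulnerable: the article's txtSQL pattern, user input concatenated into SQL.
// Whatever the user typed is parsed by the database as part of the statement.
function findUserConcat(PDO $pdo, string $txtUserId): array
{
    $txtSQL = "SELECT * FROM Users WHERE UserId = " . $txtUserId;
    return $pdo->query($txtSQL)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement is prepared with a placeholder and the value is bound
// afterwards, so the database has already parsed the SQL before it sees the
// input and the input can never change the query's structure.
function findUserBound(PDO $pdo, string $txtUserId): array
{
    // Input validation (the article's first prevention measure): a UserId must
    // be an integer, so anything else is rejected before reaching the database.
    $id = filter_var($txtUserId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE UserId = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$legit     = '105';          // a normal UserId
$malicious = '105 OR 1=1';   // the injected input from the article

foreach ([$legit, $malicious] as $input) {
    printf("concatenated, input %-12s -> %d rows\n", $input, count(findUserConcat($pdo, $input)));
    printf("bound,        input %-12s -> %d rows\n", $input, count(findUserBound($pdo, $input)));
}
```

Run it with the php CLI: for the injected input the concatenated query returns every row in the table, while the bound form rejects the input and returns nothing. Combine this with the least-privilege point above by connecting as a database account that can only read the tables the application needs.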
