SQL Injection: Everything You Need to Know
Accepting input from users is a core requirement for many applications. But what if threat actors lurk among your users and inject malicious commands into your app? In that case, your app has suffered a SQL injection attack. Depending on how it responds, attackers may be able to use SQL injection to steal sensitive information, destroy important data, and potentially even take control of the application and the system that hosts it. Fortunately, there are steps that developers and security teams can take to protect against SQL injection. This article unpacks them by explaining everything modern organizations need to know about SQL injection.What is SQL injection?
SQL injection attack is an attack where threat actors insert malicious commands into an application using SQL, a language commonly used for interacting with databases. Normally, SQL commands enable applications to read and write data from databases for legitimate purposes. But if attackers are able to "trick" an application into running SQL commands designed to enable malicious actions – such as displaying information from a database that should not be visible to application users – they can cause harm.SQL injection methods
There are three main types of SQL injection attacks, each of which uses a different method to inject malicious input into an application:- In-band injection: Attackers inject code into an application and view results through the same interface. This is the simplest type of SQL injection.
- Out-of-band injection: The attacker injects code into the application, and then relies on special database features, like the ability to transfer data via HTTP, to obtain sensitive information.
- Blind injection: Instead of injecting code that causes the application to display sensitive data from a database, the attacker injects commands designed to evaluate how the database is structured or configured. This information can help attackers learn more about a database so that they can in turn craft code for other types of SQL injection attacks.
SQL injection example
As an example of SQL injection, imagine a Web application that asks users to log in by entering a username into a text box and a password into another text box. After a user submits this information, the application reads the values from the text boxes and stores them as the following variables:- user, for the username
- pass, for the password
What causes SQL injection?
Most SQL injection vulnerabilities result from an application's failure to validate input properly. If attackers insert malicious SQL commands into an input field and the application simply passes those commands onto a database without checking whether the input contains malicious commands or other data, the attack is likely to be successful. For example, in the scenario above where an application was vulnerable to SQL injection when attackers enter the string " or ""=" into text boxes, the application could stop the attack by checking whether the input actually resembles usernames and passwords. Normally, characters like ' would not be part of a username, so detecting unusual values in the username field would be easy. Catching the malicious string in the password field would be harder because the set of legitimate characters that could be part of passwords is larger. But if the application compared the input in the password field to a list of commands commonly used in SQL attacks, or looked for patterns that resemble SQL commands (such as strings separated by the ' character and whitespaces), it could detect the malicious code. Unfortunately, however, basic input validation isn't always enough to prevent SQL injection. Sophisticated attackers can use special techniques to bypass standard validations. For example, many SQL commands include the characters ' or " because they are typically used to identify values that may appear inside a database table. For that reason, scanning input for these characters is a common way to detect SQL injection attempts. But in certain cases (such as a command that targets a column with a numeric name), it's possible to write valid SQL statements without using the ' or " characters – which means that checking for these characters would not block all attacks.How to prevent SQL injection
Because of these complications, there is no simple way of detecting every potential SQL injection vulnerability. But the following measures are effective for stopping most attacks:- Validate application input as thoroughly as possible, being sure to consider all potential edge cases and attack scenarios.
- Where possible, restrict the maximum length of data input. This makes it harder for attackers to inject malicious commands, which are often longer than strings like usernames.
- Scan source code to detect any instances where an application accepts input without validating it.
- Test applications for SQL injection vulnerabilities by attempting to insert malicious commands into the applications in a test environment and evaluating how the applications respond.
- Limit the output displayed on the screen when an application interacts with a database.