Structured Query Language Injection is a way of code modification technique which is used to change the data from SQL databases. By using this command, any unauthorized user can use to identify a more privileged user. In modern technique, SQL injection occurs over the internet by sending queries to an API endpoint. Some query field is normally populated from the data.
According to Halfond, “SQL injection vulnerabilities have been described as one of the most serious threats for web applications. Web applications that are vulnerable to SQL injection may allow an attacker to gain complete access to their underlying databases. Because these databases often contain sensitive consumer or user information, the resulting security violations can include identity theft, loss of confidential information, and fraud”.
Types of SQL injections
In-band SQLi
In-band SQLi’s is one of the most common of SQLi attacks amongst all the SQL injection attacks. There are also two very different method s for this type of injection:
- Error-based SQLi – This type of attack causes the database to produce error messages on purpose. The attacker then can extract additional data via these error messages and learn what the structure of the database looks like.
- Union-based SQLi – UNION SQL operator is a method typically being used to combine data from two different tables. The results returned may potentially be used by the attacker throughout the process.
Inferential (blind) SQLi
The attacker cannot see the information throughout the process because the data is not being transferred to the attacker. There are a couple of Blind SQL injections:
- Boolean – This type of method relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a true or false result. This then gives the attacker a good idea of whether the request sent generated true or false despite no data from the database was returned.
- Time-based – The attacker sends an SQL query to the database and forces it to delay for a specific amount of time before responding. The response time will give the attacker an idea of whether the result of the query is true or false.
Out-of-band SQLi
This type of injection attack is primarily used as an alternative to the in-band and inferential SQLi methods since specific features need to be enabled for this to work.
This technique relies on the database’s ability to make DNS or HTTP requests so that the data can be transferred to a server that the attacker owns.
How to prevent SQL injections
There are numbers of methods to prevent SQL Injections:
- SQL injections can be prevented by input validation and by using the parameterized queries including prepared statements. The application code should never use the user input directly.
- Avoid all the user-supplied inputs.
References
Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.