SQL injection: definition, causes, protection

What is SQL injection?

Websites are exposed to a large number of security risks. One of the most widespread attacks is the injection of malicious code. Here, criminals seek to execute undesired commands, take over web applications, and falsify or steal data. Myra Security offers a web application firewall to ward off such injection attacks.

Explore the Myra Hyperscale WAF

A definition of SQL injection

SQL injection is a commonly used attack vector. SQL is a popular database programming language used to build data structures in relational databases and to edit and query datasets based on them. Due to the widespread use of SQL, programs and web applications based on it are also very attractive to attackers.

With an SQL injection (SQLi), cybercriminals specifically exploit vulnerabilities in the source code of software in order to insert their own commands or malicious code into programs via input forms, for instance. This is how hackers get their hands on valuable records. Most SQL injection attacks can be attributed to faulty scripts and programs.

The well-known “Open Web Application Security Project” (OWASP) shows just how widespread SQLi is. The current OWASP Top 10 list ranks injection attacks third among the ten most critical security risks for web applications.

Example of an SQL injection

Attackers use SQL injection to corrupt databases for users, products, and the like. Here, software developers typically use a REST API to retrieve users:

https://myapi.com/users/123

This input would likely result in a (non-cleaned) request like this:

SELECT * from users where id = 123

If the API has no input data validation/hygiene, this makes it possible to use SQLi to delete any user in the system. The input required for this looks something like this:

https://myapi.com/users/123;DELETE FROM users where id != 0

or this:

https://myapi.com/users/123;TRUNCATE users

If the attacker has knowledge of the database structure, he could gain admin rights by adding or updating entries in the database:

https://myapi.com/users/123;UPDATE users set admin = 1 where id = 456

or:

https://myapi.com/users/123;INSERT INTO user_roles (userId, role) VALUES (456, 'ADMIN')

Additional detailed case descriptions of a SQL injection attack including code examples are available on the OWASP Foundation website.

How cybercriminals use SQL injection

SQL injections are possible whenever user input or other data reaches the SQL interpreter. Attackers employ special characters to try to inject their own command in order to gain access to the underlying database from the outside. Such “meta characters” include the backslash, quotation mark, apostrophe, and semicolon.

Most vulnerabilities that enable hacking into databases via SQL injection are found in the CGI scripts used for communication between web servers and other tools. If improper masking occurs here, additional command chains can be inserted. The consequences include data leakage, data manipulation, or even full compromise of the entire server if the attacker succeeds in opening an input shell.

Detecting and fending off SQLi

By the time companies discover vulnerabilities in their solutions for SQL injection attacks, it is usually too late. If a vulnerability in the source code can’t be found beforehand, the consequences of a successful attack are usually attributable to this bug in the software. Indications of this are things like data leakage, manipulation of user accounts or data records, as well as error messages indicating corrupted files. Unusual queries on web servers are also often indicative of injection attempts.

In addition, automated scanning tools help companies detect errors in source code during the development process, closing the gaps susceptible to SQL injection attacks. Penetration tests, also known as pentests, then determine the integrity of the software.

WAF (Web Application Firewall) solutions also provide protection against SQL injection attacks. These security solutions filter traffic based on predefined rules, differentiating between legitimate user requests and potential attacks. The level of protection provided by such technologies is largely dependent on the proper configuration of filter rules. This requires a great deal of expertise and knowledge of the specific types of traffic on each web application.

Sectors affected by SQL injection

Large parts of our networked world are vulnerable to injection attacks. From online applications, smartphone apps and networked IoT devices, to networked cars on the road. Many devices that can be accessed via the internet and have a login interface for an underlying SQL database can also be commandeered if any vulnerabilities are present. This is why the solutions and tools used for injection attacks play a much more important role than any specific sectors.

The consequences of SQL injection attacks

If traffic data is manipulated as the result of an SQL injection attack, managers in e-commerce and media companies may make the wrong strategic decisions. As a result, SQL injection attacks can cause long-term damage that can knock companies off course for years.

When cybercriminals gain access to valuable data records, this also makes the companies affected susceptible to blackmail for huge amounts of ransom. Added to this are costs to remedy the damage and potential fines. Because if sensitive customer data falls into the hands of others as the result of an attack, those responsible may face stiff fines and even prison sentences. The severity of the penalties is set out in the applicable regulatory requirements for data security and data protection.

Also not to be underestimated are the severe effects of SQL injection attacks on the image of the affected companies. Many major data breaches are attributed to successful attacks of this kind. If criminals get their hands on customer data, this can shatter trust in your company for years to come.

What you need to know about SQL injection

SQL injection attacks are usually the most convenient way for cybercriminals to launch wide-ranging attacks on companies. Attackers sometimes seek to capture or manipulate valuable data records. Successful SQL injection attacks also open up opportunities for blackmail.

Protection against such attacks is provided by cleanly written source code with strict validation and hygiene of input data as well as WAF protection solutions. The latter provide companies with flexible tools that address a variety of other threats in addition to SQL injection attacks.

More information about Myra Hyperscale WAF

Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.

Go to download section