SQL Injection (SQLi) is one of the most common attack vectors against web applications; by some industry counts it accounts for over half of all web application attacks nowadays.
It is a web security vulnerability in the way an application builds its SQL queries. By exploiting it, an attacker can interfere with the queries the application makes to its database.
But it is not just common; its consequences are also nasty!
A successful SQL injection attack can lead to unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
Even worse, an attacker can sometimes escalate an SQLi attack to compromise the underlying server or back-end infrastructure, or use it to perform a denial-of-service attack.
The first case describes a complete takeover of the system.
The second, a complete loss of availability.
What is SQL Injection?
Data is the main asset of Information Technology (IT) systems.
This precious asset needs to be stored somewhere, somehow.
Database software, protocols, and query languages are in charge of storing the heart of IT conveniently for a wide range of applications.
The most widespread of these query languages is Structured Query Language (SQL).
SQLi generally allows an attacker to access data they are not allowed to. This might include data belonging to other users or any other that the application itself can access.
But not just that.
Depending on the vulnerability, an attacker can also modify or delete data, causing persistent changes to the application’s content or behavior.
Sometimes, an attacker can plant a persistent backdoor into an organization’s systems, leading to a long-term compromise that can go unnoticed for an extended period.
Many high-profile data breaches have resulted from SQL injection attacks. Reputational damage and regulatory fines were just a part of the outcome.
One of the most significant breaches hit several payment processors and retailers in 2008. Attackers stole around 130 million credit and debit card numbers. The victims included big names such as Heartland Payment Systems and the 7-Eleven chain.
WordPress is a usual target.
In 2018, an SQLi vulnerability was discovered in a WordPress plugin installed on more than 500,000 websites.
Just one month ago, security researchers found a vulnerable WordPress plugin (WP Statistics), a popular component installed on six hundred thousand websites. This new SQL injection flaw could allow the exfiltration of sensitive information.
SQL injection is officially 22 years old. And even though information security professionals have developed plenty of guidelines and tools for detecting and avoiding this dangerous flaw, it seems to be feeling young and strong.
Symptoms of SQLi
- Receiving an exaggerated number of requests in a short time span, for example, lots of emails from your web page’s contact form.
- Ads redirecting to suspicious websites.
- Strange popups and error messages.
Beware that a successful SQL injection attack may show no symptoms at all!
This would be the case of an attacker quietly retrieving your database’s sensitive data; it can rate-limit its requests to stay under the radar.
Types of SQLi
Having data from a non-trusted source and SQL code mixed in the same query string is risky.
These attacks result from untrusted input being concatenated into a query without proper handling.
SQLi attacks can be classified considering:
- The SQL statement (SELECT, INSERT, UPDATE…) that contains the injectable input.
- Whether the result of the injected query can be observed in the resulting web page contents.
UNION-SELECT SQL Injections
The flaw is present inside a SQL SELECT statement, and the changes to the web page content are visible after performing an injection.
Usually, the payload takes the form of a “UNION SELECT…” SQL statement appended to the original query.
This kind of SQLi is not so frequently found nowadays. But, if present, an attacker can easily compromise the confidentiality of the web app, because the rows of the injected query are rendered straight into the page.
Here is an example of vulnerable code:
With a UNION SELECT payload, the columns userID, userName and userPassword can be retrieved, one entry per row, through the query on table “articles”:
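The following is an added example and not code from the original post. It rebuilds the scenario above with Python’s sqlite3 module: a page that lists articles by ID, built by string concatenation, next to the same page using parameter binding. The table and column names (articles, users, userID, userName, userPassword) and the sample rows are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: an articles table the page is meant to show
    and a users table the page must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'First post'), (2, 'News', 'Second post');
        CREATE TABLE users (userID INTEGER, userName TEXT, userPassword TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t-hash'), (2, 'alice', 'al1ce-hash');
    """)
    return conn


def articles_vulnerable(conn: sqlite3.Connection, article_id: str) -> list:
    # Untrusted input concatenated straight into the SQL text: the injection point.
    sql = f"SELECT id, title, body FROM articles WHERE id = {article_id}"
    return conn.execute(sql).fetchall()


def articles_safe(conn: sqlite3.Connection, article_id: str) -> list:
    # Parameter binding: the driver sends the value separately from the query text,
    # so it can never change the statement's structure. The same three columns are
    # selected, but the payload is compared as a literal and matches nothing.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


# The attacker's "cat" / "id" parameter: neutralise the original WHERE (id = 0 matches
# no article) and append a second SELECT with the same number of columns.
UNION_PAYLOAD = "0 UNION SELECT userID, userName, userPassword FROM users"


if __name__ == "__main__":
    conn = make_db()
    print("normal request:   ", articles_vulnerable(conn, "1"))
    print("injected, unsafe: ", articles_vulnerable(conn, UNION_PAYLOAD))
    print("injected, safe:   ", articles_safe(conn, UNION_PAYLOAD))
```

The column count must match the original SELECT (three here), which is why real attacks start with `ORDER BY n` or `UNION SELECT NULL,NULL,…` probes to find it; sqlmap automates exactly that step.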
Blind SQL Injections
Here, it is impossible to see the query output or error messages.
This case is more common in practice. It is also more difficult to exploit.
The attacker relies on small differences in the resulting web page content, server response codes, or response timing.
The target is to manipulate the boolean condition of a WHERE clause, or a conditional such as IF(…), so that the page behaves differently depending on whether a guessed fact about the data is true.
An example using timing:
Injections in INSERT and UPDATE Statements
This case can be even worse than the previous ones. It may allow not only the exfiltration of sensitive information but also its modification, compromising integrity. For these vulnerabilities, the result of the injection is usually visible on screen, because the application later displays the data it wrote.
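An added example (not from the original post) of an injection in an UPDATE statement, again with sqlite3. A “change my email” handler casts the user ID to an integer, which protects that slot, but still concatenates the email string. One payload turns a normal user into an admin; another drops the WHERE clause and overwrites every account’s email, which is the classic prelude to a password-reset takeover. The users table, the role column and the payloads are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userID INTEGER PRIMARY KEY, userName TEXT, email TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.test', 'admin'),
                                 (2, 'alice', 'alice@example.test', 'user');
    """)
    return conn


def update_email_vulnerable(conn: sqlite3.Connection, user_id, new_email: str) -> None:
    # int() protects the numeric slot, but the string slot is still concatenated:
    # whatever the user types becomes part of the SET clause.
    sql = f"UPDATE users SET email = '{new_email}' WHERE userID = {int(user_id)}"
    conn.execute(sql)
    conn.commit()


def update_email_safe(conn: sqlite3.Connection, user_id, new_email: str) -> None:
    # Both values bound as parameters: the payload is stored as a plain (odd) email string.
    conn.execute("UPDATE users SET email = ? WHERE userID = ?", (new_email, int(user_id)))
    conn.commit()


def profile(conn: sqlite3.Connection, user_id) -> tuple:
    return conn.execute("SELECT email, role FROM users WHERE userID = ?",
                        (int(user_id),)).fetchone()


# Closes the email literal and smuggles in a second assignment:
#   UPDATE users SET email = 'alice@evil.test', role = 'admin' WHERE userID = 2
ESCALATE = "alice@evil.test', role = 'admin"

# Closes the literal and comments out the WHERE clause, so every row is updated:
#   UPDATE users SET email = 'attacker@evil.test' --' WHERE userID = 2
WIPE_ALL = "attacker@evil.test' --"


if __name__ == "__main__":
    conn = make_db()
    update_email_vulnerable(conn, 2, ESCALATE)
    print("alice after escalation:", profile(conn, 2))
    update_email_vulnerable(conn, 2, WIPE_ALL)
    print("admin after wipe:      ", profile(conn, 1))
    conn = make_db()
    update_email_safe(conn, 2, ESCALATE)
    print("alice, safe handler:   ", profile(conn, 2))
```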
SQLi is one of the oldest, most successful, and most prevalent attacks against web apps, so it will come as no surprise that plenty of tools and frameworks exist to perform these attacks.
sqlmap is the most popular tool. It is so specialized that it even includes techniques for:
- Bypassing Web Application Firewalls (WAFs) with its tamper scripts.
- Rate-limiting its own requests.
- Compromising the underlying system after database exploitation (reading files, or getting an OS shell where the database user has the privileges).
- And more.
Top SQLi Attacks Statistics
SQL injection is not going anywhere soon.
According to Akamai’s “State of the Internet” report for 2020, SQLi accounted for almost 80% of all attacks against retail, travel, and hospitality web apps between 2018 and 2020:
How can you defend against SQLi Attacks?
The root solution is at code level:
- User input must be validated, and dangerous characters escaped wherever input still has to be placed into SQL text.
- The best approach is to separate data from queries and commands: use parameterized queries (prepared statements) or a safe data-access API that never builds SQL text out of user input.
- Blacklisting should be avoided. It is error-prone, since it is easy to miss a harmful input. Whitelisting (allow-listing the accepted values) is recommended.
- We can use the programming language’s built-in filtering functions, like PHP’s filter_var() with FILTER_SANITIZE_EMAIL, FILTER_SANITIZE_NUMBER_FLOAT, etc. These reduce what reaches the query but are not a substitute for parameterized queries.
- As mitigation measures, limit how much a query can return (for example, with LIMIT clauses) and rate-limit requests. Also, run queries under a low-privileged database account, so that a successful injection in a read-only page cannot modify data.
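Parameter binding covers values, but not every part of a query can be a parameter: column names in ORDER BY and keywords such as ASC/DESC must be spliced into the SQL text, and that is exactly where allow-listing belongs. The added example below (not from the original post) builds a listing endpoint that accepts a sort column, a direction and a page size: identifiers are checked against an allow-list, the page size is clamped rather than trusted and still bound as a parameter, and the read path uses a connection that cannot write, as a stand-in for a low-privileged database account (sqlite3 has no accounts, so `PRAGMA query_only` plays that role). The table, the allow-lists and the MAX_PAGE_SIZE value are assumptions for this example.

```python
import sqlite3

# Allow-lists for the parts of a query that cannot be parameter-bound.
ALLOWED_SORT_COLUMNS = {"id", "title", "created"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE_SIZE = 50


class BadRequest(ValueError):
    """Raised for any input that is not on the allow-list; the caller answers HTTP 400."""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, created TEXT);
        INSERT INTO articles VALUES (1, 'Beta', '2021-01-02'), (2, 'Alpha', '2021-01-01'),
                                    (3, 'Gamma', '2021-01-03');
    """)
    # Least privilege for the read path: this connection can never write, so an
    # injection in a listing endpoint cannot turn into data modification.
    conn.execute("PRAGMA query_only = ON")
    return conn


def build_listing_query(sort: str, direction: str, limit: str) -> tuple:
    if sort not in ALLOWED_SORT_COLUMNS:
        raise BadRequest(f"unknown sort column {sort!r}")
    sql_direction = ALLOWED_DIRECTIONS.get(direction.lower())
    if sql_direction is None:
        raise BadRequest(f"unknown direction {direction!r}")
    try:
        page_size = int(limit)
    except ValueError:
        raise BadRequest(f"limit must be an integer, got {limit!r}") from None
    # Clamp rather than trust: caps how much one request can pull out of the table.
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    # Only allow-listed tokens reach the SQL text; the number is still a bound parameter.
    sql = f"SELECT id, title FROM articles ORDER BY {sort} {sql_direction} LIMIT ?"
    return sql, (page_size,)


def list_articles(conn: sqlite3.Connection, sort: str, direction: str, limit: str) -> list:
    sql, params = build_listing_query(sort, direction, limit)
    return conn.execute(sql, params).fetchall()


def is_rejected(sort: str, direction: str, limit: str) -> bool:
    """True when the validator refuses the input (what the endpoint turns into a 400)."""
    try:
        build_listing_query(sort, direction, limit)
        return False
    except BadRequest:
        return True


def can_write(conn: sqlite3.Connection) -> bool:
    """Does this connection allow data modification? False for the read-only listing path."""
    try:
        conn.execute("UPDATE articles SET title = 'pwned'")
        return True
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return False


if __name__ == "__main__":
    conn = make_db()
    print(list_articles(conn, "title", "asc", "2"))
    print("injected column rejected:", is_rejected("id; DROP TABLE articles", "asc", "10"))
    print("huge limit clamped to:", build_listing_query("id", "desc", "9999")[1])
    print("listing connection can write:", can_write(conn))
```

The allow-list is a fixed set of identifiers you wrote, not a list of characters you hope attackers will not use; that is the difference between whitelisting and blacklisting the post argues for.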
Yet, someone may miss something, and the web app may still have a sneaky way of being exploited.
Adding a good WAF is of key importance. It will filter maliciously crafted payloads and slow down automated attacks.
How can BitNinja protect against SQLi Attacks?
BitNinja provides security at different key layers:
- The WAF 2.0 module is a fast, Nginx-based, fully transparent proxy in charge of filtering the attacks coming at you.
- Captcha modules cover you against automation tools, checking whether a bot or a human is making a request.
- BitNinja Real-Time IP Reputation maintains a vast list of malicious IPs worldwide. Connection attempts coming from these are blocked.
- The Sense Log module is a resource-friendly log analysis tool. It detects and blocks malicious IPs and brute-force attempts.
- The Malware Detection module protects you if an attacker compromises your web app.
Why is it different from other WAF solutions?
BitNinja WAF 2.0…
…lets you set filters for each domain.
…gives you the latest patches! New WAF rules are added periodically to cover the latest CMS vulnerabilities. Outdated components are one of the most common attack vectors. You are covered.
…takes care of keeping a low rate of false positives.
How? With a pre-defined, tested ruleset, and by sending false-positive reports automatically.
BitNinja Real-Time Reputation contains information on 100,000,000 IP addresses worldwide!
The default setup is tested to avoid false positives. BitNinja also uses the concept of “greylists” to handle these cases better.
The BitNinja Malware Detection module runs automatically with no configuration. It is also AI-powered.
Example for SQLi Attack
Let’s see how automated exploitation would work using the popular tool sqlmap.
For demonstration, we will use the following known vulnerable site meant for these tests.
As we can see, the PHP script listproducts.php has a GET parameter cat, where numbers are passed to display different pages.
sqlmap works by trying several typical injection payloads for different database engines (MySQL, Microsoft SQL Server, Oracle, etc.).
Many options can be specified to make the program work better:
- The underlying database technology (if known).
- Which type of injection is likely present.
- A custom User-Agent for bypassing firewalls.
If none of these is given, sqlmap will make its own assumptions, assess, and exploit if possible.
If not run in batch mode, the injection process is interactive, and options to refine the process are offered:
A vulnerability was found! More than one type of injection succeeded:
And we got the database listing:
Next, we could use sqlmap to list tables, columns, and users, to dump all the databases, or even to try to get a shell on the underlying system.
BitNinja would have detected the automated attack and blacklisted the malicious IP.
SQL Injection (SQLi) FAQs
How can I detect SQLi attempts by looking at my log files?
Check whether any of the following are present:
- A larger number of new queries than usual, often many to the same URL from the same IP.
- Unique and/or unusually structured queries: quotes or comment sequences (--, /*) in parameters, UNION SELECT, or calls such as SLEEP(), frequently URL-encoded.
- Queries whose output is not relevant to your application, yet reveal information about the database structure.
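The checks above, turned into a small detector as an added example (not part of the original post or of any BitNinja module). It parses combined-format access log lines, URL-decodes each request path until nothing changes (attackers double-encode), and flags a request on any strong indicator (UNION SELECT, a time-delay function, a schema probe, a stacked query) or on two weak ones together, so that a legitimate apostrophe in a search term does not fire by itself. A scanner User-Agent is reported too, with the caveat from the sqlmap section that it is trivially spoofed. The log lines are constructed for this example, using documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format) for this example.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "GET /listproducts.php?cat=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5310 "-" "sqlmap/1.5#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Jun/2021:12:00:03 +0000] "GET /listproducts.php?cat=1%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5123 "-" "sqlmap/1.5#stable (https://sqlmap.org)"',
    '198.51.100.4 - - [10/Jun/2021:12:00:04 +0000] "GET /search.php?q=o%27neill HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2021:12:00:05 +0000] "GET /listproducts.php?cat=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 9900 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Strong indicators: any one of these is enough to flag the request.
STRONG = {
    "union-select": re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "schema-probe": re.compile(r"\b(?:information_schema|sqlite_master|sysobjects)\b", re.I),
    "stacked-query": re.compile(r";\s*(?:drop|insert|update|delete|select)\b", re.I),
}
# Weak indicators: noisy alone (an apostrophe in a name, "--" in a slug), so two are required.
WEAK = {
    "quote-boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
    "comment": re.compile(r"--|/\*"),
}


def decode(path: str) -> str:
    """URL-decode until stable, so a double-encoded %2527 still resolves to a quote."""
    prev = None
    while prev != path:
        prev, path = path, unquote_plus(path)
    return path


def indicators(path: str) -> list:
    """Names of the SQLi indicators found in one request path (empty list = clean)."""
    decoded = decode(path)
    hits = [name for name, rx in STRONG.items() if rx.search(decoded)]
    weak = [name for name, rx in WEAK.items() if rx.search(decoded)]
    if len(weak) >= 2:
        hits.extend(weak)
    return hits


def scan(lines) -> list:
    """Return one finding per flagged log line: ip, path, ua and the indicators that fired."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a combined-format line; a real tool would count these
        hits = indicators(m["path"])
        if "sqlmap" in m["ua"].lower():
            hits.append("scanner-ua")   # self-identified scanner; easily spoofed, so never rely on it alone
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"], "ua": m["ua"], "indicators": hits})
    return findings


def suspicious_ips(findings, min_hits: int = 2) -> list:
    """IPs with at least min_hits flagged requests: the 'more queries than usual' symptom."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["indicators"], decode(f["path"]))
    print("repeat offenders:", suspicious_ips(scan(SAMPLE_LOG)))
```

Run it over a real access log with `scan(open("access.log"))`; the request body of POST forms is not in the access log, so for contact forms and logins the same indicator checks belong in the application or WAF layer, where the body is visible.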
How does the BitNinja Malware Detection module protect you against SQLi?
The BitNinja Captcha and WAF 2.0 modules are your first lines of defense against an SQLi attack.
However, if the attack succeeds, the attacker may try to infect your web app with malware, install a backdoor, or get to the underlying system.
Now, the BitNinja Anti-Malware module comes into play. It analyzes all files, blocks the malicious IPs involved, and goes all the way to find the origin of the infection.
SQL injection attacks are still a big concern nowadays. Cybersecurity is not optional anymore; it is a must! If you haven’t tried BitNinja yet, don’t forget to register for the 7-day free trial! No credit card needed!
Let’s make the internet a safer place together!