SQL Injection (SQLi) is the most common attack vector accounting for over 50% of all web application attacks nowadays.
It is a web security vulnerability that exploits insecure SQL code. Using that, an attacker can interfere with the queries an application makes to its database.
But it is not just "popular"; its consequences are also nasty!
A successful SQL injection attack can lead to unauthorized access to sensitive data. Such as passwords, credit card details, or personal user information.
Even worse, sometimes, an attacker can escalate an SQLi attack, and go for compromising the underlying server or back-end infrastructure. Or perhaps perform a denial-of-service attack.
The first case describes a complete takeover of the system, and the second, a complete loss of availability.
Data is the main actor in Information Technologies (IT) systems because this precious asset needs to be stored somewhere, somehow.
Database protocols, languages, and software oversee saving the heart of IT conveniently for a wide range of applications, and one of the most popular frameworks is named Structured Query Language (SQL).
SQLi generally allows an attacker to access data they are not allowed to. This might include data belonging to other users or any other that the application itself can access, but not just that.
Depending on the vulnerability, an attacker can also modify or delete data—this way, causing persistent changes to the application's content or behavior.
Sometimes, an attacker can get a persistent backdoor way into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
Many high-profile data breaches have resulted from SQL injection attacks and this reputational damage and regulatory fines were just a part of the outcome.
One of the most significant breaches was suffered by several payment systems in 2008. Attackers stole 130 million credit and debit card numbers. The victims were the big names Heartland Payment Systems and the 7-eleven chain.
WordPress is a usual target.
In 2018, it was discovered an SQLi vulnerability in a WordPress plugin installed on more than 500,000 web pages.
Just one month ago, security researchers found a vulnerable WordPress plugin (WP Statistics). Six hundred thousand websites have this popular component installed, so this new SQL injection flaw could allow the exfiltration of sensitive information.
SQL injection has officially 22 years old, and even though Information Security professionals developed plenty of guidelines and tools for detecting and avoiding this dangerous flaw, it seems to be feeling young and strong.
Beware that a successful SQL injection attack may show no symptoms!
This would be the case of an attacker retrieving your database's sensitive data, so it could rate its requests to remain anonymous.
Having data provided by a non-trusted source and SQL queries in the same process is risky.
These attacks result from improperly sanitized user input.
SQLi attacks can be classified considering:
The flaw is present inside a SQL "SELECT" statement. It is possible to
see the changes on the webpage content after performing an injection.
Usually, the payload takes the form of a "UNION SELECT..." SQL statement.
This SQLi is not frequently found nowadays. But, if present, an attacker would easily compromise the confidentiality of the web app.
Here is an example of vulnerable code:
This way, one entry of columns can be retrieved "userID, userName and userPassword" from table "articles":
When it is impossible to see the output or error messages.
This case is more common in practice. It is also more difficult to exploit.
Here the attacker will use small differences in the resulting webpage content, server response codes, or timing.
The target is to manipulate "WHERE" or "IF" SQL statements.
An example using timing:
#3. Injections in INSERT and UPDATE Statements
This case can be even worse than the previous ones. It may allow not only the exfiltration of sensitive information but also its modification. This way, compromising integrity. The resulting output after injection is usually displayed on the screen for these vulnerabilities.
SQLi is one of the oldest, most successful, and most prevalent attacks against web apps. You will not feel surprised to know there exist plenty of tools and frameworks to perform these attacks.
SQLMAP is the most popular tool. It is so specialized that it even includes techniques for:
SQL injection is not going anywhere soon.
According to Akamai "State of the Internet" report 2020, SQLi accounts for almost... 80% !! of all attacks against retail, travel, and hospitality web apps between 2018 and 2020:
The root solution is at the code level:
Yet, it is possible someone misses something, and the web app still has a sneaky way of being exploited.
Adding a good WAF is of key importance. It will filter maliciously crafted payloads and prevent automatized attacks.
BitNinja provides security in different key layers:
BitNinja WAF 2.0...
...lets you set filters for each domain.
...gives you the lasts patches! Periodically, new WAF rules are updated to cover the lasts CMS vulnerabilities. Outdated components are one of the most common attack vectors. You are covered.
...takes care of having a low rate of false positives.
How? With a pre-defined and tested ruleset and also sending false-positive reports automatically.
BitNinja Real-Time Reputation contains information on 100,000,000 IP addresses worldwide!
The default setup is tested to avoid false positives. BitNinja also uses the concept of "Greylists" to better handle these cases.
BitNinja Malware detection module runs automatically with no configuration. Also, it is AI-powered.
Let's see how automated exploitation would work using the popular tool sqlmap.
For demonstration, we will use the following known vulnerable site meant for these tests.
As we can see, the PHP function "listproducts.php" has a GET parameter "cat" where numbers are passed to display different pages.
Sqlmap works by trying several typical injection commands for different databases (MySQL, SQL, Oracle, etc.).
Many parameters can be specified for the program to work better.
For example:
If nothing of this is given, anyway sqlmap will make its assumptions, assess, and exploit if possible.
If not run in batch mode, the injection process is guided, and options to refine the process are given:
A vulnerability was found! More than one type of injection succeeded:
And we got the databases listing:
Following, we could use sqlmap for getting tables, columns, and users. For downloading all the databases. Even for trying to get a shell in the underlying system.
BitNinja would have detected the automated attack and black-listed the malicious IP.
Check if present:
BitNinja Captcha and WAF 2.0 modules are your first defense lines against an SQLi attack.
However, if the attack succeeds, the attacker may try to infect your web app with malware. Or install a backdoor. Or get to the underlying system.
Now, BitNinja Anti-Malware Module comes into play. It analyzes all files, and blocks involved malicious IPs and goes till the end to detect the infection origin.
SQL injection attacks are still of big concern nowadays. Cybersecurity is not optional anymore. It is a must! If you haven't tried BitNinja yet, don't forget to register for the 7-day free trial! No credit card is needed!
We are always happy to help you! If you have any questions, check out our Knowledgebase, feel free to ask at info@bitninja.io, or you can even reach us on the Dashboard chat!
Let's make the internet a safer place together!
