SQL injection (SQLi) is a cyberattack that takes advantage of applications that build SQL queries from untrusted, unvalidated input. If an application inserts user input directly into the text of an SQL query, deliberately crafted input can change the structure of the query rather than just the value being searched for. SQL injection attacks can be used to read, modify, or delete data in the database.
Applications that perform SQL queries based on user input are potentially vulnerable to SQL injection attacks. For example, a web application may use SQL queries to implement an authentication process. The user provides their username, which the application uses to look up the stored hash of that account’s password. If the hash of the user-provided password matches the stored hash, the user is authenticated and gains access to their account.
If the web application does not validate the username before including it in an SQL query, a deliberately malformed username can change how the database parses the query. SQL uses quote characters to delimit string literals in a statement: the standard delimiter is the single quote ('), and some databases, MySQL in its default mode among them, also accept double quotes ("). For example, a query that looks up a customer's record by username might be SELECT * FROM customers WHERE username='user'.
An attacker performing an SQL injection attack against this query can include a quote character in their input so that part of the input is interpreted as SQL code rather than as data. For example, consider the username user' OR '1'='1.
When inserted into the SQL query, the query becomes SELECT * FROM customers WHERE username='user' OR '1'='1'. Instead of matching only the record whose username equals the supplied value, the query now returns records that satisfy either of two conditions. The first is the intended test username='user', which returns that user's record.
The second condition is the test '1'='1'. Because it is always true, the query returns every row in the customers table. Depending on how the application consumes the result set, this can allow the attacker to extract other users' records, including their password hashes, or potentially to bypass authentication or authenticate as another user (for example, if the login logic simply trusts the first row returned).
SQLi attacks can be used to achieve different purposes and can be performed in various ways. The three main types of SQLi include:
SQLi attacks take advantage of poor input validation when untrusted data is placed directly into the text of SQL commands. Many SQLi attacks rely on an unexpected character, such as a single or double quote, within user input to break out of the string literal the application intended.
Performing input validation before including user-provided data in SQL queries helps reduce the threat of SQLi attacks. For example, an application could restrict user input to a particular set of characters, such as allowing only alphanumeric usernames, or block specific characters from appearing in user input. Input validation is important, but on its own it is not enough to protect against SQL injection: attackers can often evade blocklists with unexpected encodings or character combinations, and an allowlist cannot be applied to every field, since a free-text comment or a surname such as O'Brien legitimately contains a quote. The primary defense is to keep data out of the query text entirely by using parameterized queries (prepared statements), so that the database receives the statement and the values separately and never parses user input as SQL.
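The following is an added example, not code from the original page or from Check Point: it reproduces the customer lookup and login flow described above against an in-memory SQLite table, runs the user' OR '1'='1 payload through both a string-concatenated query and a parameterized one, and adds the allowlist check from the paragraph above. It also goes one step beyond the page's payload with a constructed UNION input that shows how, when the application trusts the first row returned, an attacker can authenticate as another user by supplying a hash they control. The table contents, the SHA-256 hashing, and the function names are all assumptions made for this example.

```python
import hashlib
import re
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed sample data for this example (not from the original page):
# three customer accounts. SHA-256 keeps the example dependency-free; a
# real application would use a slow password hash such as bcrypt or Argon2.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "hunter2")]

Row = Tuple[str, str]


def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory customers table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(u, password_hash(p)) for u, p in SAMPLE_USERS])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """The pattern the article describes: the username is concatenated into
    the statement text, so a quote in it ends the literal and the rest of
    the input is parsed as SQL."""
    query = "SELECT username, pw_hash FROM customers WHERE username='" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Hardened form: the statement and the value travel separately, so the
    driver never parses the username as SQL and quotes are just characters."""
    query = "SELECT username, pw_hash FROM customers WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    """Allowlist validation (alphanumeric plus underscore), a second layer
    of defence rather than a substitute for parameterized queries."""
    return USERNAME_RE.fullmatch(username) is not None


def authenticate(conn: sqlite3.Connection, username: str, password: str,
                 lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> Optional[str]:
    """The login flow from the article: fetch the stored hash for the
    username, then compare it with the hash of the supplied password.
    Like many naive implementations it trusts the first row returned.
    Returns the authenticated account name, or None."""
    rows = lookup(conn, username)
    if not rows:
        return None
    account, stored_hash = rows[0]
    return account if stored_hash == password_hash(password) else None


def forged_login_payload(target: str, password: str) -> str:
    """Hypothetical attacker input (constructed for this example) that goes
    beyond the article's OR payload: a UNION appends a row naming `target`
    with a hash the attacker controls, so the comparison in authenticate()
    succeeds with the attacker's own password. The trailing '--' comments
    out the closing quote the application appends."""
    return "nobody' UNION SELECT '" + target + "', '" + password_hash(password) + "' --"


if __name__ == "__main__":
    db = build_db()
    payload = "user' OR '1'='1"
    print("vulnerable rows:", len(lookup_vulnerable(db, payload)))        # 3: every account
    print("parameterized rows:", len(lookup_parameterized(db, payload)))  # 0: no such username
    print("allowlist accepts payload:", is_valid_username(payload))       # False
    forged = forged_login_payload("alice", "attacker-chosen")
    print("login as:", authenticate(db, forged, "attacker-chosen", lookup_vulnerable))     # alice
    print("login as:", authenticate(db, forged, "attacker-chosen", lookup_parameterized))  # None
```

The OR payload alone does not log the attacker in here, because the password check still happens in application code against a real user's hash; what it does is return every row, which is the data-exposure case. The UNION payload is what turns the same concatenation bug into an authentication bypass, and the parameterized lookup defeats both without any knowledge of which characters an attacker might send.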
For this reason, companies should also deploy a web application firewall (WAF) or, ideally, Web Application and API Protection (WAAP) in front of web applications and APIs that perform SQL queries. These solutions can help to identify and block malicious requests that attempt to exploit SQLi and other attacks against web applications and APIs.
SQLi attacks are one of many attacks that pose a threat to an organization’s application security (AppSec). Organizations need security solutions that can protect their Internet-facing applications and databases both on-prem and in the cloud.
Check Point CloudGuard AppSec provides automated WAAP capabilities that learn how an application works and prevents illegitimate and malicious requests from reaching vulnerable applications. To learn more about CloudGuard AppSec and its ability to protect against SQLi and other attacks, check out this ebook. You’re also welcome to sign up for a free demo to see the capabilities of CloudGuard AppSec for yourself.