What is SQL injection (SQLi)?

SQL injection is a cyberattack that takes advantage of poor input validation in SQL queries. If an application uses untrusted user input in an SQL query to a database, then deliberately malformed user input may be able to modify the query. SQL injection attacks can be used to access, modify, or delete data from the database.

Download the eBook Schedule a Demo

What is SQL injection (SQLi)?

How an SQL Injection Attack is Performed

Applications that perform SQL queries based on user input are potentially vulnerable to SQL injection attacks. For example, a web application may use SQL queries to implement an authentication process. The user provides their username, which the application uses to look up the hash of the password for that user’s account. If the hash of the user-provided password matches this password hash, then the user successfully authenticates and gains access to their account.

If the web application does not perform validation on the username before including it in an SQL query, then a deliberately malformed username could be misinterpreted by the program. For example, SQL queries commonly use single quotes (‘) or double quotes (“) to denote data in a command. For example, a command to look up a customer’s record in a database based on the username user might be SELECT * FROM customers WHERE username=”user”.

An attacker performing an SQL injection attack against his command could include a double quote character in their input to have some of their data interpreted as code. For example, consider the username user” OR “1”=”1.

When inserted into the SQL query, the query becomes SELECT * FROM customers WHERE username=”user” OR “1”=”1”. Instead of looking for records where the username matches the user-provided value, this query will return records that match either of two conditions. The first is the intended test username=”user”, which would return the user’s record.

The second condition is the test “1”=”1”. Since this is always true, it will return all records in the database. This could allow the attacker to extract sensitive information about other users or potentially may allow the attacker to bypass authentication or authenticate as another user.

Types of SQL Injection

SQLi attacks can be used to achieve different purposes and can be performed in various ways. The three main types of SQLi include:

  • In-Band SQLi: In-band SQLi attacks use the same medium, such as an HTTP request, to perform their attacks and collect results. Two common forms of in-bound SQLi attacks are error-based SQLi attacks, which attempt to generate error messages that provide information about the target database for use in attacks, and union-based SQL, which uses the SQL UNION operator to merge SQL SELECT statements.
  • Blind SQLi: In a blind SQLi attack, the attacker does not receive data from the server based on their requests. Instead, the attacker modifies their attacks based on the server’s behavior. For example, different inputs may cause an operation to succeed or fail or impact the amount of time that an operation takes to perform.
  • Out-of-Band SQLi: Out-of-band SQLi attacks perform an attack over one medium and collect data over another. This attack relies on the availability of certain features on the database server. For example, an attacker may measure the success of an SQLi attack based on whether they could force the database server to generate HTTP or DNS requests to an attacker-controlled server.

How to Prevent SQLI

SQLi attacks take advantage of poor input validation when using untrusted data for SQL commands. Many SQLi attacks involve using an unexpected character, such as a single or double quote, within user input.

Performing input validation before including user-provided data within SQL queries can help to reduce the threat of SQLi attacks. For example, an application could restrict user input to a particular set of characters, such as allowing only alphanumeric usernames, or block certain characters from being included within user input. However, input validation, while important, is not enough to protect against SQL injection attacks. Attackers may be able to bypass allowlists or blocklists by using unexpected combinations of characters to evade blocks.

For this reason, companies should also deploy a web application firewall (WAF) or, ideally, Web Application and API Protection (WAAP) in front of web applications and APIs that perform SQL queries. These solutions can help to identify and block malicious requests that attempt to exploit SQLi and other attacks against web applications and APIs.

SQLi Prevention with Check Point

SQLi attacks are one of many attacks that pose a threat to an organization’s application security (AppSec). Organizations need security solutions that can protect their Internet-facing applications and databases both on-prem and in the cloud.

Check Point CloudGuard AppSec provides automated WAAP capabilities that learn how an application works and prevents illegitimate and malicious requests from reaching vulnerable applications. To learn more about CloudGuard AppSec and its ability to protect against SQLi and other attacks, check out this ebook. You’re also welcome to sign up for a free demo to see the capabilities of CloudGuard AppSec for yourself.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK