SQL Injection: SQLi

Threat actors use the syntax of Structured Query Language (SQL) to inject commands that can compromise the original query and which can read or modify database records. SQL is an ANSI standard language used to communicate with database systems.

There may be fields designed by the software developers where the submission of an expanded result in SQL syntax will enable access to passwords or other sensitive information. SQLi attacks may allow access to data from anywhere within the database. Depending on the nature of the attack, the threat actor may be able to change or delete this data. 

SQLi examples include manipulation of the basic SQL functionality. This can include the retrieval of hidden data, whereby an SQL query is modified to return additional data. A union SQLi attack accesses and retrieves data from multiple database tables, and an SQLi attack that interferes with basic application logic such that the query can interfere with the execution of an application. 

An SQLi attack can result in access to passwords, personal information, credit card and other financial details. 

SQLi Attack Categories

Using SQLi a threat actor can bypass authentication and access, delete, or modify data within exploited databases. SQLi attacks can also be used to execute operating system level commands. This would allow a threat actor to escalate the attacks further. SQLi attacks may be categorized in several broad categories to include In-band SQLi, Inferential SQLi, and Out-of-band SQLi.

In-band SQLi. The threat actor uses a common channel of communication to both launch the attack and to collect the results. The two types of In-band SQLi are Error-based SQLi and Union-based SQLi.

Union-based SQLi. Union-based SQLi attacks utilize the UNION SQL operator. The Union operator combines the results of two or more queries into a single result set. This result set includes all the rows that belong to all queries within the Union. This result is then returned as part of the HTTP response. The response may contain data which can be utilized to further the goals of the threat actor.

Error-based SQLi. Error-based SQLi is an In-band SQLi technique variant that relies on error messages from the database server to determine information about the structure of the database involved. Error-based SQLi can be used to gather sufficient information such that an entire database could be enumerated. Typically developers set up these error messages during the development phase of building out a web application, but may leave them running. Best practice is to completely disable them on a live web site. Alternately, they may be instead logged to a file with restricted and highly limited access.

Inferential SQLi (Blind SQli)

The threat actor is able to reconstruct the database structure. They do this by sending various payloads, observing how the web application responds as well as the resulting behavior of the database server. In an SQLi attack no data is transferred via  the web application. The threat actor cannot see the result which is why this type of attack technique is designated as “blind.” The two types of Inferential SQLi are Boolean-based (or Content-based) Blind SQLi and Time-based Blind SQLi. 

Boolean-based (or Content-based) Blind SQLi. Boolean-based SQLi attack techniques rely on sending an SQL query to the database which results in the application returning a different result. This depends on whether the query returns a TRUE result or a FALSE result. The result will cause the content in the HTTP response to change, or perhaps remain the same. The threat actor can then determine if the payload used returned true or false, even though no data from the database is returned. This attack technique can be especially slow on a very large database as the threat actor would enumerate the database one character at a time. 

Time-based Blind SQLi. Time-based Blind SQLi attack techniques rely on sending an SQL query to the database which makes the database wait for a designated amount of seconds prior to responding. The response time allows the threat actor to determine if the result of the query is TRUE or FALSE. The HTTP response will return with a delay, or immediately. The threat actor can then determine if the payload returned TRUE or FALSE, even in the absence of the return of any data by the database. The Time-based Blind SQLi attack is also very slow, similarly to the Boolean-based Blind SQLi attack.

Out-of-band SQLi

The threat actor can only carry out this form of attack when certain features are enabled on the database server used by the web application. For this reason this type of attack is not commonly used. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques.

Out-of-band SQLi is performed when the threat actor can’t use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques count on the capacity of the server to create DNS or HTTP requests to deliver data to a threat actor.

Best Practices to Prevent Injection Attacks

Best practices to prevent injection attacks on your web applications include:

Use LIMIT commands. Use LIMIT commands within SQL operations to minimize the disclosure of data in case a SQL injection reaches your database.

Sanitization. All user-supplied data should be sanitized to remove character strings that could be executed as SQL commands. Sanitization replaces executing commands found within user data with non-executable characters.

Use a secure API. Use a secure API for all database access.

Validate and filter user supplied data. All user supplied data should be validated by limiting the format, length, and other attributes of permissible inputs. Occurrences of SQL commands or other malicious code should be filtered.