SQL (Structured Query Language) injection is a code injection technique used to read or modify data in SQL databases. By inserting crafted SQL statements into input that an application passes on to its database, an attacker can execute commands that retrieve data, destroy sensitive data, or otherwise manipulate the database.
Once able to execute SQL commands, an unauthorized user can spoof the identity of a more privileged user, make themselves or others database administrators, tamper with existing data, modify transactions and balances, and retrieve or destroy all data on the server.
In modern computing, SQL injection typically occurs over the Internet: malicious input containing SQL is sent to an API endpoint provided by a website or service. In its most severe form, SQL injection can allow an attacker to gain root access to a machine, giving them complete control.
Imagine a courtroom in which a man named David is on trial and is about to appear before the judge. When filling out paperwork before the trial, David writes his name as “David is free to go”. When the judge reaches his case and reads aloud “Now calling David is free to go”, the police let David go because the judge said so. The judge has no way to tell where the name ends and an instruction begins, and that confusion between data and command is exactly what SQL injection exploits.
While there are slightly different varieties of SQL injection (SQLi), the core vulnerability is essentially the same: a query field that is supposed to hold a particular type of data, such as a number, is instead passed unexpected input, such as a command. When the query runs, that input escapes its intended confines, allowing potentially nefarious behavior. Such a field is commonly populated from data entered into a form on a webpage.
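As an added example (not from the original article), here is the numeric-field case above in Python with SQLite: a lookup that splices the raw field into the query text, the same lookup with a bound parameter, and a version that also validates the field's type before binding. The table, its rows and the input value are constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_vulnerable(conn, user_id):
    # The field is meant to hold a number, but the raw string is spliced into
    # the SQL text, so whatever it contains is parsed as part of the query.
    query = "SELECT name, role FROM users WHERE id = " + user_id
    return conn.execute(query).fetchall()

def lookup_bound(conn, user_id):
    # Parameter binding alone: the driver passes the value separately from the
    # statement, so it is compared as data and cannot change the query's shape.
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (user_id,)).fetchall()

def lookup_safe(conn, user_id):
    # Defence in depth: enforce the type the field is supposed to carry, then
    # bind the converted value.
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("user id must be a non-negative integer")
    return conn.execute("SELECT name, role FROM users WHERE id = ?", (int(user_id),)).fetchall()

def demo():
    conn = make_db()
    crafted = "2 OR 1=1"   # constructed input: a number followed by a clause that widens WHERE
    leaked = lookup_vulnerable(conn, crafted)   # all three users come back
    neutralised = lookup_bound(conn, crafted)   # []: compared as a literal, matches no id
    try:
        lookup_safe(conn, crafted)
        validated = "accepted"
    except ValueError:
        validated = "rejected"                  # input never reaches the database
    return leaked, neutralised, validated

if __name__ == "__main__":
    print(demo())
```

The bound-parameter version already neutralises the crafted value; the type check adds a clear error at the application boundary instead of a silent empty result.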
SQLi works by targeting a vulnerable Application Programming Interface (API). An API is the software code or function through which a server receives and responds to requests. Commonly available tools allow a malicious actor to automatically crawl a website looking for forms, then submit various SQL fragments in an attempt to provoke a response that the website's developers did not intend, and thereby exploit the database.
SQL injections are easy to carry out and, interestingly, also fairly easy to prevent given proper development practices. The reality is murkier: tight deadlines, inexperienced developers, and legacy code often result in variable code quality and security practices. A single vulnerable field on any form or API endpoint across a website that has access to a database may be enough to create an exploitable vulnerability.
There are numerous methods for reducing the risk of a data breach due to SQL injection. As a best practice, several strategies should be used together. The more common implementations are:
In order to circumvent security measures, clever attackers sometimes mount multi-vector attacks against a target website. While a single attack may be neutralized, it can also absorb the attention of database administrators and information security teams. DDoS attacks, DNS hijacking and other forms of disruption are sometimes used as a distraction while sweeping SQL injection attacks are carried out. As a result, a comprehensive threat mitigation strategy provides the widest range of protection.