SQL injection explained
What is SQL injection
SQL injection
or SQLi
is type of injection attack
which is ranked 3rd
in owasp Top 10 as of 2021. It is one of the common attack vector in web applications that involves insertion or injection of malicious SQL code in the input data from the client to the back-end application. This inserted SQL code fits in the predefined SQL query changing the logic and its purpose to perform other malicious activities in the application.
Attackers can take advantage of the SQLi vulnerabilities to bypass the application security measures and/or modify(insert/update/delete) data in the database, read and write files in the remote server and executing operating system commands.
The impact SQL injection can have on a business or organization is far-reaching. A successful attack may result in the unauthorized viewing of user or client data, the deletion of database entries and maybe with enough privileges, the attacker can create account with administrative privileges to perform other dangerous activities.
When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should personal information such as phone numbers, addresses, and credit card details be stolen.
Types of SQL injection attacks
SQL injection is categorized into three categories based on how and where the target server responds to the payloads.
In-band SQL injection
This type of SQLi occurs when the attacker uses the same communication channel to both launch the attack and receive the results or the response. It is the easiest type of SQL injection to exploit. It is further divided into to categories:
- Error based SQL injection
This sub-type of in-band SQL injection occurs when the database throws an error string to the client regarding the inputted data. The client can happen to be an attacker in this case and they might use the returned error to further enumerate the database i.e. database type and version which they might use specific attack for the specific database type or version.
- Union based SQL injection
This is another type of in-band SQL injection that leverages the use of UNION operator to combine the results of two Select statements that might contain sensitive information which is then displayed as part of the HTTP response.
Blind SQLi
In blind SQL injection the attacker might not receive a direct response as a HTTP response or error as we have seen in in-band SQLi but the attacker might be forced to send the payload on the malicious injected code and observe the web application’s response and behavior.
There are two sub-types in this category:
- Boolean-based blind SQLi
In this type of the attack, the response is based on whether the injected SQL code executes to TRUE or FALSE.
- Time-based blind SQLi
In time-based SQLi, the attacker sends a payload instructing the server to wait for a specific amount of time before responding if the query executed to TRUE or maybe pass if the query executed to FALSE.
Out-of-band SQLi
This type of attack relies on the ability of the database server to make DNS and HTTP requests. Attackers use this and send the request or in simple terms redirect the output or response to a remote server that the attacker controls.
This type of SQL injection attack is uncommon because of its dependency on whether some of this features are enabled in the database server.
READ MORE:
https://owasp.org/www-community/attacks/SQL_Injection
https://www.imperva.com/learn/application-security/sql-injection-sqli/
https://www.acunetix.com/websitesecurity/sql-injection/
https://www.invicti.com/learn/in-band-sql-injection/
https://www.invicti.com/learn/blind-sql-injection/
https://www.acunetix.com/websitesecurity/sql-injection2/