SQL injection occurred again, what should I do this time?

Injection-based security vulnerabilities are ranked No. 1 in the OWASP Top 10 Security Risks , they allow attackers to apply malicious code to information systems, and one of these mechanisms is SQL injection attacks. For web applications that rely on dynamic databases but lack sufficient input validation, SQL injection attacks can be used to access and manage back-end databases.
Note: SQL injection, also known as SQLi.
This article delves into the security risks based on SQL injection and various best practices and tools to prevent such attacks.
1.SQL Injection Vulnerability
2.SQLi Security Assessment
3.Types of SQLi Attacks
4.How an attacker can execute SQLi
5.Recent SQLi Attack Cases
6.How to Prevent SQLi Injection Attacks
7.Tools to prevent, detect and fix SQLi vulnerabilities
8.Summarize


【SQL injection occurred】SQL Injection Vulnerability


When malicious users perform SQL injection (SQLi) attacks, they usually intend to use malicious SQL statements to manipulate the web application's database server. This is usually done by hackers looking for vulnerable points in application firewalls, bypassing the authentication required to access and retrieve database content, and executing unauthorized SQL injection commands in the backend database.
Attackers often develop SQL injection commands to perform various malicious actions, such as:
•Retrieve user credentials in database
•Filter and capture critical system data
•Append new data to the database
•Delete tables and records from the database
•Access the operating system using the backend database server


Note: Common Vulnerability Scoring System Calculator

【SQL injection occurred】Types of SQLi Attacks


SQLi is a common and well-documented attack tactic that tends to have serious business consequences, such as unauthorized viewing of credentials and gaining administrative access to application databases.

In-band SQL Injection (In-band SQLi)
"In-band SQL injection," which means that the attacker can interact directly with the victim host, as if face-to-face. Some people say that there is an "information channel" between the attacker and the victim server, through which the attacker can obtain the desired information.
Error message based SQLi
Attackers rely on error messages in the database server to understand the database structure. Sometimes the error message can provide enough data to deduce the entire database structure and data. There are the following types:
SQLi based on union query
Union query SQL injection is the simplest type of injection. Usually, after judging the number of columns in the query result of the SQL statement through order by, use union select or other statements to directly query the data, and the data is directly echoed.

【SQL injection occurred】Logical Reasoning SQLi


In the logical reasoning SQLi technique, the hacker sends a malicious data payload and then uses the web application's response to rebuild the structure of the database server. In this, the web application doesn't actually retrieve the data, so attackers can't see the attack results using the same communication channel used to launch this type of attack. Logical reasoning SQLi, there are the following types:
Boolean based SQLi
Boolean injection, construct a Boolean statement to logically connect it with the previous one through AND. When this Boolean statement is true, the page should display normally, and when this statement is false, the page display is abnormal or less displayed. thing. It is worth noting that, in practice, the Boolean value may behave as HTTP 500 when it is false, HTTP 200 when it is true, and various other situations, which is also the true meaning of logical reasoning.
Time based SQLi
The principle is roughly as follows. When a query result is true, let the database wait for a certain period of time to return, otherwise return immediately, and the waiting performance is that the browser is not refreshed.
Under MySQL and MSSQL, when the query result is true, the time function is used to sleep, for example:
and if(ascii(substr(database(),1,1))>100,sleep(10),null)

Out-of-Band SQLi
Out-of-Band SQLi, or OOB for short.
In the SQL injection attack, the attacker's payload code is successfully executed, but due to various factors, the attacker cannot reply to the attacker's HTTP Request through HTTP Response, and the attacker cannot obtain the payload generated by this "channel". data. In OOB, the attacker constructs a special payload to allow the victim host to send an HTTP request or DNS query to the specified host, and these request packets carry the query result data.

How an attacker can execute SQLi
WebSQLi
When a web application asks for user input, some attackers provide SQL statements that run unknowingly on the database. This section explores how an attacker can generate valid SQL statements upon user input.

1=1 based SQLi
The attacker uses an OR statement to access all records in the table. When prompted for a user ID, the attacker enters 105 OR 1=1. If the web application lacks sufficient input validation, this statement is accepted and an SQL command of the form:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
This query accesses and displays all records in the users table because 1=1 is always TRUE.

SQLi based on "="
Attackers use OR statements to obtain combinations of related data. When prompted for a username and password, they enter "or" "=" in both fields. The database server then executes a command of the form:
SELECT * FROM Users WHERE Name=”” or “”=”” AND Pass=”” or “”=””
This command returns every row in the users table because OR "=" is always true for username and password.

SQLi based on batch statements
Modern database servers all support batch statements, which hackers may use to target specific records or tables. For example, when prompted for a user ID, they enter 105; DROP TABLE Suppliers. This will execute a valid statement of the form:
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;
This will delete the table named Suppliers from the user record.

Recent SQLi Attack Cases
A successful SQLi attack can be used to tamper with existing data, reveal critical information, and gain network administration privileges.
Examples of SQLi attacks on enterprise systems include:

Bulgarian National Tax Service data breach in 2019
On July 15, 2019, an anonymous hacker announced that they had successfully deployed a SQL injection on the servers of the state tax authority. Hackers extracted 11 GB of data in 57 folders containing the names and identities of more than 6 million people. The file information also includes citizens' social security payments, taxes, online betting data, debt, company and income information.

2020/2021 Accellion Data Breach
Attackers exploited a SQL injection vulnerability to gain initial access to Accellion's File Transfer Appliance (FTA) and lead to a massive data breach affecting multiple companies across various industries and countries. Victims' data started appearing on the ransomware forum CLOP LEAKS.

How to Prevent SQLi Injection Attacks
Preventing SQLi attacks is a complex and rigorous process, as prevention techniques vary depending on the programming language used, the SQL database engine, and the type of SQLi being processed. This section discusses tools and best practices for preventing SQL injection vulnerabilities.

Best Practices for Preventing SQLi Vulnerabilities
Some strategic principles and practices for protecting web applications from SQLi attacks include:
Training and Risk Awareness
Everyone involved in developing and managing applications should understand the risks and implications of SQL injection.
Filter user input
Database administrators should never trust user input. Both internal and external user input should be filtered and validated before the data is passed to the database server.
Use a whitelist-based filter
Attackers will always develop clever ways to circumvent blacklists. Whitelisting only allows certain users to access protected systems to prevent attacks.
Use newer web technologies
Software updates usually include patches for discovered vulnerabilities. Hackers often rely on these vulnerabilities to deploy malicious payloads. Development environments and frameworks that use the latest patch versions will meet compliance standards and protect web applications from attacks as most software organizations try to stay ahead of hackers.
Scan regularly
Attackers inject malicious input through vulnerabilities they find in system code. Therefore, security teams should conduct SQL vulnerability assessments with the right tools to find any possible vulnerabilities before attackers exploit them.

Practical tips for preventing SQL injection
To prevent SQL injection attacks, treat all user input as potentially malicious and follow some programming guidelines:
Filter user input
For an attacker to successfully perform SQL injection, he needs to implant some code that is run by the web application's database. Therefore, all user input should be validated first and restricted to the required characters. For example, you can ask users to enter usernames, passwords, and email addresses, etc., that are not special characters in the database. The following example filters out user input in PHP:

database mapping
Most modern web frameworks provide some abstraction for database processing. For example, Laravel provides Eloquent Query, an ORM framework in Java. Objects created are automatically converted and stored, or retrieved from the database. In the user registration example, the user object can be created in the following way:
$user = new User;
$user->username = $request->username;
$user->password = $request->password;
$user->email = $request->email;
$user->save();
The generated SQL statements are automatically sanitized and protected against SQL injection.
prepared statement
Database mapping, sometimes may not be used. In these cases, use prepared statements to create SQL queries. These forms of statements validate and sanitize user-supplied values, thereby preventing SQL injection. For example, in PHP you can create prepared statements in the following way:
Remark: In Java, this is also known as a prepared statement.
$stmt = $mysqli->prepare("INSERT INTO users(username, password, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $username, $password, $email) # "sss" here states, that three strings are expected.
$username = $request->username;
$password = $request->password;
$email = $request->email;
$stmt->execute();

Tools to prevent, detect and fix SQLi vulnerabilities
Regular SQL Vulnerability Assessment scans are the first actionable remediation to protect web applications from SQLi vulnerabilities. Below is a list of scanners that can help security teams identify and resolve SQLi vulnerabilities:
Crashtest Security
Crashtest Security is an end-to-end security testing suite that simplifies vulnerability scanning through rapid security assessments, risk reduction, and rich vulnerability reporting. Additionally, Crashtest integrates with multiple layers of the development stack, allowing teams to establish continuous testing processes and eliminate the attack surface of APIs and web applications.
The security platform also automates vulnerability scanning and provides security information seamlessly on web applications, allowing development teams to focus on clean code.
Acunetix
A complete security testing solution for distributed and stand-alone systems. Acunetix integrates seamlessly with market-leading development frameworks and comes with built-in vulnerability scanning and management capabilities. Acunetix also connects with third-party issue trackers to help with end-to-end vulnerability management.
Burp Suite
A web application security testing solution developed by PortSwigger that helps organizations combat threats through automated scanning. The suite also includes penetration testing capabilities that can be used to identify the impact of SQLi attacks on web servers. Available in Enterprise and Professional editions, the suite provides different vulnerability management tools for web application security.
Imperva Database Security
Imperva is a database risk and compliance management platform that provides analysis, response and protection for organizational data assets. The platform integrates with any database, so once Imperva is deployed, organizations can use its globally preconfigured reports, policies and templates.

Summarize
According to statistics, 8% of websites and web applications have at least one vulnerability. Additionally, attackers can exploit SQLi vulnerabilities in a number of ways to compromise web applications through unauthorized database access.
To address this, we help organizations protect their web applications and APIs from injection attacks through continuous vulnerability scanning and testing. Additionally, the secure platform fits seamlessly into the DevOps toolchain, enabling organizations to develop and deploy more secure javascript, web applications, and APIs.

Translation link: What Is SQL Injection? Types, Examples, Prevention (Updated)


Copyright statement: The content of this article is contributed by Alibaba Cloud's real-name registered users. The copyright belongs to the original author. The Alibaba Cloud developer community does not own the copyright and does not assume the corresponding legal responsibility. For specific rules, please refer to the " Alibaba Cloud Developer Community User Service Agreement " and " Alibaba Cloud Developer Community Intellectual Property Protection Guidelines ". If you find any content suspected of plagiarism in this community, fill out the infringement complaint form to report it. Once verified, this community will delete the allegedly infringing content immediately.

Related Articles

Explore More Special Offers

  1. Short Message Service(SMS) & Mail Service

    50,000 email package starts as low as USD 1.99, 120 short messages start at only USD 1.00