SQL Injection: Attacks by malicious code in website requests

12. January, 2024

SQL injection is the insertion of SQL code into a website to access the SQL databases behind it. This allows data to be read, but also modified or deleted. As this form of attack is very easy to carry out, it is widespread.

Today’s websites and web-based services typically use a two-tier architecture: In the foreground is the website with the server that communicates with the user’s device and handles the display. In the background, there are usually one or more servers with databases that store various additional information and provide other services.

This two-tier model is supposed to ensure that sensitive data in the background is protected from attacks. However, errors in web programming can sometimes make this separation easy to bypass. Since databases contain much more information than is displayed on the website, they are very attractive to attackers.

SQL injection is one of the most common cyber attacks

A popular method for such attacks is known as “injection”. By inserting special codes, commands and characters into login fields or into the URL sent by the browser, a website can be made to do things it should not. Appropriate controls on the web server should prevent this. All too often, however, the necessary precautions and controls are forgotten where user data is entered. As a result, the “injection” vulnerability is ranked third among the top 10 website security vulnerabilities in 2021. [1]

There are several attack vectors that work by inserting additional commands. For example, malicious code can be injected through the login window of a website in an attempt to exploit the underlying Lightweight Directory Access Protocol (LDAP); this is known as LDAP injection. With the appropriate commands, a user’s privileges can be elevated on unprotected systems, data can be modified, or new accounts can be created. To protect websites and forms, it is therefore advisable to validate user input, for example by excluding certain characters from the query. The global non-profit organization OWASP (Open Web Application Security Project) has published specific recommendations on how login processes with LDAP can be made more secure. [2]
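The input validation described above, as an added example that is not taken from the original article or from OWASP: the user name is checked against an allow-list and any remaining filter metacharacters are escaped as defined in RFC 4515 before the LDAP search filter is built. The attribute names `objectClass` and `uid`, the allowed character set and the function names are assumptions.

```python
import re

# RFC 4515: characters with a special meaning inside an LDAP search filter
# and their escaped form (backslash followed by the two-digit hex code).
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed policy for login names: letters, digits, dot, underscore, hyphen.
UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def escape_filter_value(value):
    """Escape a value so it is treated as data inside a search filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def login_filter(uid, strict=True):
    """Build the search filter for a login attempt.

    strict=True rejects anything outside the allow-list; escaping is still
    applied afterwards as a second layer.
    """
    if strict and not UID_RE.fullmatch(uid):
        raise ValueError("user name contains characters that are not allowed")
    return "(&(objectClass=person)(uid=" + escape_filter_value(uid) + "))"

if __name__ == "__main__":
    print(login_filter("jdoe"))
    # Constructed input: a wildcard stays a literal character after escaping.
    print(login_filter("*", strict=False))
```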

Attacks on authentication and user data

Cyber criminals are often interested in ‘snooping’ directly in the database. Many systems use the standard query language SQL, which is understood by many databases. If an attacker succeeds in passing such commands directly to the system in the background by exploiting one or more programming and security vulnerabilities, unforeseen effects are possible. [3] Many scenarios are imaginable, from reading entire databases to infiltrating and manipulating information. It is therefore crucial to implement robust security measures as a precaution. This helps to protect sensitive applications and data from potential attacks. [4]

In general, any user input can be used to inject malicious code. SQL injection in particular is common in PHP and ASP applications due to the widespread use of older functional interfaces. Other platforms may be more robust due to more recent developments. However, other systems may also be affected: XML databases can have similar issues (e.g. XPath and XQuery injection). Basic security measures also apply to these databases. The vulnerability of your own systems can also be determined by actively testing the security of web pages or forms. Experts try to anticipate typical problems with user input and access to additional sub-pages.

Top 3 countermeasures against SQL injection

The best precaution is to make the applications that access the underlying databases secure and restrictive in the first place. The focus is on improving the security of web services. OWASP provides a wealth of freely available information on how to identify and eliminate security vulnerabilities and risks in web applications. The following three methods are recommended in the “Cheat Sheet” to prevent injection:

  • Only use prepared statements for database queries.
  • Use only correctly constructed stored procedures with very restricted parameters.
  • Always validate user input as accurately as possible.

Also note the important basic principle of only granting the visibility and access rights to data that are required.

The focus should always be on secure development and regular vulnerability testing. Web applications should have only the minimum rights and visibility of data required to perform the task at hand. This is because the development of an application is often started with admin rights, and then no security-related adjustments are made in the production system. The secure implementation and configuration of the database in the background must also not be neglected and must be checked regularly.
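The countermeasures above, as an added example that is not part of the original article or of the OWASP Cheat Sheet: a query built by string concatenation beside a prepared statement, with input validation in front of it and a connection that is restricted to reading. SQLite, the table layout, the user-name pattern and all function names are assumptions; the data is constructed.

```python
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed user-name policy

def make_db():
    """Build a constructed in-memory sample table, then make the connection read-only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    db.commit()
    # Least privilege: the lookup path only reads, so writes are refused.
    db.execute("PRAGMA query_only = ON")
    return db

def lookup_concatenated(db, name):
    """Weak form: input is pasted into the SQL text and can alter the query."""
    return db.execute(
        "SELECT email FROM users WHERE name = '" + name + "'").fetchall()

def lookup_prepared(db, name):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def lookup_validated(db, name):
    """Validation in front of the prepared statement rejects unexpected input early."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_prepared(db, name)

def write_is_refused(db):
    """Return True if the read-only connection rejects a modifying statement."""
    try:
        db.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print(len(lookup_concatenated(db, crafted)))  # every row comes back
    print(lookup_prepared(db, crafted))           # no user has this name
    print(write_is_refused(db))
```

In a production database the read-only restriction would be expressed through the rights of the account the web application connects with rather than a per-connection setting.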


Sources:
[1] https://www.heise.de/hintergrund/Sicherheitsbedrohungen-im-Web-Die-groessten-Risiken-laut-OWASP-Top-Ten-2021-6271591.html
[2] https://owasp.org/www-community/attacks/LDAP_Injection
[3] https://www.w3schools.com/sql/sql_injection.asp
[4] https://owasp.org/www-community/attacks/SQL_Injection
