Day 7: OWASP Top 10 2021 – #3 Injection: SQL Injection Vulnerability

Structured Query Language or SQL

You can use SQL to access and manage databases. In 1986, the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO) both adopted SQL as a standard.

What Can SQL do?
  • SQL can run queries against a database.
  • SQL can retrieve data from a database.
  • SQL can insert records into a database.
  • SQL can update records in a database.
  • SQL can delete records from a database.
  • SQL can create new databases.
  • SQL can set permissions on tables, procedures, and views.

What is a database?

A database is a set of data that has been arranged for easy access and management. To make it simpler to access important information, you can organize data into tables, rows, and columns and index it.

What is a Query?

A query is a request for data or information from a database table or a group of tables. The result may be the plain rows returned by Structured Query Language (SQL), or something more complex, such as trend analyses produced by data-mining tools, which can then be presented as charts, graphs, or other visualizations.

What is SQL Injection?

SQL Injection is the act of inserting, or injecting, SQL code into an application’s input fields so that the application runs the attacker’s query and hands back data it was never meant to expose. Using SQL Injection, an attacker can view data that they would not normally be able to access, including user details such as credentials or personal information. An attacker can also alter or delete this data, resulting in persistent changes to the application’s behavior or content.

SQL Injection can also be escalated to compromise the underlying server or other back-end infrastructure, or to perform a denial-of-service attack.

How is SQL Injection implemented?

To launch a SQL Injection attack, an attacker must first locate user inputs that the web page or web application uses directly in a SQL query; those inputs are what make the page or application vulnerable. The attacker then supplies crafted content through such an input. This content is the core of the attack and is commonly referred to as the malicious payload. When the attacker submits it, the database executes the resulting malicious SQL statements.

In-band SQL injection (also known as classic SQL injection): In-band SQL injection is the most common and the easiest SQL Injection attack to carry out. It is called in-band because the attacker launches the attack and retrieves the results over the same communication channel.

Union-based SQL injection and error-based SQL injection are the two most popular methods of in-band SQL injection.

1. Error-based SQL injection: Error-based SQLi is an in-band technique that relies on the error messages returned by the database server to learn about the database’s structure. In rare circumstances, an attacker can enumerate an entire database using error-based SQL injection alone.

2. Union-based SQL injection: Union-based SQL injection uses the UNION SQL operator to aggregate the results of two or more SELECT queries into a single result that is subsequently returned as part of the HTTP response. It is an in-band SQL injection technique.

3. Blind time-based SQL injection: Time-based SQL injection is an inferential (blind) technique, in contrast to the two in-band methods above. The attacker sends a query that makes the database wait for a predetermined number of seconds before responding, but only when an injected condition holds. The response time therefore tells the attacker whether that condition evaluated to TRUE or FALSE: the HTTP response comes back either immediately or after the delay. This lets an attacker infer the result of the payload even though no data from the database is returned in the response.

Consequences of SQL injection

Confidentiality: Loss of confidentiality is a common consequence of SQL Injection vulnerabilities, since SQL databases frequently hold sensitive information.

Authentication: If poorly constructed SQL queries are used to check usernames and passwords, it may be possible to log in to a system as another user without knowing that user’s password.

Authorization: If authorization data is stored in a SQL database, a successful exploit of a SQL Injection vulnerability may make it possible to modify this data.

Integrity: Using a SQL Injection attack, it may be feasible to alter or even delete sensitive information, in addition to reading it.

Prevention of SQL Injection Vulnerability

The two best methods I can recommend to prevent SQL injection are:

  • Using prepared statements, also known as parameterized queries.
  • For the portions of a query that cannot be parameterized, application functionality that inserts untrusted data into those portions needs a different strategy to deliver the desired behavior, such as white-listing acceptable input values or using alternative logic.
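As an added example (not code from the original post), the following Python script puts the vulnerable pattern described under “How is SQL Injection implemented?” beside the two defenses recommended above. It runs against an in-memory SQLite database; the users table, its columns, the sample rows and the tampered input are all constructed for this demo and are not taken from any real application.

```python
"""Added example: untrusted input concatenated into SQL text, beside the
parameterized and allow-listed replacements, run on an in-memory SQLite DB."""
import sqlite3

# Constructed sample rows (hypothetical users, not real data).
USERS = [
    (1, "alice", "alice@example.com", "hash-a"),
    (2, "bob", "bob@example.com", "hash-b"),
]


def make_db():
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    """The pattern the post warns about: the user-supplied value is pasted
    into the query text, so whatever is typed becomes SQL the engine parses."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Prepared statement / parameterized query: the SQL text is fixed and the
    value is bound separately, so input can never change the query's shape."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Identifiers such as column names cannot be bound as parameters; this is the
# case the post's second recommendation covers, so the value is allow-listed.
SORTABLE_COLUMNS = {"id", "username", "email"}


def list_users_sorted(conn, sort_by):
    """Accept only a known column name before it is placed in ORDER BY."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    query = f"SELECT username, email FROM users ORDER BY {sort_by}"
    return conn.execute(query).fetchall()


def demo():
    """Show the same tampered input against both lookups.

    The constructed value closes the string literal and appends a condition
    that is always true, so the concatenated query matches every row, while
    the parameterized query treats the whole string as one (non-existent)
    username and matches nothing.
    """
    conn = make_db()
    tampered = "nobody' OR '1'='1"
    leaked = find_user_vulnerable(conn, tampered)
    bound = find_user_safe(conn, tampered)
    return {"vulnerable_rows": len(leaked), "safe_rows": len(bound)}


if __name__ == "__main__":
    print(demo())
    conn = make_db()
    print(list_users_sorted(conn, "username"))
    try:
        list_users_sorted(conn, "id; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script shows the concatenated lookup returning both rows for an input that should match none, the bound lookup returning zero rows for the same input, and the ORDER BY helper rejecting anything that is not one of the three allowed column names. The same split applies in any language: bind values, allow-list identifiers.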

References for a deeper understanding of SQL Injection
  • https://portswigger.net/web-security/sql-injection
  • https://owasp.org/www-community/attacks/SQL_Injection

This will be all for the Day 7 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊