SQL Injection is one of the most widely exploited web application vulnerabilities of the web 2.0 era. SQL Injection is used by hackers to steal data from online businesses’ and organizations’ websites. This web application vulnerability is typically found in web applications which do not validate the user’s input. As a result, a malicious user can inject SQL statements through the website into the database and have them executed.
NOTE: This article gives an overview of what the SQL Injection vulnerability is. If you are looking for more technical information about all the different variants of the SQL Injection vulnerability, refer to the SQL Injection cheat sheet.
Nowadays all online businesses are using database-driven web applications to sell products and services to their customers and share real-time information with their business partners. Be it a news website, an online shopping website, a blog, a social network website or an enterprise resource planning system, all of these web applications have access to and interact with an online backend database.
It is typical for people browsing the internet to read data from an online backend database, most of the time without even realizing. When you search for a pair of running shoes on an online shopping website or check the balance of your bank accounts through an e-banking web application you are retrieving data from the backend database through the web application.
On the other hand, if you register to a news website, blog or forum, submit credit card details to an online shopping website or make an update on a social network website, you are writing data to an online backend database through the web application.
One of the main problems with database-driven web applications is that if the user input is not properly sanitized, a hacker will take advantage of such a situation and use an SQL Injection hacking technique to pass SQL statements through the web application so they are executed by the backend database.
If your web application is vulnerable to SQL injection, a hacker is able to execute any malicious SQL query or command through the web application. This means he or she can retrieve all the data stored in the database, such as customer information, credit card details, social security numbers and credentials to access private areas of the portal, such as the administrator portal. By exploiting an SQL injection it is also possible to drop (delete) tables from the database. Therefore with an SQL Injection the malicious user has full access to the database.
Depending on your setup and the type of server software being used, by exploiting an SQL injection vulnerability some malicious users might also be able to write to a file or execute operating system commands. With such escalated privileges this might result in a total server compromise.
Unfortunately it is very difficult to determine the impact of an exploited SQL injection. Most of the time, if the hackers are well trained, you won’t be able to detect the attack until your data is available to the public and your business reputation is going down the drain.
For this SQL injection example we will use a typical login page where users enter their credentials to log in to a website or private portal.
When a user submits a username and password, the web application uses these credentials in an SQL query. This SQL query is sent to the backend database to be executed and, depending on the result of the query, the website determines whether the credentials are correct or not, thus allowing the user to access the portal or denying access. E.g. if the username is "admin" and the password is "12345678", the web application sends an SQL query similar to the one below to the database to verify the credentials:
SELECT * FROM Users WHERE name = 'admin' AND password = '12345678'
Suppose a malicious user enters something like "test' OR 1 = 1--" as the username and anything else as the password. In this case the SQL query will look like the one below:
SELECT * FROM Users WHERE name = 'test' OR 1 = 1 --' AND password = 'xxxxx'
The above SQL statement will always evaluate to true because:
1. name = 'test' OR 1 = 1 will always evaluate to true (1 OR 1 = 1)
2. The rest of the SQL statement after the -- signs is commented out, i.e. that part of the query is not executed.
Since the query returned rows, the malicious user was able to trick the web application and gain access to a logged-in session without needing to guess the credentials. This type of SQL injection vulnerability can also be used to retrieve further data from the database, such as table names and their content.
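To make the login example concrete, here is an added illustration (not code from the original article) of a login function that builds the query by string concatenation, as the page describes, next to the same function written with a parameterized query. It runs against a constructed in-memory SQLite database with a single "admin" user standing in for the site's Users table; the table layout and the function names are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: one Users table with one row (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', '12345678')")
    conn.commit()
    return conn


def build_query(name, password):
    """The query string the vulnerable login page sends, built by concatenating raw input."""
    return (
        "SELECT * FROM Users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, name, password):
    """Vulnerable form: user input becomes part of the SQL text, so quotes and
    comment markers in the input change the meaning of the query."""
    rows = conn.execute(build_query(name, password)).fetchall()
    return len(rows) > 0


def login_safe(conn, name, password):
    """Hardened form: the same query with placeholders. The driver binds the
    input as data, so "test' OR 1 = 1--" is compared literally against the name
    column and never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM Users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    payload = "test' OR 1 = 1--"
    print("query sent by the vulnerable page:")
    print("  " + build_query(payload, "xxxxx"))
    print("vulnerable login with payload :", login_vulnerable(conn, payload, "xxxxx"))
    print("parameterized login, payload  :", login_safe(conn, payload, "xxxxx"))
    print("parameterized login, admin    :", login_safe(conn, "admin", "12345678"))
```

Running it shows the concatenated query from the article being sent to the database and the vulnerable function accepting the payload, while the parameterized version rejects it and still accepts the real credentials. The fix is in how the query is built, not in filtering the input: placeholders keep the SQL structure fixed no matter what the user types.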
Even though this might look like a simple old-school trick, many web applications are still being hacked today by exploiting a similar SQL Injection. There are many other, more complex variants of SQL Injection, and it is almost impossible to manually check whether all the inputs in your web application are vulnerable to all variants of SQL injection.
Web applications need to have direct access to the backend database to be able to retrieve information from or save information to the database. The same applies to your customers: they need full access to your website. Therefore firewalls and other types of intrusion detection / prevention systems will not block someone trying to exploit an SQL Injection vulnerability. The only way to check if your websites and web applications are vulnerable to SQL Injection is by scanning them with an automated web application security scanner such as Netsparker.
Netsparker is a dead-accurate and fully automated web application security scanner that can be used to identify web application vulnerabilities such as SQL Injection and Cross-site scripting in your web applications and websites. Download the trial version of Netsparker to find out if your websites are vulnerable.