SQL injections: how to detect and protect yourself

Father

Applications and websites today commonly rely on databases queried with the SQL language. The web application uses it to build a query that fetches the information needed to render the requested page.

It is precisely because SQL is so widespread that SQL injection (injection of SQL code) is one of the most popular ways to attack sites, programs and applications that work with databases. Exploiting such a vulnerability gives the attacker the ability to interfere with the queries the program sends to its database.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

SQL injection is an attack that involves injecting arbitrary SQL code into a legitimate database query. For example, you have a web application – an online store where information about products is stored in the database. When you select the desired product on the site, you add it to the shopping cart, and the site logic calculates the total cost. If you disrupt the interaction of the application with the database by changing queries to this database, you can, for example, change the cost of products in the shopping cart.

An attacker can use SQL injection to modify, add and delete data. In addition, a hacker can gain access to passwords and other confidential information, as well as alter the commands executed by the attacked resource.

Types of injections

Traditionally, three types of SQL injection are distinguished: classic SQL injection, blind SQL injection, and out-of-band injection (an attack carried out only by exceeding the capacity of the socket opened between the client and server). Each of them is divided into subtypes, and SQL injection attacks are also combined with one another.

SQL injection is also classified by the method of exploitation:
  1. Union-based SQL injection: the attack uses the SQL UNION operator to combine several tables and retrieve data from adjacent tables to which there is no direct access.
  2. Boolean-based SQL injection, also called blind injection: the database management system returns no errors as such, and the query is crafted so that, for example, the delay in executing the injected commands can be observed. Information is extracted from the application's response to conditional expressions.
  3. Blind SQL injection based on Boolean operations (or inferential SQL injection): several valid statements whose result is true or false are passed in an HTTP request parameter. By comparing the response page for the two conditions, the attacker can infer whether the injection succeeded.
  4. Time-based blind SQL injection (sometimes called fully blind SQL injection): special SQL queries that make the database pause for a set period are passed in an HTTP request parameter. By comparing the response time of normal queries against the delayed ones, an attacker can determine whether the injected SQL query executed.
  5. Error-based SQL injection: an attack aimed at provoking errors from the database so that the attacker can form an idea of its structure.

Different database management systems have their own subtleties in how each type of attack is carried out. Experts note that typical attacks usually succeed only when the web applications themselves contain vulnerabilities. To protect yourself from an attack, or to reduce its effectiveness, you first need to be able to recognize that an attack was based on SQL injection.

Exploitation of SQLi in a web application shows the following signs:
  • mismatch between input and output data: results returned by the web application that do not match what was expected, or that contain incorrect data, may indicate injected SQL code;
  • invalid data: if user-supplied data is not validated on the server, it can be used to inject malicious code into database queries;
  • unexpected error messages: if the web application returns unexpected errors such as "SQL error", "insufficient access rights" or "invalid password", this may also be a sign of SQL injection;
  • unusual requests: requests found in the web server logs that are out of the ordinary, such as requests to change a password or retrieve sensitive data, may indicate SQL injection.

In addition, an SQL attack on your resource can be recognized by an increase in its load. Overloading of the server caused by an abnormally large number of database queries may also indicate that an SQL injection has taken place.
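As an added illustration (not part of the original post), the following Python script applies these signals to a few constructed access-log lines: it decodes each request URL, matches it against one heuristic per injection type listed above, treats 5xx responses as the "unexpected error" signal, and counts requests per client for the load signal. The log lines, patterns and threshold are invented for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /product?id=42%20UNION%20SELECT%20a,b%20FROM%20t-- HTTP/1.1" 500 311
203.0.113.9 - - [10/May/2024:12:00:04 +0000] "GET /product?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET /search?q=o%27neil HTTP/1.1" 200 777
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# One heuristic per technique the article lists; matched on the decoded URL.
SQLI_PATTERNS = {
    "union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),                  # union-based
    "boolean": re.compile(r"'\s*(or|and)\b\s*'?\w*'?\s*=", re.I),                 # tautology / blind
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),  # time-based
    "comment": re.compile(r"(--|/\*)"),                                           # query truncation
}


def analyze(log_text: str, burst_threshold: int = 3):
    """Return (findings, noisy_ips): requests carrying an injection indicator
    or a 5xx status, and clients whose request count reaches the threshold."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        per_ip[m["ip"]] += 1
        url = unquote_plus(m["url"])  # %27 -> ', %20 -> space, etc.
        hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(url)]
        if hits or m["status"].startswith("5"):
            findings.append({"ip": m["ip"], "url": url,
                             "indicators": hits, "status": m["status"]})
    noisy = [ip for ip, n in per_ip.items() if n >= burst_threshold]
    return findings, noisy
```

The legitimate search for "o'neil" is not flagged, which is the kind of false positive a naive "any quote is an attack" rule would produce.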

How to protect yourself from SQL injections

Regardless of the type and method of attack, you cannot completely protect yourself from SQL injection; there is always a risk of falling victim to such an attack. Those who already have vulnerabilities in their systems are most at risk. With a good security system and adherence to certain rules, an SQL attack can be prevented or hindered.

Evgeny Andryukhin
Awillix Penetration Testing Specialist

An attack based on SQL injection is not 100% preventable, it's like a Chekhov's gun. If someone wrote include <sqlite.h>, it means that sooner or later it will fire, just like any third-party product. Therefore, it is necessary to review patches, do taint analysis of data flows, purchase WAFs and local host behavior analyzers. And it still won't help you, but at least you'll catch 1-day scripts that use stupid forking methods like runtime.exec("cmd.exe -c 'net user Vasyan 1q2w3e4f /add'").

To prevent an attack based on SQL injection, or make it harder to carry out, you must:
  • update software on an ongoing basis so that known vulnerabilities are eliminated;
  • use a web application firewall (WAF) to protect web applications, along with IDS/IPS intrusion detection and prevention systems;
  • restrict access to databases, granting it only to those users and services that need it for their work;
  • check the correctness and safety of user-supplied data. For example, check that the entered value is a number or a string, and exclude special characters that can be used in SQL injections;
  • use parameterized queries. This means the query text contains placeholders instead of concrete values, which are supplied separately. This approach prevents the introduction of malicious code, because the parameters are interpreted as data, not as code.
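An added example (not from the original post) of the last two points, using Python's built-in sqlite3 module: a lookup built by string concatenation next to the same lookup as a parameterized query, plus a whole-number check on an id parameter. The table, rows and payload are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "keyboard", 49.0), (2, "mouse", 19.0)])
    return conn


def find_product_vulnerable(conn, name):
    # Before: the user's text is spliced into the SQL itself, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_product_safe(conn, name):
    # After: a placeholder in the SQL and the value passed separately. The
    # driver never parses the value as SQL, whatever characters it contains.
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def product_by_id(conn, raw_id: str):
    # Input validation from the checklist: an id must be a plain integer,
    # so anything else is rejected before a query is even built.
    if not raw_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return conn.execute("SELECT id, name, price FROM products WHERE id = ?",
                        (int(raw_id),)).fetchall()


def demo():
    """Run both lookups with a boolean (tautology) payload and a normal name."""
    conn = make_db()
    payload = "x' OR '1'='1"  # makes WHERE name = 'x' OR '1'='1' always true
    return {
        "vulnerable": find_product_vulnerable(conn, payload),  # every row returned
        "safe": find_product_safe(conn, payload),              # no such product name
        "normal": find_product_safe(conn, "mouse"),
    }
```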

The main idea of preventing an SQL injection attack is to control what the web application sends to the database management system. Queries must be strictly formalized and properly restricted. It is also very useful to use specialized application-level firewalls (web application firewalls, WAF). They are designed to protect against various types of attacks on web applications, including injection attacks, and as a rule already contain signatures for typical methods of exploiting this vulnerability.

Real-life examples

Since most web applications use SQL, there is no shortage of high-profile examples of cyber attacks based on SQL injection. This type of attack is often used in conjunction with other attacks. For instance, in 2013-2014 Yahoo faced a series of attacks, including SQL injections, which resulted in the theft of personal data of more than 3 billion users.

Anton Kuznetsov
R-Vision Senior Information Security Engineer

One of the most striking examples of SQL injection is attacks targeting sites running WordPress. Last year, the most high-profile case was the presence of SQL vulnerabilities in more than 500 thousand sites based on this platform, this year 70 thousand sites were already vulnerable. Another high-profile example is that in 2017, Equifax, the largest credit bureau in the United States, was subjected to a large-scale cyber attack, as a result of which the data of more than 140 million people was compromised. One of the attack methods was SQL injection, which allowed hackers to gain access to the company's database.

In 2015, TalkTalk, a British Internet service provider, was attacked using SQL injection. As a result, the personal data of more than 150,000 customers, including bank card details, was stolen.

Evgeny Andryukhin
Awillix Penetration Testing Specialist

SQL injection is interesting in itself because of its extensive application. It is difficult to imagine conditions in which there would be no use of databases. Traditionally, it is customary to start searching for SQL injections in web applications – there are a huge number of stories with the name "SQL to RCE". Even being one of the most studied problems, SQL Injection is still often found in Security Bulletins of serious products. One of the biggest problems is the ability to adapt the attack to a specific product in order to bypass WAF.

In 2007, the "Little Bobby Tables" incident occurred. An article was published on the xkcd blog describing the SQL injection that would occur if a student were named "Robert'); DROP TABLE Students;--". This example became very popular and even got its own page in the SQLite documentation.

Conclusion

As with any other network attack, it is impossible to defend 100% against an attack based on SQL injection. No one can guarantee complete security, but you can monitor your system for the presence of vulnerabilities.

With a set of cybersecurity tools, adherence to the necessary rules, constant testing of your system and regular checks for SQLi, you can make real progress and reduce the likelihood of SQL injection to a minimum.