SQL Injection: Defense Methods and Best Practices for Developers

[Man]

SQL injections remain one of the most dangerous and widespread vulnerabilities, leading to serious consequences and data leaks. In this article, we will look at why SQL injections remain a threat, how a secure programming culture helps minimize risks, and what security tools and methods should be used to protect databases from attacks.

SQL Injections: What They Are and Why They Are Dangerous​

SQL injection is an attack method in which attackers inject malicious SQL queries into a system through vulnerable input fields of web applications. For example, forms, search strings, or URLs. In SQL injection, an attacker manipulates SQL queries sent to the server, which allows them to bypass the authentication system, gain unauthorized access to data, and change or delete data in the database.

SQL injections are considered one of the most dangerous vulnerabilities, as the consequences of their implementation can be extremely destructive. An attack can lead to a leak of personal data of clients, financial information and internal documentation of the company, which, in turn, entails reputational and financial losses. Moreover, access to the database allows attackers to change data, damage business logic or even block the entire service. In some cases, SQL injections become the starting point for more complex attacks that threaten the integrity and security of the entire company system.

The Role of Secure Coding Culture in Preventing SQL Injection​

SQL injections remain one of the most common and dangerous threats, as even a small vulnerability in the code can open access to confidential data. A secure programming culture allows you to implement SQL injection protection principles into the development process at every stage, from coding to final testing. Prioritizing security helps not only reduce risks, but also reduce potential costs of eliminating vulnerabilities in a working product.

Victor Timashkov.
Application Security Engineer, UCSB.

Security is a complex and continuous process that includes not only technical solutions, but also the implementation of secure development practices. A mature culture of secure programming assumes that each team member is aware of the risks associated with vulnerable code and consistently adheres to the required standards at all stages of software development. Creating a product that minimizes the likelihood of SQL injection requires a conscious application architecture, strict standards for processing user requests, and secure configuration of the DBMS client.

It is important to highlight key practices that help prevent SQL injections in the product being developed:

1. Using parameterized queries. The most basic and effective method. Unlike concatenating user input directly into a SQL query, using parameterized queries treats user input as data, not as part of a SQL command. This prevents malicious code from being interpreted as part of a query.
2. Validation and escaping of user input. You can never be absolutely sure that every request and every function is processed by the application safely. Product development should be based on the principle of zero trust in the data provided by the user. An effective step in this direction is escaping all special characters that can disrupt the logic of SQL query processing.
3. Enforce the principle of least privilege. Database accounts used by an application should have only the necessary access rights. This limits the potential risks in the event of a successful SQL injection.
4. Using static and dynamic analysis tools. Application Security Testing tools help to build application security testing procedures — they help to automatically identify potential vulnerabilities in the code, including SQL injections. Static analysis checks the source code based on the rules developed by the security team, and dynamic analysis checks the application during its execution. Often, development teams face a lack of experience in implementing and supporting AST tools. In response to this problem, our team created the Apsafe product, which provides continuous security analysis, helping companies cope with the growing challenges in the field of application security.

Practices such as parameterized queries, data validation, and restricting access rights are particularly important for preventing SQL injections. These measures create a solid security foundation, minimizing the risks of SQL injections at the code level.

Best Tools and Approaches for SQL Injection Testing​

Effective SQL injection detection requires a comprehensive approach using static and dynamic code analysis. Static analysis checks the source code for potential vulnerabilities without running the application. This method helps detect SQL injections early in the development process by identifying vulnerable code sections. Dynamic analysis tests the application in production mode, simulating real attacks to identify vulnerabilities. It is useful for identifying vulnerabilities in already running applications and allows you to see how the application responds to malicious requests.

Georgy Elfimov.
Leading Expert of the Security Analysis Department at Angara Security.

The most effective approach to testing a web application is an individual approach, in which we take into account the size of the web application, identify the technologies used to work with the DBMS and potential user input points that are most likely to be embedded in a query to the DBMS.

For example, when working with a web application developed using the Word-Press CMS, we can assume that the built-in CMS mechanisms are not susceptible to SQL injection vulnerability and focus our attention on the custom components of the web application, and also assume that mysql or mariadb is used as the DBMS.

With small web application sizes and comfortable testing time frames, we can pay attention to each potential user input point and manually conduct the appropriate checks or manually configure automated checks for each user input point. For automated point testing, the most effective and widespread tool is the sqlmap utility, which supports flexible configuration of testing parameters, a large number of known DBMS and techniques for detecting, exploiting and post-exploiting SQL injection. This tool also allows you to fine-tune payload obfuscation, which can be extremely useful for bypassing filtering and security tools.

When testing a large web application, you need to set priorities correctly. First, you need to cover all possible user input points with basic checks. Popular vulnerability scanners such as Acunetix, Nessus, BurpSuite Active Scan ++ and others are suitable for this task. Then you need to narrow the range of functionality to be tested and to those places where you can explicitly determine an appeal to the DBMS based on user input and use larger-scale point checks using the sqlmap utility. Finally, the result of the scanners and the sqlmap utility is processed and verified manually. Additionally, by determining with an experienced eye, any part of the functionality can also be tested manually.

Among the tools that help find SQL injections, there are several popular and reliable solutions:

1. Burp Suite. This is a powerful web application security testing tool that supports dynamic analysis. Burp Suite allows you to automate vulnerability scanning and is especially effective in detecting SQL injections thanks to the Burp Scanner module.
2. SQLMap. An open source tool designed specifically for finding and exploiting SQL injections. SQLMap provides detailed analysis and supports many types of databases, making it one of the best solutions for professional testing.
3. OWASP ZAP (Zed Attack Proxy). This tool is also used for dynamic analysis and allows you to identify vulnerabilities in real time. OWASP ZAP is especially popular due to its user-friendly interface and wide functionality focused on automated SQL injection detection.
4. SonarQube. A static code analysis tool that checks code for vulnerabilities, including SQL injections, at the development stage. SonarQube integrates well with various development environments and supports many programming languages.

The most effective way to detect SQL injections is a combination of dynamic analysis with tools like Burp Suite and OWASP ZAP, and static analysis using solutions like SonarQube. Together, they help detect vulnerabilities both during development and in a running application, providing multi-layered protection against SQL injections.

Access control and SQL injection mitigation​

Database access control is one of the most important security methods that helps reduce the impact of SQL injections. The key principle here is to provide each user and application with access only to the data and functions that they really need.

Alexey Morozkov.
Head of the Cybersecurity Management Center Group ICL Services.

The main task of database access control is to limit the scope of data that an attacker will have access to after successful exploitation, as well as to limit the list of available actions. For example, the absence of privileges to write, update and delete information from the database, even if read access was obtained. The principle of least privileges will help with this, using separate users for each application to connect to the database, with access only to those tables, fields, or stored procedures that the application needs. SQL views that limit read access to specific table values also allow you to improve granular access control.

In particular, I would recommend looking at the mechanisms through which arbitrary code is executed for a specific DBMS (for example, by dumping data to disk and then loading it as a stored procedure), and withdrawing the rights necessary for this.

Even if a SQL injection does occur, there are several methods that can help limit the damage.

Nikita Titarenko.
Analyst Engineer, Cybersecurity Research Laboratory, Gazinformservice.

Among such methods, the following can be distinguished:

1. Restricting access rights for users and the application itself (while maintaining the application's functionality).
2. Separation of users on the machine by roles (administrator, application, user, etc.).

These methods allow you to limit the attacker's access to "sensitive" information. And to ensure a timely response to an attempt to exploit SQL injection and other web attacks, it is recommended to integrate WAF (Web Application Firewall) into the system architecture, which can also help minimize the consequences of exploitation.

These measures provide multi-layered protection by restricting access to critical functions and preventing large-scale data leaks or changes in the event of an attack.

To sum it up​

SQL injections remain one of the most common threats, despite progress in information security. The problem is that vulnerabilities can appear even in new applications due to insufficient attention to the culture of secure programming, untimely software updates, and lack of control at all stages of development. SQL injections are not only potential access to data, but also a risk to reputation, customer privacy, and the financial stability of a business.

Effective protection against SQL injection requires a comprehensive approach: from secure programming with minimal access rights to regular analysis and testing. Using proven tools and implementing a security culture at all levels of the company will help minimize the risks of SQL injection and protect critical data, maintaining business resilience to cyber threats.

Source