SQL Injection

Many web applications store client-supplied information in relational database management systems, where data is managed using the Structured Query Language (SQL). SQL injection is a code injection attack in which an attacker supplies malicious SQL through user input fields; the resulting statements run on the database and can corrupt data, bypass authentication, and so on.

Attack Vector

For an SQL injection attack to succeed, an attacker must be able to supply malicious SQL to a webpage's input field whose value is used to construct SQL queries without being correctly processed and sanitized.

Impact

The impact of a SQL injection attack can be quite detrimental. An attacker can tamper with data, make it unavailable by updating it or deleting it completely, or make all data available to anyone; impersonate other users and gain access to restricted data; or gain full access by becoming an administrator of the system.

Attack Examples

Example 1 - Authentication Bypass

A school website's login page has fields for username and password, which are used to construct the following SQL statement to retrieve the user's data:

SELECT * FROM users WHERE username = "<username>" AND password = "<password>";

If an attacker enters admin" OR 1=1-- as the username, the query becomes:

SELECT * FROM users WHERE username = "admin" OR 1=1--" AND password = "<password>";

Since the rest of the query after the username field is commented out, the attacker is able to log in as a user without knowing the correct password, successfully bypassing authentication.

Example 2 - Data Corruption

The same website has another grades table that contains the results of all the students. An attacker can enter alice"; DROP TABLE grades-- as the username, which produces the following SQL query:

SELECT * FROM users WHERE username = "alice"; DROP TABLE grades--" AND password = "<password>";

The SQL statement will return all the rows corresponding to the user, but also delete the grades table.

Historical Attacks

  • This vulnerability in the website of Grab, a ride-hailing company in Southeast Asia, allowed the exfiltration of sensitive data such as administrator users and their password hashes.
  • This vulnerability in the online payment system of Mossack Fonseca, the law firm at the center of the Panama Papers leak, enabled a grey hat hacker to access customer data.

Defenses

The general strategy for SQLi defense is to keep the SQL text fixed and have special characters in user input handled correctly, so that an attacker cannot provide an input that changes the meaning of the query. Doing this parsing and escaping by hand is error-prone, so it is essential to use established solutions, which are usually built into programming languages and SQL APIs. The common form is prepared statements with bind variables, which look something like this:

import java.sql.Connection;
import java.sql.PreparedStatement;

// The SQL text is fixed; the '?' is a bind placeholder, not string concatenation.
PreparedStatement pstmt = conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");   // untrusted client input
pstmt.setString(1, name);                     // bound as data, never parsed as SQL
pstmt.execute();
pstmt.close();
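The same defense in Python's sqlite3, as an added example (not the page's code): the login query keeps a fixed SQL text with ? placeholders and passes the page's two payloads as bound values, which the database treats purely as data. It goes one step beyond the page: bind variables only cover values, not identifiers, so the hypothetical grades_sorted() shows the allow-list check needed when a user chooses a column name. The users table is a constructed fixture and stores plaintext passwords only to mirror the page's query; real systems store hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture (not from the page): the school website's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!', 'admin');
        INSERT INTO users VALUES ('alice', 'hunter2', 'student');
        CREATE TABLE grades (username TEXT, grade TEXT);
        INSERT INTO grades VALUES ('alice', 'A');
        """
    )
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Prepared statement with bind variables: the SQL text never changes and
    the two values travel separately, so quotes, '--' and ';' in the input are
    compared as characters of a username, not parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Placeholders can bind values only. A table or column name chosen by the user
# cannot be bound, so the defense there is an allow-list of known identifiers.
GRADE_SORT_COLUMNS = {"username", "grade"}


def grades_sorted(conn: sqlite3.Connection, sort_by: str):
    """Hypothetical report query: the column name is accepted only if it is one
    of the fixed identifiers above, then interpolated into otherwise fixed SQL."""
    if sort_by not in GRADE_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT username, grade FROM grades ORDER BY {sort_by}"
    ).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(login_safe(conn, "alice", "hunter2"))                 # ('alice', 'student')
    print(login_safe(conn, "admin' OR 1=1--", "wrong"))         # None: no such username
    print(login_safe(conn, "alice'; DROP TABLE grades--", "x"))  # None, and no DROP runs
    print("grades table still exists:", table_exists(conn, "grades"))
    print(grades_sorted(conn, "grade"))
```

With bound values there is nothing to escape: the driver sends the statement and the parameters to the database separately, which is why this holds for any input and not only for the characters a hand-written escaper happens to know about.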

Criteria for Demonstration

To demonstrate a SQL injection attack, provide the exact input required for the attack and where you submitted it (e.g. login page).


Other resources


eli32, jloh4