How do we avoid SQL Injection Attacks?
Structured Query Language (SQL) is the language used to query and manage data in a relational database. A SQL injection (SQLi) attack is a common class of attack in which specially crafted input is used to interfere with the SQL queries that an application sends to its database. A successful SQLi attack typically lets an attacker read data they are not supposed to see, such as data belonging to other users or anything else the application's database account can reach. An attacker can also modify or delete that data, and in some configurations can escalate from the database to the underlying server or other back-end infrastructure, or cause a denial of service. Other possible outcomes include bypassing authentication, exfiltrating data, running arbitrary code and, where the database service itself runs with excessive privileges, gaining root access to the host.
Some common SQLi examples include retrieving hidden data (modifying a query so that it returns additional rows), subverting application logic (changing a query to interfere with the application's logic, for example skipping a password check), UNION attacks (retrieving data from other database tables through a UNION SELECT), examining the database (extracting information about its version and structure), and blind SQLi (the results of the query you control are not returned in the application's responses, so they must be inferred from other signals).
Common types of SQL injection attacks include:
- Unsanitized input (classic or in-band SQLi). The attacker supplies input that is placed into a query without being parameterized, escaped, or validated against the expected type, and the results of the injected query come back directly in the application's response.
- Blind or inferential SQLi. Rather than seeing data directly from the target database, the attacker infers it from indirect clues: differences in HTTP responses, blank pages, or how long the database takes to respond to certain inputs.
- Out-of-band SQLi. The attacker crafts SQL statements that cause the database server to open a connection to an external host the attacker controls (for example a DNS or HTTP request), and carries the data out over that channel.
How to prevent SQL injection attacks:
- Do not build SQL from user input. Never concatenate user-provided input into SQL text; use parameterized queries (prepared statements) so the database driver passes values separately from the query and they are never parsed as SQL. Stored procedures help only if they do not themselves build dynamic SQL from their arguments. Parameters cannot stand in for identifiers such as table or column names or an ORDER BY clause; those must be checked against an allow-list.
- Limit database permissions and privileges. Give the application's database account only the rights it needs (read-only access where writes are not required, no access to other schemas, no file-system or OS-level procedures), so that a successful injection is contained.
- Avoid displaying database errors. Attackers use verbose database error messages to learn the database type, version and structure. Log errors server-side and return a generic message to the client.
- Validate user-provided inputs. Check that submitted data matches the expected type, length and format, using an allow-list where possible. Escaping special characters is fragile and database-specific; treat it as defense in depth, not as a replacement for parameterized queries.
- Do not leave sensitive data in plaintext. Encrypt sensitive data at rest so that a dump obtained via SQLi is less useful, and store passwords only as salted hashes produced by a dedicated password-hashing function (for example bcrypt, scrypt or Argon2), never as reversible encryption or plain text.
- Use a web application firewall (WAF) in front of web applications that access databases. A WAF helps identify, and can block, many SQLi attempts, but WAF rules can be bypassed, so it is not a substitute for fixing the code.
- Use a web application security testing solution (static analysis, dynamic scanners, or manual testing) for database-interacting web apps. This helps catch new bugs or regressions that could allow SQLi before they reach production.
- Keep databases and database drivers updated. Apply the latest available patches so attackers cannot exploit known weaknesses in older versions.
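The following is an added example, not code from the original article. It runs the three in-band attack patterns described above (subverting logic, retrieving hidden data, a UNION attack) against a deliberately vulnerable function that concatenates input into SQL, then runs the same payloads against the parameterized version, and shows type validation and an identifier allow-list for the two cases parameters cannot cover. The schema, sample rows and function names are assumptions made for the demo; the database is an in-memory SQLite instance standing in for the application's real backend.

```python
import sqlite3

# Constructed sample data (assumption): an in-memory SQLite database with a
# users table and a products table, some of which are not yet released.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'admin');
        INSERT INTO users VALUES (2, 'alice', 'hunter2', 'user');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, released INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 1);
        INSERT INTO products VALUES (2, 'Unreleased Gadget', 0);
    """)
    return conn


# VULNERABLE (kept deliberately so): user input is pasted into the SQL text,
# so quotes and comment markers in the input change the query's meaning.
def login_vulnerable(conn, username, password):
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def products_vulnerable(conn, name):
    sql = f"SELECT name FROM products WHERE name = '{name}' AND released = 1"
    return [row[0] for row in conn.execute(sql).fetchall()]


# HARDENED: parameterized queries. The driver sends the values separately
# from the query text, so they are only ever compared as data.
def login_safe(conn, username, password):
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def products_safe(conn, name):
    sql = "SELECT name FROM products WHERE name = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


# Type validation: reject anything that is not a decimal integer before it
# gets anywhere near the query (parameterized as well, as defense in depth).
def product_by_id_safe(conn, raw_id):
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("product id must be a decimal integer")
    row = conn.execute("SELECT name FROM products WHERE id = ? AND released = 1",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None


# Identifiers cannot be bound as parameters, so an ORDER BY column taken from
# the client must be checked against a fixed allow-list before interpolation.
ALLOWED_SORT_COLUMNS = {"id", "name"}

def products_sorted_safe(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    sql = f"SELECT name FROM products WHERE released = 1 ORDER BY {sort_col}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def demo():
    """Run each payload against the vulnerable and the safe function."""
    conn = setup_db()
    results = {}
    # 1. Subverting application logic: the comment marker removes the password check.
    results["bypass_vuln"] = login_vulnerable(conn, "admin'--", "wrong")
    results["bypass_safe"] = login_safe(conn, "admin'--", "wrong")
    # 2. Retrieving hidden data: OR 1=1 disables the released = 1 filter.
    results["hidden_vuln"] = products_vulnerable(conn, "' OR 1=1--")
    results["hidden_safe"] = products_safe(conn, "' OR 1=1--")
    # 3. UNION attack: pull rows from a different table into the result set.
    union = "' UNION SELECT username || ':' || password FROM users--"
    results["union_vuln"] = products_vulnerable(conn, union)
    results["union_safe"] = products_safe(conn, union)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} -> {rows}")
```

Running the block prints the admin row and the users' credentials for the `*_vuln` cases and empty lists for the `*_safe` cases: the same payloads are harmless once they are bound as parameters, because the database never parses them as SQL. Note that `products_sorted_safe` still interpolates into the query string; that is safe only because the value is first checked against a closed set of known column names.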