How does a SQL injection attack work?
Understanding one of the simplest, yet most-effective, methods of cyber attack
If you're at all familiar with web development, you've probably heard of SQL injection attacks. They're among the most commonly-used forms of cyber attack, largely because they're so simple to learn and execute. Don't be fooled, though - that doesn't make them any less dangerous. They can be devastating in effect, and many a company has fallen foul of them.
The reason SQL injection attacks can prove so fearsome is that a large proportion of the web is built on SQL databases, including the ones provided by the likes of Microsoft, Oracle and SAP. This makes SQL injection one of the most versatile attack methods in a hacker's arsenal, and it's usually among the first tools used as part of a breach attempt.
What is SQL injection?
To analyse how SQL injection works we first have to establish what SQL is. In short, SQL (or structured query language) is a programming language designed to manage large databases, such as the kind used by web applications. SQL is used to modify, retrieve and reorganise the data within a database with text-based commands.
A SQL injection attack is when a third party is able to use SQL commands to interfere with back-end databases in ways that they shouldn't be allowed to. This is generally the result of websites directly incorporating user-inputted text into a SQL query and then running that query against a database. How this works in a non-malicious context is that the user-inputted text is used to search the database - for example, logging in to a specific account by matching it based on the username and password entered by the user.
In a SQL injection, however, this process is hijacked to perform unauthorised functions. To use a simple example, the attacker could make use of the query process outlined above by using another SQL command to override the query's logic. The standard SQL query is designed to log into an account once it finds one in the database that matches a specific set of inputs; therefore, if the attacker is able to amend the query so that it adds the condition 'OR 1=1', it means that every entry in the table will return a positive result. Under those conditions, the query will log into the first account it finds, which in most databases is a user with admin privileges.
This functions in a very similar way to cross-site scripting, another style of injection attack that involves hackers inputting malicious scripts into web forms to target user browsers.
One of the most common outcomes of a SQL injection attack is the theft of user data. Login credentials, email addresses or personal information can all be sold on the black market or exploited for further cyber attacks. The attack can also be used to knock applications offline by deleting tables from the database, or to add new information to the database.
How to defend against SQL injection
Like all programming languages, SQL is built around the use of certain characters and formatting structures to designate functions. SQL injection exploits this by using text input fields to introduce these elements into otherwise-benign queries, but it can be counteracted by 'sanitising' the user input sections throughout a website or application.
Adding a layer of abstraction allows you to strip out characters which are used in SQL queries but not whatever the input field concerns. The semicolon, for example, is used in SQL queries, but does not feature in names and is not permitted in email addresses, so anyone entering it into a text field designed to collect names or email addresses is almost certainly attempting a SQL injection attack.
A far more effective way, however, is to use parameterised queries. Rather than directly running a query based on user inputs, this method of database construction involves specifying the structure of the query beforehand and plugging the user input into predefined slots. This ensures that, even if the user does enter malicious SQL code into the text field, it will be safely wrapped within a larger query that doesn't recognise it as such.
It is also best practice to make sure that these safeguards are applied to all text input forms, rather than just those that connect to sensitive databases, as lateral movement and privilege escalation are common hallmarks of SQL injection attacks. You should also make sure that database error messages aren't displayed on public-facing websites, as these can give attackers more information about the structure of your databases to inform further attempts.
How have SQL injections been used?
SQL injections have been used in multiple cyber attacks over the last 20 years, often as an initial probe before other, more sophisticated tools and techniques are deployed.
SQL injection attacks should not be underestimated, however; it was the method behind 2015's mammoth TalkTalk breach, which resulted in the theft of more than 150,000 customers' personal information and a 400,000 fine for the company. Back in 2012, a group also used SQL injection attacks to steal 450,000 Yahoo users' login information, in one of a number of breaches that would hit the embattled web company in the following years.
According to a recent report from web security firm Akamai, SQL injection attacks have accounted for more than 65% of web-based attacks between November 2017 and March 2019, with the US and the UK topping the charts as the most frequently-targeted countries.
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now