How does a SQL injection attack work?
Understanding one of the simplest, yet most effective, methods of cyber attack
If you're at all familiar with web development, you've probably heard of SQL injection attacks. SQL injection is number one on the OWASP Top 10, a list of the most critical web application security risks, and can have a devastating effect.
They’re simple to learn and execute, and so they’re one of the most commonly used forms of cyber attack. They’re also fairly simple to defend against, yet they’re a commonplace attack method on social media sites, online retailers, universities, and against SMBs who don’t have the know-how or resources to prevent these attacks.
The reason SQL injection attacks can prove so fearsome is that a large proportion of the web is built on SQL databases, including the ones provided by the likes of Microsoft, Oracle, and SAP. This makes SQL injection one of the most versatile attack methods in a hacker's arsenal, and it's usually among the first tools used as part of a breach attempt.
What is SQL injection?
To analyse how SQL injection works, we first have to establish what SQL is. In short, SQL (or structured query language) is a programming language designed to manage large databases, such as the kind used by web applications. SQL is used to modify, retrieve and reorganise the data within a database with text-based commands.
A SQL injection attack is when a third party is able to use SQL commands to interfere with back-end databases in ways that they shouldn't be allowed to. This is generally the result of websites directly incorporating user-inputted text into a SQL query and then running that query against a database. In the non-malicious case, the user-inputted text is used to search the database - for example, logging in to a specific account by matching it on the username and password entered by the user.
In a SQL injection, however, this process is hijacked to perform unauthorised functions. To take a simple example, the attacker could abuse the login query outlined above by injecting additional SQL that overrides the query's logic. The standard SQL query is designed to log into an account once it finds one in the database that matches a specific set of inputs; therefore, if the attacker is able to amend the query so that it adds the condition 'OR 1=1', every entry in the table will return a positive result. Under those conditions, the query will log into the first account it finds, which in most databases is a user with admin privileges.
This functions in a very similar way to cross-site scripting, another style of injection attack that involves hackers inputting malicious scripts into web forms to target user browsers.
One of the most common outcomes of a SQL injection attack is the theft of user data. Login credentials, email addresses or personal information can all be sold on the black market or exploited for further cyber attacks. The attack can also be used to knock applications offline by deleting tables from the database, or to add new information to the database.
How to defend against SQL injection
Like all programming languages, SQL is built around the use of certain characters and formatting structures to designate functions. SQL injection exploits this by using text input fields to introduce these elements into otherwise benign queries, but it can be counteracted by 'sanitising' the user input sections throughout a website or application.
Adding a validation layer lets you strip out characters that have meaning in SQL queries but not in the data the input field is meant to collect. The semicolon, for example, is used in SQL queries, but does not feature in names and is not permitted in email addresses, so anyone entering it into a text field designed to collect names or email addresses is almost certainly attempting a SQL injection attack.
A far more effective way, however, is to use parameterised queries. Rather than directly running a query assembled from user inputs, this method of query construction involves specifying the structure of the query beforehand and plugging the user input into predefined slots. This ensures that, even if the user does enter malicious SQL code into the text field, it is passed to the database as plain data inside a fixed query, and is never interpreted as SQL.
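As an added example (not code from the original article), here is the login query discussed above in both forms: the vulnerable version that concatenates user input into the SQL text, beside its parameterised replacement. It uses Python's sqlite3 module against a constructed in-memory users table; the table contents, column names and function names are assumptions for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users, the first of them an admin.

    Passwords are stored in plain text only to keep the demo short; a real
    application stores salted password hashes, never the password itself.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t", "admin"), ("alice", "wonderland", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' case: input is spliced straight into the query text.

    A quote character in the input therefore ends the string literal and
    anything after it is parsed as SQL, which is exactly the OR 1=1 bypass
    the article describes. Returns (username, role) or None.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    """The hardened form: the query shape is fixed and the driver binds the
    inputs into the ? slots as values, so they can never change the SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    # A legitimate login succeeds in both forms.
    print(login_vulnerable(db, "alice", "wonderland"))
    print(login_parameterised(db, "alice", "wonderland"))
    # The injected condition from the article: admin in the vulnerable form,
    # no match at all in the parameterised form.
    print(login_vulnerable(db, "' OR 1=1 --", "x"))
    print(login_parameterised(db, "' OR 1=1 --", "x"))
```

The parameterised call returns None for the injected input because the database looks for a user whose name is literally the string ' OR 1=1 --, which does not exist.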
It is also best practice to make sure that these safeguards are applied to all text input forms, rather than just those that connect to sensitive databases, as lateral movement and privilege escalation are common hallmarks of SQL injection attacks. You should also make sure that database error messages aren't displayed on public-facing websites, as these can give attackers more information about the structure of your databases to inform further attempts.
How have SQL injections been used and what impact do they have?
SQL injections have been used in multiple cyber attacks over the last 20 years, often as an initial probe before other, more sophisticated tools and techniques are deployed.
They’re nothing to scoff at, though. SQL injection can result in sensitive data being stolen, deleted, or altered. Attackers can create fake identities, change transactions, make themselves database administrators, or even go so far as to completely take over the web server.
SQL injection attacks were used in the 2020 Freepik data breach to access 8.3 million users’ records, and in 2015's mammoth TalkTalk breach, resulting in the theft of over 150,000 customers’ personal data and a £400,000 fine against the firm.
According to a report from web security firm Akamai, SQL injection attacks have accounted for more than 65% of web-based attacks between November 2017 and March 2019, with the US and the UK topping the charts as the most frequently targeted countries.