What is a SQL injection attack?
You may not know what a SQL injection (SQLI) attack is or how it works, but you have almost certainly heard of the victims. Yahoo, Zappos, Epic Games, TalkTalk, LinkedIn, and Sony Pictures are among the companies that cybercriminals have breached using SQL injections.
A SQLI is a type of attack by which cybercriminals exploit software vulnerabilities in web applications for the purpose of stealing, deleting, or modifying data, or gaining administrative control over the systems running the affected applications.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). It relies on a security vulnerability in the application's own code: typically, user input is placed inside an SQL statement without being correctly escaped as a string literal, so the database reads part of the input as SQL syntax rather than as data.
Cybersecurity researchers regard the SQLI as one of the least sophisticated, easiest-to-defend-against cyberthreats. Malwarebytes Labs ranked SQLI as number three in The Top 5 Dumbest Cyber Threats that Work Anyway, citing the fact that SQLI is a known, predictable attack with easily implemented countermeasures. SQLI attacks are so easy, in fact, that attackers can find vulnerable websites using advanced Google searches, called Google Dorking. Once they've found a suitable target, SQLI attackers can use automated programs to carry out the attack for them. All they have to do is input the URL of the target site and watch the stolen data roll in.
And yet SQLI attacks are commonplace and happen every day. In fact, if you have a website or online business, cybercriminals have likely already tried SQLI against it. One study by the Ponemon Institute, The SQL Injection Threat & Recent Retail Breaches, found that 65% of the businesses surveyed had been victims of a SQLI-based attack.
Frequently targeted web applications include: social media sites, online retailers, and universities. Small-to-medium sized businesses are especially vulnerable as they are often not familiar with the techniques cybercriminals use in a SQLI attack and, likewise, don't know how to defend against such an attack.
With that, let's take the first step in defending against a SQL injection by educating ourselves on the topic. Here's your primer on SQL injections.
How does a SQL injection work?
Developed in the early 1970s, SQL (short for Structured Query Language) is the standard language for reading and writing data in relational databases, and it remains in use almost everywhere today. These databases contain things like prices and inventory levels for online shopping sites. When a user needs information from the database, the application builds an SQL query to fetch it and presents the result to the user. But the same databases can also contain more sensitive and valuable data like usernames and passwords, credit card information, and social security numbers. This is where SQL injections come into play.
Put simply, a SQL injection is when criminal hackers enter malicious commands into the inputs of an insecure website, such as a search field, a login form, or a URL parameter, to gain unauthorized access to sensitive and valuable data.
Here's an example. Imagine going to your favorite online clothing site. You're shopping for socks and you're looking at a Technicolor world of colorful socks, all available with a click of your mouse. The wonders of technology! Every sock you see exists in a database on some server somewhere. When you find a sock you like and click on that sock, you're sending a request to the sock database, and the shopping site responds with the information on the sock you clicked. Now imagine your favorite online shopping website is constructed in a slipshod manner, rife with exploitable SQL vulnerabilities. A cybercriminal can manipulate database queries in such a way that a request for information about a pair of socks returns the credit card number for some unfortunate customer. By repeating this process over and over again, a cybercriminal can plumb the depths of the database and steal sensitive information on every customer that's ever shopped at your favorite online clothing site—including you. Taking the thought experiment even further, imagine you're the owner of this clothing site. You've got a huge data breach on your hands.
One SQLI attack can net cybercriminals personal information, emails, logins, credit card numbers, and social security numbers for millions of consumers. Cybercriminals can then turn around and sell this personal info on the gloomiest corners of the dark web, to be used for all kinds of illegal purposes. Stolen emails can be used for phishing and malspam attacks. Malspam attacks, in turn, can be used to infect victims with all kinds of destructive malware like ransomware, adware, cryptojackers, and Trojans (e.g. Emotet), to name a few. Stolen phone numbers for Android and iOS mobile devices can be targeted with robocalls and text message spam.
Stolen logins from social networking sites can even be used to send message spam and steal even more logins for additional sites. Malwarebytes Labs previously reported on hacked LinkedIn accounts being used to spam other users with InMail messages containing bad URLs spoofed, or faked, to look like a Google Docs login page by which cybercriminals could harvest Google usernames and passwords.
What is the history of SQL injections?
The SQL injection exploit was first documented in 1998 by cybersecurity researcher and hacker Jeff Forristal. His findings were published in the long running hacker zine Phrack. Writing under the moniker Rain Forest Puppy, Forristal explained how someone with basic coding skills could piggyback unauthorized SQL commands onto legitimate SQL commands and pull sensitive information out of the database of an unsecured website. When Forristal notified Microsoft about how the vulnerability impacted their popular SQL Server product, they didn't see it as a problem. As Forristal put it, 'According to them [Microsoft], what you're about to read is not a problem, so don't worry about doing anything to stop it.'
What makes Microsoft's lackadaisical response so shocking is many industries and institutions seriously depended (then and now) on the company's database management technology to keep their operations running, including retail, education, healthcare, banking, and human resources. This leads us to the next event in the SQLI history timeline—the first major SQLI attack.
In 2007, the biggest convenience store chain in the United States, 7-Eleven, fell victim to a SQLI attack. The Russian hackers used SQL injections to hack into the 7-Eleven website and use that as a stepping stone into the convenience store's customer debit card database. This allowed the hackers to then withdraw cash back home in Russia. All told, the culprits made off with two million dollars, as Wired magazine reported.
Not all SQLI attacks are motivated by greed. In another noteworthy example from 2007, cybercriminals used SQLI to gain administrative control over two US Army-related websites and redirect visitors to websites with anti-American and anti-Israeli propaganda.
The 2008 MySpace data breach ranks as one of the largest attacks on a consumer website. Cybercriminals stole emails, names, and partial passwords of almost 360 million accounts. And this is why we don't reuse passwords from one site to the next.
The title for most egregious lack of security goes to Equifax. The 2017 Equifax data breach exposed extremely personal information (names, social security numbers, birth dates, and addresses) for more than 143 million consumers. Strictly speaking, the entry point was not a SQL injection but an unpatched, publicly known vulnerability in the Apache Struts web framework (CVE-2017-5638); the lesson is the same, since both are well-understood flaws with readily available fixes. For an organization that acts as the gatekeeper of information for every single American, except those living off the grid, you'd think they would take precautions against such basic attacks. Before the data breach occurred, security researchers had even warned Equifax about vulnerabilities in its public-facing sites, but the credit bureau took no action until it was too late.
In what ranks as the creepiest hack in history, a 2015 SQLI attack on toy manufacturer VTech led to a breach of nearly five million parents and 200,000 children. Speaking with Motherboard, the online multimedia publication, the hacker responsible claimed they had no plans for the data and did not publish the data anywhere online. At the same time, the hacker also explained that the data was very easy to steal and someone else could have gotten to it first. Cold comfort indeed.
Moving forward to today, the SQLI attack is still a thing. Roughly every three years the Open Web Application Security Project (OWASP) ranks the Top 10 Most Critical Web Application Security Risks. In the 2017 edition, injection (of which SQLI is the best-known form) ranked as number one, and it still sits at number three in the 2021 edition.
Beyond the longevity of the SQLI attack, what's striking is how little the basic technique has changed: the same trick of breaking out of a string literal that was documented in 1998 still works wherever input is pasted into a query, and what has evolved is mainly the tooling that automates it. SQLI attacks work and will continue to work until people change their attitudes about cybersecurity. Be that change.
How do SQL Injections affect my business?
As reported in our Cybercrime Tactics and Techniques report, cyberattacks (of all kinds) on businesses went up 55% in the second half of 2018, while attacks on individual consumers rose only 4%. The stats are not surprising. Businesses with crummy security present criminals with a soft target, holding a treasure trove of valuable data worth millions.
In turn, a business at the center of a data breach can expect to pay out millions. An IBM study found the average cost of a data breach, including remediation and penalties, to be $3.86 million. The LinkedIn data breach mentioned previously ended up costing the business networking site $1.25 million in an out-of-court settlement.
After their data breach, Target was forced to pay the largest amount on record—$18.5 million—to settle investigations brought on by multiple states. This was in addition to the $10 million Target paid to settle a class action lawsuit brought on by consumers.
Granted, these are huge data breaches affecting millions of consumers. However, small-to-medium sized businesses can still expect to pay out $148 for each stolen consumer record.
The moral of the story? Take your security seriously and avoid being a 'Target' for cybercriminals.
How can I protect against SQL injections?
All this hand wringing aside, you're here because you know SQL injections are a serious threat. Now, let's do something about it. Here are some tips for protecting your business against SQL injection attacks.
Update your database management software. No software is bug-free, and database servers are no exception: vulnerabilities in the server itself can let an attacker who has already found an injection point escalate from reading a table to running code on the host. Patching does not fix the injection flaws in your own application code, which is where most SQLI vulnerabilities live, but it limits how far a successful injection can go, so keep your database management software patched and current.
Enforce the principle of least privilege (PoLP). PoLP means each account only has enough access to do its job and nothing more. For example, a web account that only needs read access to a given database shouldn't have the ability to write, edit or change data in any way.
Use prepared statements or stored procedures. In a prepared statement the SQL text is fixed in advance and the user-supplied values are passed to the database separately as parameters, so the database never interprets them as part of the command; cybercriminals can't piggyback malicious SQL onto legitimate statements. Stored procedures can give the same protection, because the SQL lives on the database server and the web application only calls it with arguments, but only if the procedure itself uses parameters rather than building dynamic SQL from those arguments.
Hire competent, experienced developers. SQLI attacks often result from sloppy coding. Let your software developers know in advance what you expect as far as security is concerned.
What if my personal information was stolen in a data breach? You should take a look at our data breach checklist. There you'll learn all about cleaning up and staying safe after a SQLI attack data breach impacts you.
Visit OWASP. The Open Web Application Security Project, OWASP for short, is the leading authority on web applications and they have lots of additional reading on how to prevent SQL injections.
And if you just can't get enough SQL injection in your life, visit the Malwarebytes Labs blog for all the latest happenings in the world of cyberthreats and cybersecurity.
SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.
An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injections in their OWASP Top 10 2017 document as the number one threat to web application security.
How and Why Is an SQL Injection Attack Performed
To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the web page or web application: places where the application uses the input directly in an SQL query. The attacker then crafts input content, often called a malicious payload, which is the key part of the attack. When the application sends a query containing this content to the database, the attacker's SQL commands are executed.
SQL is a query language that was designed to manage data stored in relational databases. You can use it to access, modify, and delete data. Many web applications and websites store all the data in SQL databases. In some cases, you can also use SQL commands to run operating system commands. Therefore, a successful SQL Injection attack can have very serious consequences.
- Attackers can use SQL Injections to find the credentials of other users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges.
- SQL lets you select and output data from the database. An SQL Injection vulnerability could allow the attacker to gain complete access to all data in a database server.
- SQL also lets you alter data in a database and add new data. For example, in a financial application, an attacker could use SQL Injection to alter balances, void transactions, or transfer money to their account.
- You can use SQL to delete records from a database, even drop tables. Even if the administrator makes database backups, deletion of data could affect application availability until the database is restored. Also, backups may not cover the most recent data.
- In some database servers, you can access the operating system using the database server. This may be intentional or accidental. In such a case, an attacker could use an SQL Injection as the initial vector and then attack the internal network behind a firewall.
There are several types of SQL Injection attacks: in-band SQLi (using database errors or UNION commands), blind SQLi, and out-of-band SQLi. You can read more about them in the following articles: Types of SQL Injection (SQLi), Blind SQL Injection: What is it.
To follow step-by-step how an SQL Injection attack is performed and what serious consequences it may have, see: Exploiting SQL Injection: a Hands-on Example.
Simple SQL Injection Example
The first example is very simple. It shows how an attacker can use an SQL Injection vulnerability to go around application security and authenticate as the administrator.
The example is a simplified login handler of the kind that runs on a web server (the original presents it as pseudocode). It authenticates with a username and a password against an example database that has a table named users whose columns include id, username, and password. The handler reads the username and password fields from the login form and splices them directly into a SELECT statement, with no escaping and no parameterization.
These input fields are vulnerable to SQL Injection. An attacker could use SQL commands in the input in a way that would alter the SQL statement executed by the database server. For example, they could use a trick involving a single quote: the quote closes the string literal the password is wrapped in, and what follows it, such as OR 1=1, is read by the database as part of the query. Because of the OR 1=1 condition, the WHERE clause matches every row, so the query returns the first id from the users table no matter what the password is. The first user id in a database is very often the administrator. In this way, the attacker not only bypasses authentication but also gains administrator privileges. They can also append a comment sequence such as -- to comment out the rest of the SQL statement and control the execution of the query further.
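The login bypass described above, and the prepared-statement defense recommended in the protection tips earlier on this page, worked through in Python against an in-memory SQLite database. This is an added example, not the article's own pseudocode: the users table and its rows, the two login functions, and the payload strings are constructed for illustration, and passwords are kept in clear text only to keep the example short.

```python
import sqlite3


def make_db():
    """Constructed sample data: the first row of users is the administrator,
    as the article assumes. Real applications store salted password hashes,
    not clear-text passwords; this shortcut keeps the injection visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret-admin-pw"), (2, "alice", "alice-pw")],
    )
    return conn


def build_vulnerable_sql(username, password):
    """The exact string the vulnerable handler sends: form input spliced
    into the SQL text, so a quote in the input changes the query's shape."""
    return (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the id of the 'authenticated' user, or None on failure."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Prepared statement: the SQL text is fixed and the driver passes the
    values separately, so a quote in the input is data, never syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads following the article's description: close the string literal
# with a single quote, then either make the WHERE clause always true or
# comment out the rest of the statement with '--'.
ALWAYS_TRUE = "' OR '1'='1"      # as the password of any username
ADMIN_COMMENT = "admin'--"       # as the username; the password check is commented away


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("bob", ALWAYS_TRUE))
    print("vulnerable, unknown user + always-true password ->",
          login_vulnerable(db, "bob", ALWAYS_TRUE))          # 1 (admin)
    print("vulnerable, admin'-- as username ->",
          login_vulnerable(db, ADMIN_COMMENT, "anything"))   # 1 (admin)
    print("safe, same payloads ->",
          login_safe(db, "bob", ALWAYS_TRUE),
          login_safe(db, ADMIN_COMMENT, "anything"))         # None None
    print("safe, real credentials ->",
          login_safe(db, "alice", "alice-pw"))               # 2
```

The first payload works because AND binds tighter than OR: the condition becomes (username='bob' AND password='') OR '1'='1', which is true for every row, and the first row is the administrator. The second payload is more precise, since the attacker names the account they want and comments the password check away. Against the parameterized query both payloads are just unusual strings that match no row.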
Example of a Union-Based SQL Injection
One of the most common types of SQL Injection uses the UNION operator. It allows the attacker to combine the results of two or more SELECT statements into a single result. The technique is called union-based SQL Injection.
The following is an example of this technique. It uses the web page testphp.vulnweb.com, an intentionally vulnerable website hosted by Acunetix.
A normal request from a legitimate user simply passes the identifier of an artist in the URL query string, and the page looks that record up. This artist parameter is vulnerable to SQL Injection. The first injected payload modifies the query to look for a nonexistent record by setting the value in the URL query string to -1. Of course, it could be any other value that does not exist in the database; a negative value is a good guess because an identifier in a database is rarely a negative number. Emptying the original result set matters because of what comes next.
In SQL Injection, the UNION operator is commonly used to attach a malicious SQL query to the original query intended to be run by the web application. The result of the injected query is joined with the result of the original query, which is why the attacker first empties it: every row that then comes back belongs to the injected SELECT. The injected SELECT must return the same number of columns as the original, so attackers typically probe with placeholder values until the page renders without an error. Once the column count matches, the same payload shape can pull column values from other tables, which is how more meaningful data, such as stored user credentials, is obtained from this intentionally vulnerable site.
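The union-based technique above, and the integer validation plus parameterization recommended in the prevention section, worked through in Python against an in-memory SQLite database. This is an added example, not code from the Acunetix article or from testphp.vulnweb.com: the artists and users tables, their contents, the two page functions, and the payloads are constructed for illustration. The schema-discovery step reads SQLite's sqlite_master catalog; on other engines the equivalent is information_schema or a vendor catalog.

```python
import sqlite3


def make_db():
    """Constructed sample data: a public artists table the page is meant to
    show, and a private users table it is never meant to reveal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT)")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT, cc TEXT)")
    conn.executemany(
        "INSERT INTO artists VALUES (?, ?, ?)",
        [(1, "r4w8173", "Painter"), (2, "Blad3", "Sculptor")],
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)", ("test", "test", "1234-5678-2300-9000")
    )
    return conn


def artist_page_vulnerable(conn, artist):
    """Mimics a page that splices the ?artist= query-string value into SQL."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist
    return conn.execute(sql).fetchall()


def artist_page_safe(conn, artist):
    """Hardened version: allow-list the parameter, then bind it."""
    if not artist.isdigit():  # identifiers are positive integers, nothing else
        raise ValueError("artist must be a positive integer")
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return conn.execute(sql, (int(artist),)).fetchall()


# The steps an attacker walks through against the vulnerable page.
NORMAL = "1"
NO_RECORD = "-1"                                 # empties the original result set
COUNT_PROBE = "-1 UNION SELECT 1, 2, 3"          # must match the original column count
SCHEMA = "-1 UNION SELECT name, sql, 3 FROM sqlite_master WHERE type='table'"
DUMP_USERS = "-1 UNION SELECT uname, pass, cc FROM users"


def run_attack(conn):
    """Returns the rows each payload yields; the last entry is the users table."""
    steps = [
        ("normal", NORMAL),
        ("no_record", NO_RECORD),
        ("count_probe", COUNT_PROBE),
        ("schema", SCHEMA),
        ("dump_users", DUMP_USERS),
    ]
    return {name: artist_page_vulnerable(conn, payload) for name, payload in steps}


if __name__ == "__main__":
    db = make_db()
    for step, rows in run_attack(db).items():
        print(step, "->", rows)
    for payload in (NORMAL, DUMP_USERS):
        try:
            print("safe:", artist_page_safe(db, payload))
        except ValueError as err:
            print("safe: rejected ->", err)
```

The count probe is what makes the rest possible: a UNION with the wrong number of columns fails, so the attacker adds placeholder columns until the page renders, and from then on each placeholder can be swapped for a column from any table the database account can read. The hardened function closes both doors: the allow-list rejects anything that is not a plain positive integer before it reaches the database, and the bound parameter means that even a value that passes validation is never interpreted as SQL.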
How to Prevent an SQL Injection
The most reliable way to prevent SQL Injection attacks is to use parameterized queries (prepared statements) everywhere the application talks to the database, combined with input validation. The application code should never splice input directly into SQL text, and this applies to all input, not only web form inputs such as login forms: URL parameters, cookies, HTTP headers, and data read back from the database can all carry a payload. Validate each input against what the field is supposed to contain (a numeric identifier must be an integer, for example) rather than trying to strip or escape characters such as single quotes; blacklists of "dangerous" characters are routinely bypassed, and stripping quotes breaks legitimate values. It is also a good idea to turn off the visibility of database errors on your production sites. Database errors can be used with SQL Injection to gain information about your database.
If you discover an SQL Injection vulnerability, for example using an Acunetix scan, you may be unable to fix it immediately. For example, the vulnerability may be in open source code. In such cases, you can use a web application firewall to block requests that match known injection patterns as a temporary measure, but treat it as a stopgap until the code itself is fixed, since filters can be bypassed.
To learn how to prevent SQL Injection attacks in the PHP language, see: Preventing SQL Injection Vulnerabilities in PHP Applications and Fixing Them. To find out how to do it in many other different programming languages, refer to the Bobby Tables guide to preventing SQL Injection.