SQL Injection (SQLi) is a web security loophole that lets an attacker modify the query the application sends to the RDBMS for execution. An attacker may be able to view, modify or delete data without any authorization. Similar to an XSS attack, untrusted user input that is used in queries can lead to SQLi.
SQL Injection examples
- Using the comment indicator -- : In an e-commerce website, if the user wants to view soundbars, the following GET request URL https://not-seucre-against-sqli.com/products?type=soundbar is triggered; let us say this leads to the following query being sent from the application server to the RDBMS:
SELECT * FROM products WHERE type = 'soundbar' AND available = 'yes'
An attacker can construct an SQL injection and modify the query executed in the RDBMS with the following URL https://not-seucre-against-sqli.com/products?type=soundbar'-- . This leads to execution of the query
SELECT * FROM products WHERE type = 'soundbar'--' AND available = 'yes'
Since the double dash -- is a comment indicator in SQL, the availability condition is commented out, and effectively all products of that type are returned and displayed to the user, even the ones which are not available.
- UNION attack: If a web application is vulnerable to SQLi and the results of the query are returned by the application, then the UNION keyword can be used for a SQLi UNION attack. The UNION operator combines the result sets of two or more SELECT statements. For instance, if the user input soundbar leads to the following query being fired in the back end
SELECT name, desc FROM product_master WHERE type = 'soundbar'
then a SQLi UNION attack can be created by the user input
' UNION SELECT user_name, pwd FROM user_master--
Read more: https://portswigger.net/web-security/sql-injection/union-attacks . This post explains how to ensure that the individual queries return the same number of columns and that the data type in each column is compatible between the queries. These two conditions are necessary for UNION to work. Note that a UNION attack can also be used for examining the database.
- Blind SQL injection: In a blind SQLi attack the user does not receive the direct results of the SQL query. While the user may not receive the results of the query, the application response may still change if
  - the injected SQL leads to no rows being returned when a condition (part of the injected SQL) is false. If no rows are returned, the app response to the user might change, hence the attacker can infer whether the condition is true or false.
  - the injected SQL leads to an SQL error when a condition is true. The SQL error may lead to a response change (e.g. an error page is shown).
  - the injected SQL leads to a time delay in the response when a condition is true. This time delay indicates that the condition is true, hence the attacker can check whether there is a time delay in the app response.
  - in the case of asynchronous lookups all the above techniques will not work, as there is absolutely no change in the response or time delay. The solution is to trigger a DNS lookup conditionally (the condition is part of the injected SQL). Detecting this DNS lookup can help in detecting the SQLi loophole. Read more: https://portswigger.net/web-security/sql-injection/blind and https://portswigger.net/web-security/sql-injection/cheat-sheet.
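An added example, not part of the original post: a defender-side check that scans web server access log lines for the request patterns the blind and UNION techniques above leave behind (a comment terminator after a quote, UNION SELECT, boolean conditions, time-delay functions) and reports which technique each request resembles. The log lines, the parameter name type and the signature list are constructed for this demo. The signatures are heuristics: they will not see an out-of-band DNS lookup, which appears in resolver logs rather than in the web server's access log, and a product name containing -- would be a false positive.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in common log format (not from the page).
# Request targets are URL-encoded exactly as a browser or tool would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /products?type=soundbar HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /products?type=soundbar%27-- HTTP/1.1" 200 9800
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /products?type=%27+UNION+SELECT+user_name%2C+pwd+FROM+user_master-- HTTP/1.1" 200 700
10.0.0.7 - - [10/Mar/2024:12:00:04 +0000] "GET /products?type=soundbar%27+AND+%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2024:12:00:05 +0000] "GET /products?type=soundbar%27%3B+SELECT+pg_sleep%2810%29-- HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "GET /products?type=tv-stand HTTP/1.1" 200 4100
"""

# Each signature names the injection technique it indicates. Order matters:
# the first match wins, so the most specific pattern comes first.
SIGNATURES = [
    ("comment-terminator", re.compile(r"'\s*(--|#|/\*)")),
    ("union-select",       re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean-condition",  re.compile(r"'\s*(AND|OR)\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("time-delay",         re.compile(r"\b(SLEEP|pg_sleep|BENCHMARK|WAITFOR\s+DELAY)\b", re.I)),
]

# Minimal parser for the fields we need from a common-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decoded_params(target):
    """Return the URL-decoded values of every query parameter in a request target."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        _, _, value = pair.partition("=")
        values.append(unquote_plus(value))
    return values


def flag_sqli(log_text):
    """Return (client_ip, technique, decoded_value) for each request whose
    parameter value matches one of the SQLi signatures."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in decoded_params(m.group("target")):
            for technique, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.append((m.group("ip"), technique, value))
                    break  # one verdict per parameter value
    return hits


if __name__ == "__main__":
    for ip, technique, value in flag_sqli(SAMPLE_LOG):
        print(f"{ip}\t{technique}\t{value!r}")
```

Decoding before matching is the important step: the raw log stores %27 and + rather than the quote and space the database saw, so signatures applied to the undecoded line would miss most of these requests.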
Preventing SQL injection
SQLi can be blocked with parameterized queries / prepared statements: the SQL text is fixed in the application and the untrusted value is handed to the database separately, so the value can never change the structure of the query.
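As an added example (not from the original post), the comment-indicator and UNION inputs from the examples above run against a small in-memory SQLite database, with the string-built query placed beside its parameterized form. The tables product_master and user_master, their columns (description is used instead of desc to avoid the reserved word) and the rows are constructed for this demo and are assumptions, not taken from any real application; the pwd values are placeholders.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory catalogue plus a credentials table (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_master (
            name TEXT, description TEXT, type TEXT, available TEXT);
        INSERT INTO product_master VALUES
            ('SB-100', 'Compact soundbar', 'soundbar', 'yes'),
            ('SB-200', 'Premium soundbar', 'soundbar', 'no'),
            ('TV-55',  '55 inch TV',       'tv',       'yes');
        CREATE TABLE user_master (user_name TEXT, pwd TEXT);
        INSERT INTO user_master VALUES
            ('alice', 'placeholder-hash-1'),
            ('bob',   'placeholder-hash-2');
    """)
    return conn


def vulnerable_search(conn, product_type):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so a quote, a comment indicator or a UNION in the input rewrites the query."""
    sql = (f"SELECT name, description FROM product_master "
           f"WHERE type = '{product_type}' AND available = 'yes'")
    return conn.execute(sql).fetchall()


def safe_search(conn, product_type):
    """Parameterized form: the SQL text is fixed and the value is bound separately,
    so '--' and UNION inside the input are compared as literal text, never parsed."""
    sql = ("SELECT name, description FROM product_master "
           "WHERE type = ? AND available = 'yes'")
    return conn.execute(sql, (product_type,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    for value in ("soundbar", "soundbar'--",
                  "' UNION SELECT user_name, pwd FROM user_master--"):
        print(f"{value!r}\n  vulnerable: {vulnerable_search(conn, value)}"
              f"\n  safe:       {safe_search(conn, value)}")
```

With the input soundbar both functions return only the available soundbar. With soundbar'-- the vulnerable function drops the availability filter and returns the unavailable product as well, and with the UNION input it returns rows from user_master; the parameterized function returns no rows for either, because no product has a type equal to that literal string.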
Read more: https://portswigger.net/web-security/sql-injection/examining-the-database (a UNION attack can be used for examining the database).