“Insertion” or “injection” of a SQL query via the input data from the client to the application… SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.”
SQL Injection is an attack techniques used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.
– Web Application Security Consotium
“SQL Injection is probably the most costly vulnerability in the history of software. This exploit is used to great effect by the hacking community since it is primary used to to steal sensitive data from web application, [yet it] remains one of the least understood.”
– Admichai Shulman
More Facts about SQL Injection
- SQL Injection affects applications, not just Web Applications
Any application that receives input and uses that input to solicit information from a data repository through the construction of SQL is potentially vulnerable to a SQLi attack, regardless of whether it is a web application desktop, client application or branch application, as well as whether the application is externally or internally facing.
- SQLi ranks no. 1 among CWE/SANS Top 25 Most Dangerous Software Errors (2011).
- SQL injection is responsible for 83% of successful hacking-related data breaches since 2005. — PrivacyRights.org
- Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800 – 1300 per hour.
How to Defence against SQL Injection?
- Input validation - do not trust any data from any source. Validate the information for content, length, format, and other factors prior to use.
- Parameterized statements - avoid dynamic SQL statements. Always bind data to parameters that clearly identify the data type of the bind value.
- Business rule validation - always apply business validation to input. Business validations include length, type, and expected value.
- Least privilege - only allow read only access to the data as a general rule, and other access as an exception. If a form within an application simply views the data, only call the database with a read-only database user. If adding or modifying data, call the database with a modify and add database use.
- Logging - always log access to data, modification of data, and, if necessary, access to the data.
- As a general rule, do not allow deletion - mark record for deletion and create a separate process to delete.
- Threat modelling - always threat model an application to understand access points to the database, input points to the application, and what boundaries and layers are involved through the data flow of the application.
- Error handling - do not throw detailed error messages to the screen for viewing by the user. The detailed information that is included in an error message is invaluable to an attacker providing valuable clues on how to modify the attack to allow the attack to execute without error.
More about SQL Injection
- How SQL Injection Attacks Work, Dennis Fisher. August 03, 2012.
- How to Stop SQL Injection, Rob Rachwald. January 05, 2012.
- SQL Injection – The Unknown Story, Rob Rachwald. October 26, 2011.
- Blind SQL Injection 1.0 – Attack Anatomy, Arvind Doraiswamy. October 25, 2011.
- SQL Injection: The Equal Opportunity Vulnerability, Mark Wireman. October 17, 2011.
- OWASP Appsec Tutorial Series – Episode 2: SQL Injection, Appsec Tutorial Series. February 08, 2011.
- SQL Injection Demonstrated. An InfoSec HOW-TO, InfoSec Institute. September 23, 2010.
- Passwords & Credit Card Numbers Hacked! SQL Injection Explained. Imperva Channel. July 14, 2010.
Performing SQL Injection
The SQL Injection Cheat Sheet is a good place to start.There are also many automation tool out there that can perform SQLi attack for you: SQLMap, Haviji, Damn Small SQLi Scanner, SQLNinja, Netspark Community Edition, The Mole, SpiderLabs / SQLol, SQLsus, MySQL Password Auditor, etc.
News on SQL Injection
- SQL Injection attacks jumped 69% in Q2, InfoSecurity Magazine. 03 Aug, 2012.
- Singapore University Hacked, Darren Pauli. Jan 05, 2012.
- SQL Injection Attack Hits 1 Million, Industrial Safety & Security Source. Jan 05, 2012.
- SQL Injection Attacks Spreads, SANS NewsBites. Jan 04, 2012.
- 4,000+ Sites Affected by SQL Injection Attack, SANS NewsBites. Dec 05, 2011.
- SQL injection attacks increasing in number, sophistication and potency, researchers find, Warwick Ashford. Sep 22, 2011.
- SQL Injection — by the Numbers, Imperva Channel. Sep 21, 2011.