Using SQL injection, attackers can perform unauthorized database commands on a victim's SQL database.
After reading this article you will be able to:
Related Content
Web application security?
Cross-site request forgery
What is a data breach?
Buffer overflow attack
What is the OWASP Top 10?
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Structured Query Language (SQL*) Injection is a code injection technique used to modify or retrieve data from SQL databases. By inserting specialized SQL statements into an entry field, an attacker is able to execute commands that allow for the retrieval of data from the database, the destruction of sensitive data, or other manipulative behaviors.
With the proper SQL command execution, the unauthorized user is able to spoof the identity of a more privileged user, make themselves or others database administrators, tamper with existing data, modify transactions and balances, and retrieve and/or destroy all server data.
In modern computing, SQL injection typically occurs over the Internet by sending malicious SQL queries to an API endpoint provided by a website or service (more on this later). In its most severe form, SQL injection can allow an attacker to gain root access to a machine, giving them complete control.
*SQL is a programming language used to maintain most databases.
Imagine a courtroom in which a man named Bob is on trial, and is about to appear before a judge. When filling out paperwork before the trial, Bob writes his name as “Bob is free to go”. When the judge reaches his case and reads aloud “Now calling Bob is free to go”, the bailiff lets Bob go because the judge said so.
While there are slightly different varieties of SQLi, the core vulnerability is essentially the same: a SQL query field that is supposed to be reserved for a particular type of data, such as a number is instead passed unexpected information, such as a command. The command, when run, escapes beyond the intended confines, allowing for potentially nefarious behavior. A query field is commonly populated from data entered into a form on a webpage.
Let’s look at at a simple comparison between normal and malicious SQL statements:
In this normal SQL query, the studentId string is passed into a SQL statement. The goal is to look through the list of students for a student that matches the studentId entered. Once found, that student’s record will be returned. Put simply, the command says “go find this user and give me their data”.
The code might look something like this:
studentId = getRequestString("studentId");
lookupStudent = "SELECT * FROM students WHERE studentId = " + studentId
If a student enters a student ID of 117 inside a webpage form labelled 'Please enter your student ID number'
the resulting SQL query will look like:
SELECT * FROM students WHERE studentId = 117;
This command will return the record for the particular student with a studentId, which is what the developer who wrote the API expects to have happen.
In this example, an attacker instead enters a SQL command or conditional logic into the input field, he enters a student ID number of:
Where normally the query would search the database table for the matching ID, it now looks for an ID or tests to see if 1 is equal to 1. As you might expect, the statement is always true for every student in the column, and as a result, the database will return all data from the students table back to the attacker making the query.
SELECT * FROM students WHERE studentId = 117 OR 1=1;
SQLi works by targeting a vulnerable Application Programming Interface or API. An API in this case is the software interface through which a server receives and responds to requests.
Commonly used tools exist that allow a malicious actor to automatically search through a website looking for forms, and then attempt to input various SQL queries that may generate a response that the website’s software developers did not intend in order to exploit the database.
SQL injections are easy to implement, and interestingly, also fairly easy to prevent given the proper development practices. The reality is more murky, as tight deadlines, inexperienced developers, and legacy code often result in variable code quality and security practices. A single vulnerable field on any form or API endpoint across a website that has access to a database may be sufficient to expose a vulnerability.
There are number of methods for reducing the risk of a data breach due to SQL injection. As a best practice, several strategies should be utilized. Let’s explore a few of the more common implementations:
In order to circumvent security measures, clever attackers will sometimes implement multi-vector attacks against a targeted website. While a single attack may be mitigated, it can also become the focus of attention for database administrators and information security teams. DDoS attacks, DNS hijacking and other methods of disruption are sometimes used as a distraction to implement sweeping SQL injection attacks. As a result, a comprehensive threat mitigation strategy provides the widest range of protection. Cloudflare’s web application firewall, DDoS mitigation and DNS security comprise core elements of a holistic security strategy.