SQL Injection
The most common and successful injection attack technique
Happens when the attacker supplies SQL syntax through an input form, bypassing any front-end checks so that the injected statement is executed directly by the SQL database on the backend
Can also be attempted through the URL itself, for example by altering query-string values that are passed to an authentication check
Three Main Categories
In-band SQL Injection
Attacker uses the same communication channel to perform and retrieve the results of the attack
Most commonly used type
Examples
Union Query attack
Error-based - enter poorly constructed statements in an effort to get the database to respond with table names and other information in error messages
Tautology - inject a condition that is always true so that the query's check is satisfied regardless of the supplied input
Piggybacking - append a malicious statement to a legitimate request so that both are executed
Out-of-band SQL injection
Uses different communication channels for the attack and results
More difficult to pull off
Blind/Inferential
Attacker knows the database is vulnerable to injection
Error messages and query results are not returned to the attacker, who must infer outcomes from the application's behaviour
Requires a lot more guesswork and trial and error
Takes a long time to pull off
Remediation
Prepared Statements (With Parameterized Queries):
Developers write the SQL query with placeholders, and user input is bound to those placeholders afterwards as parameters
This ensures that the structure of the SQL statement cannot change, because the database receives the query and the data separately and never parses the input as SQL
Input Validation
Uses an allow list to restrict input to expected values or patterns; can also filter at the character level by specifying which characters are allowed or disallowed
Escaping User Input
Prepends a backslash to characters such as
' " $ \
so that they are parsed as ordinary string content rather than as special characters
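The following is an added example (not from the original notes) that puts the first two remediations side by side: a login check built by string concatenation, the same check as a prepared statement with parameter placeholders, and an allow-list validator in front of it. It uses Python's standard sqlite3 module with a constructed in-memory table; the table, user names and password values are assumptions made for the demonstration. Escaping is left out on purpose, since it is database-specific and the parameterized form already makes the structure of the statement fixed.

```python
import re
import sqlite3


def make_db():
    # Constructed sample database for the demonstration (not from the notes)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: the statement text is assembled from user input,
    # so the database cannot tell where the query ends and the data begins.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Remediated pattern: prepared statement with '?' placeholders.
    # The query structure is fixed; the input is bound afterwards as data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Allow list for usernames: letters, digits and underscore, 1 to 32 characters.
# This is an assumed policy chosen for the example.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    # Returns True only when the whole value matches the allow list.
    return USERNAME_ALLOWED.fullmatch(username) is not None


def login_validated(conn, username, password):
    # Defence in depth: reject unexpected input first, then use the
    # parameterized query for the actual check.
    if not validate_username(username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed always-true input for the check
    print("vulnerable, bad password:", login_vulnerable(db, "alice", tautology))
    print("parameterized, bad password:", login_parameterized(db, "alice", tautology))
    print("validated, bad username:", login_validated(db, "alice' --", "x"))
```

Running the script shows the concatenated query accepting a password that is not the stored one because the appended condition is always true, while the parameterized query treats the same string purely as a password value and returns no row. The allow-list check rejects a username containing quote or comment characters before any query is sent, which is the behaviour the input validation remediation describes.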
Tools
Sqlmap
sqlninja
Havij
SQLBrute
Pangolin
SQLExec
Absinthe
BobCat