EVERYTHING YOU NEED TO KNOW ABOUT SQL INJECTION ATTACKS & TYPES, SQLi CODE EXAMPLE, VARIATIONS, VULNERABILITIES & MORE

SQL Injection Attacks are one of the most popular attacks against web servers, websites and web applications. A fairly popular website can expect to receive anywhere between 80 and 250 SQL injection attacks on a daily basis and these figures can easily reach thousands when an SQL vulnerability is disclosed to the public.

This article aims to help network engineers, administrators, security experts and IT professionals understand what an SQL injection is by taking you step-by-step on how an HTTP SQL injection attack is executed using real code. 

Here is a list of topics we’ll cover:

• SQL Injection Attacks – Basics
• Example of an SQL Injection Vulnerability
• Exploiting SQL Injection Vulnerabilities
• Variations of SQL Injection Attacks
• In-Band SQL Injection
• Blind SQL Injection
• Out-of-Band SQL Injection
• Summary

Additional related articles:

• What is Cross-site Scripting (XSS)? How does XSS Work? Different Types of XSS Attacks
• Understanding, Avoiding & Protecting Against Cross Site Request Forgery Attacks
• Acunetix Online: Run a Free Scan for Network and Web Vulnerabilities. Detect, Prioritise and Manage Security Threats
• Automate Web Application Security - Why, How & The Necessary Tools
• Creating a Cross-site Scripting (XSS) Attack. Understanding How XSS Attacks Work & Identifying Web Vulnerabilities

SQL INJECTION ATTACKS - BASICS

SQL Injection, or SQLi for short, refers to an attack vector that exploits a web application by abusing the inherent trust between the web application and the database. An SQL injection attack would allow an attacker to perform malicious actions on the database through the use of specially crafted SQL commands. SQL is the most commonly used database query language, making it ideal for an attacker to target.

Since SQL Injection attacks can be performed against a wide array of applications, this attack is one of the most widely common and most critical of web vulnerabilities. So much so that injection attacks, such as SQL Injection, have placed first in OWASP’s Top 10 list, several times in a row.

SQL Injection attacks can allow an attacker to extract, modify, add and delete data from a database, in turn affecting data confidentiality, integrity and availability (since an attacker could potentially delete data and disrupt operations). In addition, an SQL Injection attack can be used as a springboard to escalate the attack.

EXAMPLE OF AN SQL INJECTION VULNERABILITY

A web application would typically communicate with a variety of back-end systems, including a database. Let’s take an HTML form, which inserts values into a database, as an example. 

Once the form is filled out and submitted, an HTTP request (usually a POST request) is sent to the web application, where the input values are directly included into the SQL statementthat will insert these values into the database. 

The only way an SQL Injection vulnerability could occur is if the web application trusts the user’s input without parameterizing it and using prepared statements. This is done by instructing the database that a certain part of the query should be executed while the rest is to be treated as the user’s input. 

Continue Reading ...