How to Protect website from SQL Injection Attack
SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity.
How SQL Injection works
An SQL Injection attack starts with locating an input the attacker controls. For the attack to take place, the vulnerable website needs to include user input directly within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)
The above script is a simple example of authenticating a user with a username and a password against a database that has a table named users with username and password columns.
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload could be something as simple as setting the password field to
password' OR 1=1
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
An attacker can also comment out the rest of the SQL statement to control the execution of the SQL query further.
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass.
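To make both the bypass and its fix concrete, the following is an added Python example written for this page (not code from the original article). It builds an in-memory SQLite database with constructed sample users, runs the page's comment-based payload against the concatenated query from the pseudo-code above, and then against a parameterized query. The table, column and function names are assumptions chosen to mirror the pseudo-code.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, plaintext passwords only to
    mirror the page's schema (real applications store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """Same string concatenation as the page's pseudo-code: user input becomes
    part of the SQL text, so quotes and comment markers change the statement."""
    sql = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # An unterminated quote (e.g. the payload without a trailing comment)
        # is a syntax error; treat it as a failed login.
        return None
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Hardened version: the statement text is fixed and the values are bound
    as parameters, so the database never parses user input as SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"  # comment-based payload from the page
    print("vulnerable, wrong user + payload:", login_vulnerable(db, "nobody", bypass))
    print("parameterized, wrong user + payload:", login_safe(db, "nobody", bypass))
    print("parameterized, valid credentials:", login_safe(db, "alice", "s3cret"))
```

With the concatenated query the payload logs in as the first user in the table without knowing any password; with the parameterized query the same input is simply compared as a literal password string and no row matches. Note also that the bare `password' OR 1=1` form from the page leaves a dangling quote, which strict parsers such as SQLite reject as a syntax error, which is why the comment-terminated variants are listed.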
What’s the worst an attacker can do with SQL?
SQL is a programming language designed for managing data stored in an RDBMS, therefore SQL can be used to access, modify and delete data. Furthermore, in specific cases, an RDBMS could also run commands on the operating system from an SQL statement.
The following points summarise what an attacker can achieve through an SQL Injection attack:
- An attacker can use SQL Injection to bypass authentication or even impersonate specific users.
- One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL Injection vulnerability could allow the complete disclosure of data residing on a database server.
- Since web applications use SQL to alter data within a database, an attacker could use SQL Injection to alter data stored in a database.
- SQL is used to delete records from a database. An attacker could use an SQL Injection vulnerability to delete data from a database.
- Some database servers are configured (intentionally or otherwise) to allow arbitrary execution of operating system commands on the database server.
The anatomy of an SQL Injection attack
An SQL Injection needs just two conditions to exist.
1) A relational database that uses SQL.
2) User-controllable input that is used directly in an SQL query.
In the example below, we assume the goal is to exfiltrate data through an SQL query supplied in the URL. The UNION operator lets the rows of an injected query be appended to the result of the original query, which forces the application to return that data within the HTTP response – this technique is referred to as union-based SQL Injection.
The following is an example of such a technique. This can be seen on testphp.vulnweb.com, an intentionally vulnerable website hosted by Acunetix.
The following HTTP request is a normal request that a legitimate user would send.
GET http://testphp.vulnweb.com/artists.php?artist=1 HTTP/1.1
Host: testphp.vulnweb.com
Although the above request looks normal, the artist parameter in the GET request’s query string is vulnerable to SQL Injection.
The value -1 is chosen so that the original query matches no artist, leaving only the injected part to supply rows. In SQL Injection, the UNION operator is commonly used to allow an attacker to join a malicious SQL query. The result of the injected query will be joined to the result of the original query.
GET http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1, 2, 3 HTTP/1.1
Host: testphp.vulnweb.com
The above example shows how an attacker first probes the number of columns the original query returns, and which of them are reflected in the page, before extracting data from other tables. The following example shows how an SQL Injection payload could be used to exfiltrate data from this intentionally vulnerable site.
GET http://testphp.vulnweb.com/artists.php?artist=-1 UNION SELECT 1,pass,cc FROM users WHERE uname='test' HTTP/1.1
Host: testphp.vulnweb.com
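The union-based requests above can be reproduced and then closed off in a few lines. The following is an added Python example (not code from the original page or from the testphp.vulnweb.com site): it models the artists.php handler over an in-memory SQLite database with constructed sample rows, runs the two `artist` parameter values shown above through a concatenating handler, and then through a hardened handler that validates the parameter as a positive integer and binds it. Table, column and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample schema: an artists table the page legitimately
    reads, and a users table with columns named as in the page's payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT, adesc TEXT)"
    )
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT, cc TEXT)")
    conn.execute(
        "INSERT INTO artists VALUES (1, 'Constructed Artist', 'sample description')"
    )
    # Constructed values; 4111-1111-1111-1111 is a well-known test card number.
    conn.execute("INSERT INTO users VALUES ('test', 'test', '4111-1111-1111-1111')")
    conn.commit()
    return conn


def artist_page_vulnerable(conn, artist_param):
    """Concatenates the raw ?artist= value into the statement, exactly the
    pattern that lets the UNION payload append rows from another table."""
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=" + artist_param
    return conn.execute(sql).fetchall()


def artist_page_safe(conn, artist_param):
    """Hardened handler: reject anything that is not a plain positive integer
    (HTTP 400), then bind the value as a parameter. Returns (status, rows)."""
    if not artist_param.isdigit():
        return 400, []
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id=?"
    return 200, conn.execute(sql, (int(artist_param),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "-1 UNION SELECT 1, 2, 3"
    exfil = "-1 UNION SELECT 1,pass,cc FROM users WHERE uname='test'"
    print("vulnerable, normal:", artist_page_vulnerable(db, "1"))
    print("vulnerable, column probe:", artist_page_vulnerable(db, probe))
    print("vulnerable, exfiltration:", artist_page_vulnerable(db, exfil))
    print("hardened, normal:", artist_page_safe(db, "1"))
    print("hardened, exfiltration:", artist_page_safe(db, exfil))
```

The vulnerable handler returns the probe's `(1, 2, 3)` row, confirming three reflected columns, and then the `pass` and `cc` values of the user `test` in place of an artist. Parameter binding alone would already stop this, since the whole string is compared as a single value and matches no artist_id; the integer check on top of it turns a malformed request into a clear 400 response, which is also a useful signal to log and alert on.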