Introduction to SQL Injection Attack
Whenever the application interacts with the database server and requests for some data then the attackers may interfere in between and get access to those things and the data that is being retrieved or being sent from and to the database server is called an Injection attack in SQL. In case, if the data transfer involves sharing of some sensitive data like the information about some third parties, personal data, passwords, credit card details, etc then it becomes extremely dangerous if it gets access by some attacker and may lead to a bad impression of the company’s reputation and also financial loses.
Besides this, the attacker may not only get access to the data but can also be able to modify the data and get the continuous persistent access to the back end database of the organization for a long-duration which might cause huge losses to be incurred by the organization later. In this article, we will see about some of the vulnerabilities that can be caused due to SQL injection attacks and get known with some of the possible injection attacks and the preventive measures that should be taken o maintain the security of applications from the attacks like this.
Different Injection Attacks
When an unauthorized person and get access and modify the contents of the database that it is not supposed to then this type of attack that compromises the security of sensitive and private contents of the database is called as injection attacks as the attacker tries to change the query statements and then get the access to it using it. Many of the recent attacks and breaches of the data from the database has been proved to be the result of the Injection attacks and this needs to be seriously taken care of in every application.
Some of the types or examples of the SQL injection attacks, techniques and vulnerabilities include as specified below:
1. Examining the Database
This type of injection attack involves getting to know about the details of the version of the SQL that is being used by the application and also the structure of the database including tables and column details which will help the attacker to get know your database and then further find new ways to exploit it.
For example, in many of the database management systems for relational data their exist a schema named information_scheme which stores the details of the tables and its structure. This type of information can easily be retrieved by executing the following query statement.
SELECT * FROM information_schema.tables
2. Subverting Application Logic
This type of attack involves changing the application logic to change its behavior permanently by simply modifying the resultset retrieved from the query request sent to the database server.
For an example of subversion of application logic using the query changes in injection attacks let us consider a simple example where we are asked for the name and password of the user whenever he/ she tries to log in to our application. For instance, let us consider that the user with name “abc” and password “xyz” tries to log in and internally we have made the use of the select query statement to verify the user’s credentials in the following manner.
SELECT * FROM user_information where name="abc" and password ="xyz";
And if the result obtained from the above query is greater than zero then our application permits access to out application to that user. The attacker may simply add after the specification of the name the double dash and space (– ) which is for the comment specification in SQL as shown below.
SELECT * FROM user_information where name="abc"-- " and password ="xyz";
This will result in the execution of the query that finds out the record whose name is abc. The attacker can simply log in with name abc without mentioning any password and he will get access to the application straight away.
3. UNION Attacks
Using this technique for injection attacks the attacker can retrieve some additional contents from the database along with the resultset of the current request being made. For instance, consider that the user is trying to retrieve the list of his / her contacts the using UNION clause appending to the original query statement the attacker may be able to find out the adjoining table details like password details and so which can hamper the security and unauthorized access of application by the attacker in future.
4. Retrieving Hidden Data
This type of attack involves when there are no preventive measures taken against the SQL injections by the application.
Let us see this technique simply by considering an example of online shopping where the customer or user enters the search string and searching for the particular product say for the cartwheel and the URL that generates for that request is somewhat like following.
And internally check for items takes place using query shown below and the resultant is sent back to the user that satisfies its requirements.
SELECT * FROM shopping WHERE items = 'cartwheel';
And the attacker simply changes the URL to the following that includes the addition of OR and a condition that will always result to true as shown below.
And this change by attacker leads to following query construction.
SELECT * FROM shopping WHERE items = 'cartwheel' OR 1=1;
Which will result in the items that will include the list of all items even those to which the customer should not be accessed.
Prevention of SQL Injection Attacks
Most of the above-mentioned SQL injection attacks can simply be prevented by using the prepared statements than the concatenated strings for building the query statements in your application.
For example, if you are creating the SQL statements in the following manner in your application.
String queryString = "SELECT * FROM items WHERE object = '"+ requiredObject + "'";
Statement sqlStat = connection.createStatement();
ResultSet finalResult = sqlStat.executeString(queryString);
then simply replace it with the following coding pattern -
PreparedStatement sqlStat = connection.prepareStatement("SELECT * FROM items WHERE object = ?");
ResultSet finalResult = sqlStat.executeString();
When an unauthorized person get access and modify the contents of the database that it is not supposed to then this type of attack that compromises the security of sensitive and private contents of the database is called as injection attacks as the attacker tries to change the query statements and then get the access to it using it. We can prevent this simply by using prepared statements instead of concatenated strings for specifying our query statements in our applications.
This is a guide to SQL Injection Attack. Here we discuss the introduction, different injection attacks and prevention respectively. You may also have a look at the following articles to learn more –