SQL injection
SQL injection (SQLi) is a type of injection vulnerability in which an attacker supplies crafted SQL strings, also known as payloads, through a target application's input so that they become part of the query the application sends to its backend database, and thereby gains control over that database. Because any website or web application that builds SQL commands from user input can be affected, this vulnerability is ranked as one of the oldest, most critical, and most dangerous web vulnerabilities.
The impact of an SQL injection attack on a business depends on how deeply it is exploited. A successful SQLi attack can allow unauthorized access to user lists, deletion of all data and, in some cases, administrative rights over the database for the attacker, all of which are critical to a business.
The cost of an SQL injection vulnerability depends on several factors. When estimating the damage done by an SQL injection attack, it is important to consider the following:
- Disclosure of user credentials
- Disclosure of credit card details
- Disclosure of phone numbers
- Disclosure of user location
An SQL injection vulnerability, in the right circumstances, can be used to bypass the target application's authentication and authorization mechanisms; it can also be used to add, delete, modify, and update database contents, thereby affecting data integrity.
A basic example of an SQL injection attack starts from a URL such as the one an e-commerce store uses to look up an item in its database: http://www.store.com/items/items.asp?itemid=111.
The backend query of the application looks something like the following:
SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = 111
So, if a condition such as 1=1 is appended to the target URL, the application will always return a positive response, because that condition is true for every row. Now suppose, for instance, that item number 991 is a product accessible only to users with certain privileges. If "or 1=1" is appended to itemid, the WHERE clause matches every row, so that product is returned along with all the others: http://www.store.com/items/items.asp?itemid=111 or 1=1.
The query will be reflected in the database as follows:
SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = 111 or 1=1
Attackers can also exploit incorrectly filtered characters to change SQL commands, for example by using a semicolon to terminate one statement and start a second one. With the following URL string, an attacker can delete an entire database table: http://www.store.com/items/items.asp?itemid=111; DROP TABLE Users.
This will change the database string as follows:
SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = 111; DROP TABLE USERS
Once the attacker's SQL query executes, the database response is returned to the application and processed as if it came from a legitimate request, which results in authentication bypass and the disclosure of data.
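The two query shapes above (the "or 1=1" lookup and the semicolon-separated DROP TABLE) both come from pasting the raw itemid parameter into the SQL text. The following added example, which is not code from the original article, shows that pattern beside its hardened form using Python's built-in sqlite3 module and a constructed Items table; the table contents, the Restricted column and the function names are assumptions made for the demonstration. With a bound parameter the whole payload is treated as one value to compare against ItemNumber, so it matches nothing and no second statement is ever parsed; the integer check in front of it rejects the input before it reaches the database at all.

```python
import sqlite3

# Constructed sample data (not from the article): item 991 is the restricted product.
SAMPLE_ITEMS = [
    (111, "Keyboard", "Standard keyboard", 0),
    (222, "Mouse", "Optical mouse", 0),
    (991, "Admin console", "Restricted product", 1),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed Items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT, "
        "ItemDescription TEXT, Restricted INTEGER)"
    )
    conn.executemany("INSERT INTO Items VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_vulnerable(conn, itemid):
    """The pattern the article describes: itemid is concatenated into the SQL text.
    Whatever the user supplies becomes part of the WHERE clause, so
    "111 or 1=1" turns the condition into one that is true for every row."""
    sql = "SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = " + itemid
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, itemid):
    """Hardened form: the value travels as a bound parameter, never as SQL text.
    The database compares ItemNumber against the whole string literally, so a
    payload such as "111 or 1=1" or "111; DROP TABLE Users" matches no row and
    is never parsed as SQL."""
    sql = "SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = ?"
    return conn.execute(sql, (itemid,)).fetchall()


def lookup_validated(conn, itemid):
    """Defence in depth: itemid must be an integer before the query is built.
    Anything else is rejected with ValueError and never reaches the database."""
    try:
        number = int(itemid)
    except (TypeError, ValueError):
        raise ValueError("itemid must be an integer") from None
    return lookup_parameterized(conn, number)


def table_row_count(conn):
    """Return how many rows Items holds, to confirm the table survived a lookup."""
    return conn.execute("SELECT COUNT(*) FROM Items").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "111"))
    print("vulnerable, injected input:", lookup_vulnerable(db, "111 or 1=1"))
    print("parameterized, injected input:", lookup_parameterized(db, "111 or 1=1"))
    print("parameterized, stacked input:", lookup_parameterized(db, "111; DROP TABLE Users"))
    print("rows still in Items:", table_row_count(db))
```

Running the script shows the vulnerable lookup returning all three items, including the restricted one, for the injected input, while the parameterized lookup returns an empty result for the same input and the Items table keeps all of its rows. Parameterization is the primary fix; the integer check is worth keeping as well because it turns a malformed itemid into an application-level error that can be logged and alerted on, rather than a silent empty result.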