SQL Injection (SQLi) Attacks: Definition, Examples, and Prevention

What Is SQL Injection (SQLi)?

SQL injection is a common attack technique that can compromise a database. By "injecting" a SQL command or code fragment into a legitimate data entry field (such as a password field), an attacker can use SQL to communicate directly with the database. This works because SQL does not differentiate between the control plane (the statement) and the data plane (the values it operates on): input that is concatenated into a statement is interpreted as part of the statement.

A successful exploit can trick the database into revealing restricted data, modify data, execute administrative operations on the database (such as shutting down a DBMS like Db2), recover the contents of a file on the DBMS file system, and even issue commands to the operating system.

SQLi is a type of code injection attack.

Examples of SQL Injection Attacks

In-Band SQLi

An attacker uses the same communication channel, such as a database error message or the UNION SQL operator, to both launch the attack and collect its results.


Inferential (Blind) SQLi

By sending payloads to a server, an attacker can observe a web application's response and reconstruct the database based on the server's behavior.


Out-of-Band SQLi

An attacker extracts data through an outbound channel, such as a DNS or HTTP request, rather than through the application's response. This type of attack is typically used when the attacker cannot retrieve results over the same channel, so an in-band SQLi attack is not possible.


Protection Against SQLi Attacks

Here are some ways to protect against SQL injection attacks:

  1. Use parameterized queries, validate user-submitted input, and use stored procedures
  2. Avoid dynamic SQL
  3. Block known malicious input
  4. Sanitize inputs

Limiting the ways that queries are made to the database can close loopholes that attackers use. Stored procedures combat SQL injection attacks by limiting the types of statements that can affect the database.

One approach is to enforce strict input validation by only accepting characters from a list of safe values (also known as whitelisting). Another approach rejects any input that matches a list of potentially malicious values (also called blacklisting).
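To make the "parameterized queries, not dynamic SQL" and "whitelist validation" points concrete, here is an added example (not code from the original article or from ExtraHop) using Python's built-in sqlite3 module against a constructed in-memory table. It contrasts a login check built with string concatenation against the parameterized form, and shows why an allowlist is still needed for the one thing parameters cannot bind: identifiers such as a column name in ORDER BY.

```python
import sqlite3

# Constructed sample data for the demo; a real system stores password hashes.
SAMPLE_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_dynamic(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Vulnerable: input is concatenated into the SQL text, so the data plane
    # and the control plane are one string and the input can alter the WHERE.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened: the statement text is fixed; values are bound separately and
    # the driver never interprets them as SQL, whatever characters they hold.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


# Allowlist (whitelist) of column names a caller may sort by.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list[str]:
    # Identifiers cannot be bound as parameters, so strict allowlisting of
    # known-safe values is the only sound option before interpolating.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # constructed input typed into the password field
    print(login_dynamic(db, "alice", tampered))        # True: the check is bypassed
    print(login_parameterized(db, "alice", tampered))  # False: treated as plain data
    print(list_users_sorted(db, "role"))               # ['alice', 'bob']
```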

Blocking everything except approved entries can be very effective, but is difficult to implement and requires continual maintenance. Attempting to block malicious inputs is generally seen as an ineffective technique because there are many ways to fool the filters looking for malicious code. For example, attackers can:

  • Use upper and lowercase letters to bypass case-sensitive filters
  • Use the escape character to bypass filters
  • Use different types of encoding to avoid detection

These are just a few of the many methods used to try to bypass these types of defenses.

Detection of this attack can be improved with decryption, because SQL injection attacks usually arrive over HTTPS on port 443, encrypted with protocols such as TLS. Additionally, decrypted SQL traffic between the application and the database can itself be used to detect SQL injection style attacks. For that reason, it's critical that security tools have decryption capabilities for all common encryption protocols, including TLS 1.3 and Kerberos.


SQL Injection History

Jeff Forristal, under the alias Rain Forest Puppy, is credited with being the first to document SQL injection in his posts in Phrack Magazine in December 1998. At the time, he was writing about how to break into Windows NT servers when he discovered that entering certain commands could force a server to give up information stored on it. Fifteen years after its initial disclosure, SQLi remains among the top vulnerabilities.