SQL Injection

SQL injection is a common attack that uses malicious SQL code to access unauthorized information in databases. There are three main types of SQL injections: in-band, inferential/blind, and out-of-band. In-band SQLi uses errors or unions to access data in the response. Blind SQLi observes server responses over time to learn database structure without direct data access. Out-of-band SQLi transfers data to the attacker through other channels like DNS if in-band is blocked. Prevention methods include input validation, patching, and using a web application firewall.


SQL INJECTION

SQL injection, also known as SQLi, is a common attack vector that uses malicious SQL code for backend
database manipulation to access information that was not intended to be displayed. This information may
include any number of items, including sensitive company data, user lists or private customer details.
SQL stands for Structured Query Language, a computer language used to communicate with databases.
SQL queries can be used for legitimate purposes, such as retrieving details from large data sets, or as
a cybercrime tool.
Types of SQL Injections
SQL injections fall into three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and
Out-of-band SQLi. SQL injection types can be classified by the method they use to access backend data
and by their damage potential.

In-band SQLi
The attacker uses the same channel of communication to launch their attacks and to gather their results.
In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There
are two sub-variations of this method:

- Error-based SQLi: the attacker performs actions that cause the database to produce error
messages. The attacker can potentially use the data provided by these error messages to gather
information about the structure of the database.
- Union-based SQLi: this technique takes advantage of the UNION SQL operator, which combines the
results of multiple SELECT statements into a single result set that is returned in a single HTTP
response. This response may contain data that can be leveraged by the attacker.
Inferential (Blind) SQLi
The attacker sends data payloads to the server and observes the response and behavior of the server to
learn more about its structure. This method is called blind SQLi because the data is not transferred from
the website database to the attacker, thus the attacker cannot see information about the attack in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically
slower to execute but may be just as harmful. Blind SQL injections can be classified as follows:

- Boolean-based: the attacker sends a SQL query to the database, prompting the application to return
a result. The result varies depending on whether the query evaluates to true or false, so the content
of the HTTP response either changes or stays the same. From that difference the attacker can work out
whether the query produced a true or a false result.
- Time-based: the attacker sends a SQL query that makes the database wait for a set number of seconds
before responding. The HTTP response is therefore returned either immediately or only after the delay,
and from the time the database takes to respond the attacker can work out whether the query returned
true or false, without relying on any data from the database.
Out-of-band SQLi
The attacker can only carry out this form of attack when certain features are enabled on the database
server used by the web application. This form of attack is primarily used as an alternative to the in-band
and inferential SQLi techniques.

Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and
gather information, or when a server is too slow or unstable for these actions to be performed. These
techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an
attacker.
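The four injection styles described above leave different traces in a web server's access log. As an added example that is not part of the original document, the following Python script classifies constructed access-log lines into error-based, union-based, boolean-based and time-based probing using the indicators the text names (a quote that triggers a server error, the UNION operator, true/false comparisons, and deliberate delays); the log format and indicator patterns are the author's assumptions and are only heuristics.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original document); query
# strings are URL-encoded the way a web server records them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=12 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=12%27 HTTP/1.1" 500 88
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=12%20UNION%20SELECT%201,2 HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=12%20AND%201%3D1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=12%20AND%201%3D2 HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:11 +0000] "GET /item?id=12%3BSELECT%20pg_sleep(5) HTTP/1.1" 200 512
"""

# Common log format: client, identity, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) (\d+)$')

# Indicators grouped by the SQLi category described in the text. These are
# detection heuristics (assumed patterns), so expect to tune them against real traffic.
INDICATORS = {
    "union-based": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time-based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "boolean-based": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
}

def classify_request(path, status):
    """Return the SQLi category a request looks like, or None if it looks benign."""
    query = unquote_plus(path.partition("?")[2])  # decode only the query string
    for label, pattern in INDICATORS.items():
        if pattern.search(query):
            return label
    # A lone quote that produces a server error is the hallmark of error-based probing.
    if "'" in query and status == 500:
        return "error-based"
    return None

def scan_log(text):
    """Yield (client_ip, category, raw_path) for every suspicious line in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, _ts, _method, path, status, _size = m.groups()
        label = classify_request(path, int(status))
        if label:
            findings.append((ip, label, path))
    return findings

if __name__ == "__main__":
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip}  {label:14} {path}")
```

The boolean-based pair (1=1 followed by 1=2 from the same client with a different response size) is the pattern worth alerting on, since a single comparison can be a false positive.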
SQL injection examples
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different
situations. Some common SQL injection examples include:

- Retrieving hidden data, where you can modify an SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application's
logic.
- UNION attacks, where you can retrieve data from different database tables.
- Examining the database, where you can extract information about the version and structure of the
database.
- Blind SQL injection, where the results of a query you control are not returned in the application's
responses.
How to prevent SQL injection attacks
The first step is to identify whether your business is vulnerable by attempting to gain access yourself.
You can achieve this by writing your own code, or by using an automated SQL injection tool to find any
vulnerabilities.
Once you know how significant the threat is, work through the following steps to help prevent an SQL
injection attack and stop hackers in their tracks:

- Update and patch any vulnerabilities in your databases that a hacker may be able to exploit using
SQL injection, such as verbose error message settings. You may also want to consider deploying a web
application firewall to filter out malicious data.
- Use input validation for all user-submitted data. This can be done by utilising the database
management system's own mechanisms to ensure that any dangerous characters, such as the apostrophe,
are not passed to an SQL query as part of the data. Also, consider sanitising all data by filtering it
by context. For example, email address fields should not allow any characters that do not appear in
email addresses, phone numbers should only allow digits, etc.
- Modern web application firewalls are also often integrated with other security solutions. From
these, a WAF can receive additional information that further augments its security capabilities.
Imperva cloud-based WAF uses signature recognition, IP reputation, and other security
methodologies to identify and block SQL injections, with a minimal amount of false positives.
The WAF's capabilities are augmented by IncapRules, a custom security rule engine that enables
granular customization of default security settings and the creation of additional case-specific
security policies.
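The input-validation step above is easiest to see in code. As an added example that is not part of the original document, the following Python script builds a constructed in-memory SQLite table, shows the vulnerable string-concatenated lookup beside a parameterized one (the mechanism by which a driver keeps an apostrophe from being passed to the query as SQL), and adds the context-based checks the text recommends for email and phone fields; the table, regexes and function names are the author's assumptions.

```python
import re
import sqlite3

# Constructed demo database (not from the original document).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
conn.executemany("INSERT INTO users (email, phone) VALUES (?, ?)",
                 [("alice@example.com", "5551234567"),
                  ("bob@example.com", "5559876543")])

def find_user_vulnerable(email):
    """The 'before' version: concatenation lets an apostrophe in the input close the
    string literal, so the rest of the input is executed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(email):
    """Hardened version: the driver sends the value separately from the SQL text, so
    an apostrophe is plain data and cannot change the structure of the query."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

# Allow-lists per field context, as the text recommends (assumed formats).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^[0-9]{7,15}$")

def validate_by_context(field, value):
    """An email field admits only email characters, a phone field only digits."""
    if field == "email":
        return bool(EMAIL_RE.match(value))
    if field == "phone":
        return bool(PHONE_RE.match(value))
    raise ValueError("unknown field: " + field)

def lookup(email):
    """Defence in depth: reject out-of-context input first, then query with parameters."""
    if not validate_by_context("email", email):
        return []
    return find_user_parameterized(email)

if __name__ == "__main__":
    # Constructed input of the "subverting application logic" kind from the text.
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(probe))      # every row: the comparison became a tautology
    print(find_user_parameterized(probe))   # []: no user has that literal address
    print(lookup("alice@example.com"))      # ['alice@example.com']
```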
