When a client-side user searches for content on a website, logs into an account on a web application, or fills out any type of interactive form online, they are submitting data to query information from an underlying (in most cases SQL) database. At a high level, the website/web app first receives a user’s information through a designated user-input field, then structures a SQL query to store, modify or validate that information in some way, and finally returns a result which the user can view on their browser.
In many ways, these simple interactions with SQL databases embody the utility of the internet, enabling clients and hosts to exchange and mutually benefit from valuable data sets at high speeds.
The user input fields which capture and submit valuable client-side information, however, also represent direct pathways that cyber criminals can use to access database information without authorization. If a website/web app fails to rigorously secure its user input fields, threat actors can abuse the SQL queries the application builds automatically from that input by submitting crafted input of their own, inducing the database to take unauthorized actions on their behalf.
This attack vector, referred to as SQL Injection (SQLI), is a very common web security threat which has impacted dozens of high-profile websites/web apps in the past few decades. It remains an extremely attractive attack vector due to the steadily increasing volume of sensitive data that users provide to online services.
How do SQLI Attacks Work?
To carry out an SQLI attack, an attacker must first identify a vulnerable website/web application. In this context, a vulnerable website/web app is generally one which does not properly validate or sanitize user input before placing that input in a database query. A website/web app's degree of vulnerability can also be affected by out-of-date technology; SQLI attacks are far more commonly carried out against websites/web apps built on older, legacy interfaces.
Once a vulnerability is identified, the attacker can enter a malicious query into a vulnerable user-input field. These input fields most often include login forms (where authentication details are entered), search fields (where publicly available resources are queried), contact forms (where personal information is entered), feedback forms, and even URL parameters in some cases.
What is the Impact of an SQLI Attack?
When a website/web app executes a query shaped by attacker-supplied input against the database, the attacker can retrieve information far beyond what the original request was designed to return. The extent of the damage caused by these attacks therefore varies significantly with the skill and sophistication of the individual attacker.
The most common goal of an SQLI attack is to read (access) sensitive user data in the database. Personal information, such as email addresses and phone numbers, can be stolen by the attacker and sold to malicious third parties and/or used to carry out subsequent cyber-attacks. The simplicity of this goal makes any website that stores sensitive user information, regardless of its size or reputation, a worthwhile target for motivated threat actors.
In addition, database information can be deleted outright in SQLI attacks, resulting in severe financial losses for the affected website/web app. Administrative database permissions can also be obtained, allowing the attacker to control the database. In extreme cases, the attacker can even gain complete control of the application and/or issue commands to the operating system itself.
How Can SQLI Attacks be Prevented?
To prevent SQLI attacks, websites/web apps should parameterize every database query using prepared statements, and should apply input validation that scrutinizes user input before any query is built from it.
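The following is an added illustration, not code from this post or from Cloudmersive: the string-building pattern that causes SQLI placed beside the parameterized form and an input-validation layer, in Python against an in-memory SQLite table. The table contents, the lookup function names and the USERNAME_RE allowlist are assumptions constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# application's user store. Names and addresses are made up.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the input is spliced into the SQL text, so any
    # quote in it is parsed as SQL syntax rather than treated as data.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: a prepared statement with a bound parameter. The
    # driver passes the input as a value; it can never alter the query.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allowlist for the expected shape of a username (an assumption for this demo).
# Apostrophes are legitimate in names, which is why validation alone is not
# a substitute for parameter binding.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")

def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: validate the input before building any query, and
    # still bind it as a parameter rather than trusting the validator alone.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed input validation")
    return lookup_safe(conn, username)

if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "o'brien"))
    try:
        lookup_unsafe(db, "o'brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe broke the query: a syntax error is the visible
        # symptom of the same flaw that lets crafted input rewrite the WHERE
        # clause instead of merely crashing it.
        print("unsafe lookup failed:", exc)
```

A login or search form that errors on an ordinary apostrophe is a strong signal that input is being concatenated into SQL, and is worth checking in code review before an attacker finds it.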
In addition, the SQLI Detection iteration of the Cloudmersive Security API can be implemented to check user-facing text input strings for SQLI attacks. This API identifies SQLI attacks and returns a Boolean (“ContainedSqlInjectionAttack”) indicating if an attack was identified from text input. The API response also contains the original input string, making it easy to remove/delete threats before they can impact the underlying database.
For more information on how the Cloudmersive Security API can protect your websites/web applications against SQL injection attacks, please do not hesitate to reach out to a member of our sales team.