SQL Injection: How to Detect and Prevent Them in 2022

Jaime E. Love

How to Detect and Prevent Them in 2022


SQL injection is a form of attack on your database that allows the attacker to
access, modify, or delete data without authorization. In severe cases, the
attack is escalated to reach servers to harm the underlying structure or
initiate a DDoS attack.

SQL injections are typically executed from the front-end or the publicly
visible face of a website or application. In general, the attacker finds
vulnerabilities in a web application to input SQL queries in a public forum on
the web page and initiate the attack.

Types of SQL Injection

Depending on the vulnerability, three different types of SQL injections are
executed to access sensitive data:

1. In-Band SQL Injection

The simplest form of in-band SQL injection involves the attacker getting a
direct response from the database as an output of a modified query. Assume
that a vulnerability exists in the form of a query that returns the personal
data of specific users. The attacker upon finding the vulnerability can modify
the input to insert a
wildcard character
to generate data of every individual available on the database.

A subset of in-bank SQL injection is an error-based SQL injection that lets
the attacker know the structure of the database to initiate more suitable

2. Inferential SQL Injection

Inferential SQL injection is a blind SQL injection that doesn’t return the
data to the attacker in a tabular form. The attacker is forced to ask the
database yes-no questions (Boolean) to understand the nature of the data
available. This kind of attack is quite challenging to execute because of the
computation power and time required, but not impossible.

Relevant Reading

3 ways to keep your Tech business safe 

The typical usage of blind SQL injection is password extraction. The attacker
keeps asking the database TRUE FALSE questions to formulate the password
string for a particular username.

 3. Out-of-Band SQL Injection

Out-of-band SQL injections attacks are executed though outbound channels like
DNS and HTTP protocols. The attacker might execute file operation functions (master..xp_dirtree,
load_file()), or connection functions (UTL_HTTP.request, DBMS_LDAP.INIT) to
get access to the database.

A listening server controlled by the attacker sits idly while the malicious
SQL commands are executed. The attacker, upon getting access, processes common
information for the listening server to gather the data.

How to Detect and Prevent SQL Injection Attacks

Detecting a SQL injection is not very difficult as the attacks are often
executed by the means of trial and error and take a long time to initiate.

1. Routine Database Audits

SQL database audits are systematic and strategic tracking and logging of
specific events. Auditing databases include recording information about user
actions and system anomalies by the means of automation or manual
intervention. Routine database audits may expose:

  • Common object access attempts like login and database management attempts.
  • Personal data modification attempts.
  • Database object unauthorized access attempts.
  • Administrative access attempts.

The system logs are analyzed for anomalies in queries that can potentially be
SQL injections. Most organizations use automation techniques to detect and
prevent SQL injection through tracking system logs.

2. Error Detection

Blind SQL injection depends on the error report generated by the system.
Showing a generic error report may be the solution to prevent blind SQL
injection, but due to operational limitations, that often isn’t implemented.
But the error reports can be tracked and analyzed by using
residential proxies
that can prevent inferential (blind) attacks to some extent.

Suggested Reading

5 Ways to Protect Your Business Data

The proxies forward the queries through different servers before they reach
the SQL server. Thus, any malicious intent can be caught and neutralized in
this way through automation.

3. Common HTML Tag Tracking

Most commonly known as
cross-site scripting
(XSS) attack, a SQL injection inserts multiple common HTML tags like iFrame
into a page’s content and forces the visitors of the website to download
malicious software.

Although the process can be outgiving, detection and prevention of malicious
HTML tags aren’t very difficult as they are quite visible in the source code
of the application or website.   

4. Unexpected Database Behavior

At the initial stage, the attacker checks for vulnerabilities by giving random
unexpected inputs to see how the database behaves. As this is the initial
stage, the system can block out the attacker or can try to verify their
authenticity before any harm is done.

5. Setting Up Extended Event Session

Extended Events
is a monitoring system designed to enable users to collect data and
troubleshoot issues in SQL servers. This allows the cybersecurity teams to
collect information about the system and events from SQL servers for analysis.
Data analysis is much easier with Extended Events as they are extracted from a
single source, which was not the case for SQL Server Profiling and Tracing
tool. In addition to better data analysis, the Extended Events tool also
offers a GUI for ease of usage.  

6. Simulating Attacks

The best approach to detect SQL vulnerabilities is simulating potential
attacks. This is also known as pentesting. The pentester makes use of
different pentesting tools and their experience to simulate known or specially
designed attacks to expose vulnerabilities in the SQL server. Which then can
be mitigated.

7. Input Validation

Pre-validating inputs are a solid method to prevent SQL injection. The system
checks the inputs before forwarding them to the servers to verify whether the
queries are allowed to be inputted by a user. The input validation technique
filters out queries that are designed in a specific way to breach the SQL

8. Pre-Compiling Queries

Parameterized queries
are the practice of pre-compiling queries to stop supplying the parameters
that may be hazardous for the system. Pre-compilation allows the database to
recognize the code from input data and allow only the statements that are to
be executed.

The user inputs are quoted through pre-compilation and are prevented from
causing the intended damage.

9. Character-Escaping Functions

Character-escaping functions
like mysql_real_escape_string() can be used to prevent users from inputting
developer codes to the forms. By using the functions, the database management
system can distinguish between an average user and a developer. Previously
appending a simple escape character like ‘\’ would allow the attacker to
initiate SQL queries. But due to simple character-escaping functions, the
risks have been mitigated.  

10. Avoiding Administrative Access

Even if the database is accessed, as long as it’s not connected to an account
with admin privileges, the attackers can’t escalate the attack easily in the
event of SQL injection. Avoid accessing the database with administrative
credentials and try to use different databases for different applications.

11. Using a Web Application Firewall

web application firewall
(WAS) sits between the web servers and the users to identify suspicious
requests from the network traffic. WAF works through pre-defined rules and can
be bypassed by the developers with appropriate credentials to access the
database in case any event calls for it.

The Bottom Line

To detect and prevent SQL injection in 2022, routinely audit your database,
keep track of common HTML tags in your website, and be hostile towards
unexpected database behaviors. Setting up Extended Event sessions, and error
detection techniques can help you keep an eye out for attacks. Consider
altering your codes to implement input validation and pre-compilation of
queries to stay ahead of the game.

Source link

Next Post

Tesla developing in-house supercomputer technology, according to lawsuit against ex-engineer

Tesla Inc. sued a former engineer claiming he illegally transferred confidential information on its supercomputer technology to his own computer and turned over a “dummy” laptop for inspection to cover up the theft. Tesla is developing an in-house supercomputer, dubbed Project Dojo, to deal with massive amounts of data, including […]
Tesla developing in-house supercomputer technology, according to lawsuit against ex-engineer