What are SQL Injections and how can you protect yourself?

Author: HOSTTEST Editorial   | 17 Sept 2021

Combatting SQL Injections EffectivelySince 2017, the number of cyber attacks worldwide has dramatically increased - just from 2019 to 2020, the Internet Crime Complaint Center of the US FBI recorded a rise from around 465,000 to almost 800,000 per year. An older yet well-known, still widely spread, and often successful attack pattern is the so-called SQL Injections. Despite being well-known and one of the most common threats, criminal hackers still use them for various purposes such as Distributed Denial of Service (DDoS Attacks), extortion, data theft, fraud, or infiltrating foreign IT infrastructure.

Contents:

What is SQL and what significance does it have for a web server?
How do SQL Injections work?
What attacks can be carried out through SQL Injections?
What do SQL Injections look like in practice?
How can SQL Injections be prevented on a server?

What is SQL and what significance does it have for a web server?

To understand how SQL Injections work, it is necessary to have a basic knowledge of databases, their structure, and the functioning of a web server. Behind the term SQL lies an abbreviation for Structured Query Language (SQL), a technical language used to create, read, manipulate, and delete information in a database. It defines special commands and syntax with which these are arranged and supplemented with additional parameters such as data.

For dynamic websites, the database contains all temporary information such as texts or links and additionally critical system contents - for example, usernames and passwords. The PHP interpreter handles the retrieval based on instructions in numerous scripts and access rights like authentication via log-ins for specific databases. For this task, it needs to communicate with external programs such as the database and web server and access them system-wide. With proper software security, for example, the PHP Framework Symfony and PHP code, these requirements pose no problem - but they can also be exploited.

How do SQL Injections work?

The principle of SQL Injections involves injecting additional commands through a public interface such as a page request or direct access to a database server, retrieving information that is not supposed to be accessible, or even enabling the direct execution of code. The cause of this is usually a programming error that fails to sufficiently isolate parameters from commands, allowing dangerous functions or commands to be "injected" into the database server. Such vulnerabilities are often hidden within the several thousands of lines of source code of a Content Management System (CMS) or occasionally in the operation of the PHP interpreter or database server.

Since the cause of SQL Injections lies within the source code itself, even in a secure system, new security vulnerabilities can constantly infiltrate. Today, the highest risk comes from old or poorly programmed plug-ins, often created by individual and sometimes inexperienced programmers, as developers of popular CMS platforms have now taken extensive measures against such vulnerabilities. Additionally problematic are extensions that are not actively maintained due to time constraints or lack of interest, and therefore do not receive regular updates following the discovery of new security vulnerabilities.

What attacks can be carried out through SQL Injections?

The possibilities of SQL Injections are diverse, as the web server, PHP interpreter, and database server are system processes with corresponding global access rights. Furthermore, the database server manages all critical content including the website and sensitive data such as logins, passwords, and personal information. The risks posed by such an attack are significant and encompass numerous critical scenarios:

  • Obtaining sensitive information
  • Altering website content (Defacing)
  • Infiltrating a server and expanding individual access rights
  • DDoS attacks to disrupt a productive system
  • Blackmail through stolen data or introducing ransomware
  • Creating backdoors for future system intrusion
  • Abusing resources such as computing power
  • Injecting malware, trojans, or fake emails

Your versatility and wide distribution are two of the crucial reasons why many cybercriminals have preferred using SQL Injections to attack a server for over a decade. Professional groups almost exclusively target a specific goal, while many individual hackers or purely profit-oriented gangs arbitrarily seek potential victims by scanning large parts of the internet for existing security vulnerabilities and exploiting them upon discovery.

What do SQL Injections look like in practice?

To be able to execute unauthorized functions and queries, a criminal hacker modifies the automatically generated URL and passes parameters that trigger undesired behaviour. For example, it is possible to append an additional action to a legitimate request - such as a search - by using the semicolon delimiter in SQL between two commands. In the simplest case, it is enough to manually append another text segment to an address like

https://example.com/search?query=abc

to, for example, change the password or access rights for a specific user including the administrator.

Another approach involves falsifying a request so that a specific condition is always true. In the past, a poorly programmed login could be bypassed by a malicious hacker simply by completing the previous parameter with a username or password and inserting an additional condition. As it is a logical OR operation, a database server always interprets the result as true and consequently returns a success.

A third method involves adding a legitimate query with an additional one that accesses confidential and protected data. This was achieved through the UNION extension, which allows multiple outputs from different tables to be linked. This creates the opportunity to obtain hidden information including lists of emails, usernames, or passwords and other sensitive details such as the database structure.

The most severe form of SQL Injections even allows direct code execution or access to the file system. For example, it is possible to overwrite a commonly used standard program with malicious code or a version infected with a Trojan, in order to gain full access to the entire system.

Not least, SQL Injections can also be used for DDoS Attacks by flooding the database server with computationally intensive tasks to consume all resources on a virtual or dedicated server. An easy way to do this is by executing multiple, concurrently running benchmarks or calculating cryptographic algorithms that generate a high computational load. This can result in blocking normal requests and the web server responding to incoming connections with error messages such as HTTP Error 500 Internal Server Error or Status Code 504 Gateway Timeout.

How to prevent SQL Injections on a server?

The basis of SQL Injections, like similar security vulnerabilities - such as a variable buffer overflow - lies in a programming error. Professional development teams now have a high awareness of these two dangers, which is why they continuously check the source code for these vulnerabilities. Therefore, the safest protection against SQL Injections involves some simple measures that should be considered and implemented on all servers connected to the internet:

  • Regular updating of software such as CMS and system programs
  • Avoidance of plugins, templates, and other extensions from unofficial sources
  • Automatic monitoring of logs for unusual activities
  • Simple and minimal systems to avoid potential vulnerabilities
  • Strict assignment of rights for file system access
  • Use of specific users instead of Root for database and web server

However, the key factor for maximum security against SQL Injections lies at the level of the software being used, especially the routines used in the PHP scripts. If these are not adequately protected against this type of attack, no alternative measures will be effective. These can only limit the damage or detect attacks that have occurred early to be able to respond promptly.

Photo: TheDigitalWay on Pixabay

Write a comment


More web hosts


More interesting articles

The best tips for secure passwords

In order to protect your own data on the internet, it is essential to create a secure password. Here you will find the b...

Check MySQL Version - it's that easy

Also, the MySQL version should not be outdated. We show you how you can view it.