SQL Injection: How to Detect and Prevent Them in 2022

Introduction

SQL injection is a form of attack on your database that allows the attacker to access, modify, or delete data without authorization. In severe cases, the attack is escalated to reach servers to harm the underlying structure or initiate a DDoS attack.

SQL injections are typically executed from the front-end or the publicly visible face of a website or application. In general, the attacker finds vulnerabilities in a web application to input SQL queries in a public forum on the web page and initiate the attack.

Types of SQL Injection

Depending on the vulnerability, three different types of SQL injections are executed to access sensitive data:

1. In-Band SQL Injection

The simplest form of in-band SQL injection involves the attacker getting a direct response from the database as an output of a modified query. Assume that a vulnerability exists in the form of a query that returns the personal data of specific users. The attacker upon finding the vulnerability can modify the input to insert a wildcard character to generate data of every individual available on the database.

A subset of in-bank SQL injection is an error-based SQL injection that lets the attacker know the structure of the database to initiate more suitable attacks.

2. Inferential SQL Injection

Inferential SQL injection is a blind SQL injection that doesn’t return the data to the attacker in a tabular form. The attacker is forced to ask the database yes-no questions (Boolean) to understand the nature of the data available. This kind of attack is quite challenging to execute because of the computation power and time required, but not impossible.

Relevant Reading

3 ways to keep your Tech business safe 

The typical usage of blind SQL injection is password extraction. The attacker keeps asking the database TRUE FALSE questions to formulate the password string for a particular username.

 3. Out-of-Band SQL Injection

Out-of-band SQL injections attacks are executed though outbound channels like DNS and HTTP protocols. The attacker might execute file operation functions (master..xp_dirtree, load_file()), or connection functions (UTL_HTTP.request, DBMS_LDAP.INIT) to get access to the database.

A listening server controlled by the attacker sits idly while the malicious SQL commands are executed. The attacker, upon getting access, processes common information for the listening server to gather the data.

How to Detect and Prevent SQL Injection Attacks

Detecting a SQL injection is not very difficult as the attacks are often executed by the means of trial and error and take a long time to initiate.

1. Routine Database Audits

SQL database audits are systematic and strategic tracking and logging of specific events. Auditing databases include recording information about user actions and system anomalies by the means of automation or manual intervention. Routine database audits may expose:

• Common object access attempts like login and database management attempts.
• Personal data modification attempts.
• Database object unauthorized access attempts.
• Administrative access attempts.
  

The system logs are analyzed for anomalies in queries that can potentially be SQL injections. Most organizations use automation techniques to detect and prevent SQL injection through tracking system logs.

2. Error Detection

Blind SQL injection depends on the error report generated by the system. Showing a generic error report may be the solution to prevent blind SQL injection, but due to operational limitations, that often isn’t implemented. But the error reports can be tracked and analyzed by using residential proxies that can prevent inferential (blind) attacks to some extent.

Suggested Reading

5 Ways to Protect Your Business Data

The proxies forward the queries through different servers before they reach the SQL server. Thus, any malicious intent can be caught and neutralized in this way through automation.

3. Common HTML Tag Tracking

Most commonly known as cross-site scripting (XSS) attack, a SQL injection inserts multiple common HTML tags like iFrame into a page’s content and forces the visitors of the website to download malicious software.

Although the process can be outgiving, detection and prevention of malicious HTML tags aren’t very difficult as they are quite visible in the source code of the application or website.   

4. Unexpected Database Behavior

At the initial stage, the attacker checks for vulnerabilities by giving random unexpected inputs to see how the database behaves. As this is the initial stage, the system can block out the attacker or can try to verify their authenticity before any harm is done.

5. Setting Up Extended Event Session

Extended Events is a monitoring system designed to enable users to collect data and troubleshoot issues in SQL servers. This allows the cybersecurity teams to collect information about the system and events from SQL servers for analysis. Data analysis is much easier with Extended Events as they are extracted from a single source, which was not the case for SQL Server Profiling and Tracing tool. In addition to better data analysis, the Extended Events tool also offers a GUI for ease of usage.  

6. Simulating Attacks

The best approach to detect SQL vulnerabilities is simulating potential attacks. This is also known as pentesting. The pentester makes use of different pentesting tools and their experience to simulate known or specially designed attacks to expose vulnerabilities in the SQL server. Which then can be mitigated.

7. Input Validation

Pre-validating inputs are a solid method to prevent SQL injection. The system checks the inputs before forwarding them to the servers to verify whether the queries are allowed to be inputted by a user. The input validation technique filters out queries that are designed in a specific way to breach the SQL server.  

8. Pre-Compiling Queries

Parameterized queries are the practice of pre-compiling queries to stop supplying the parameters that may be hazardous for the system. Pre-compilation allows the database to recognize the code from input data and allow only the statements that are to be executed.

The user inputs are quoted through pre-compilation and are prevented from causing the intended damage.

9. Character-Escaping Functions

Character-escaping functions like mysql_real_escape_string() can be used to prevent users from inputting developer codes to the forms. By using the functions, the database management system can distinguish between an average user and a developer. Previously appending a simple escape character like ‘\’ would allow the attacker to initiate SQL queries. But due to simple character-escaping functions, the risks have been mitigated.  

10. Avoiding Administrative Access

Even if the database is accessed, as long as it’s not connected to an account with admin privileges, the attackers can’t escalate the attack easily in the event of SQL injection. Avoid accessing the database with administrative credentials and try to use different databases for different applications.  

11. Using a Web Application Firewall

A web application firewall (WAS) sits between the web servers and the users to identify suspicious requests from the network traffic. WAF works through pre-defined rules and can be bypassed by the developers with appropriate credentials to access the database in case any event calls for it.

The Bottom Line

To detect and prevent SQL injection in 2022, routinely audit your database, keep track of common HTML tags in your website, and be hostile towards unexpected database behaviors. Setting up Extended Event sessions, and error detection techniques can help you keep an eye out for attacks. Consider altering your codes to implement input validation and pre-compilation of queries to stay ahead of the game.