What is SQL Injection?

An overview of what SQL Injection is, understand the attack, and the potential risk to your organisation.

What is SQL Injection?

SQL injection is a web application vulnerability that allows an attacker to insert SQL syntax as user supplied input into a web application, resulting in the supplied input being processed as SQL commands by the backend SQL database. Successful exploitation of a SQL vulnerability, could allow an attacker to modify SQL statements.

How Does SQL Injection Work?

SQL Injection (SQLi) occurs when an application does not have the correct controls in place to prevent an attacker from inserting (injecting) parts of their own SQL statement, an action which typically causes an error, or other unintended behaviour. This indicates to the attacker that they may have been able to manipulate the backend SQL database. After the initial proof of concept, the attacker would typically begin to craft more advanced SQL statements to exploit the vulnerability.

Concerned about SQL Injection? Have your web application assessed for SQL Injection using our website security audit assessment service.

Risks: Why is the SQL injection Attacks Dangerous?

Successful exploitation of a SQL injection vulnerability could lead to complete exfiltration of user date (database dumping), full server compromise and/or a foothold for an attacker to gain access into the network and perform a lateral movement (advance through the network).

Different Types of SQL Injection Attacks:

The same concept applies to all SQL injection attacks, but the method of confirming the vulnerability differs depending on the environment, below are the common SQLi attacks found in modern web applications:

  • Blind SQLi Attack
  • Error Based SQLi Attack
  • Time Based SQLi Attack
  • UNION Select SQLi Attack
  • Out-of-Band (OOB) SQLi Attack

Learn More: What is OS Command Injection?

What is Error Based SQL Injection?

Error Based SQL Injection occurs when an attacker provides SQL special characters as input to a web application. The characters are entered in an attempt to break the SQL statement, if successful this action could, potentially cause the application to reflect an error within the response.

Learn More: What is VAPT?

What is Blind SQL Injection?

Blind SQL Injection occurs when injected input is processed by the backend database to perform an action that has no initial output (such as an error message) via the web front end. If the action is successfully completed, this indicates to the attacker that they are able to enter input into the web application and the backend database is processing the input as SQL commands, confirming the target web application is vulnerable to SQL injection.

Examples of Blind SQL Injection:

  • Modifying or adding user data (such as adding a user or changing a users password)
  • Performing time-based SQL injection
  • Performing OOB SQL Injection

Learn More: What is Pentesting?

What is Time Based SQL Injection?

Time based SQL injection is similar to blind SQL injection, a timed based SQL payload is used to verify the existence of the vulnerability. The attacker would enter a payload the that would take X number of seconds to process and monitor the time it takes for the application to respond to the injected payload, if the delay matches the attack process is then typically completed again with a different delay time to confirm the injected input is being processed by the backend database. This attack is also commonly called time based blind SQL injection.

What is a UNION Select SQL Injection Attack?

A Union Select SQLi attack uses the UNION statement to exfiltrate data stored within the database, aka. dumping the database, this is also referred to as a SQL injection UNION attack.

What is Out-of-Band (OOB) SQL Injection?

Out-of-Band SQL injection (OOB SQLi) is fairly similar to time based and blind based SQL injection but uses an Out-of-Band method to verify that it is possible pass commands to the backend database. For example, a HTTP request, or a DNS lookup to an external attacker-controlled server could verify the existence of SQL injection.