University of Petra
SQL Injection
By
Ahmed Nistas (202010092)
To
Prof. Sami Al Smadi
Second semester 2022-2023
Introduction
SQL Injection is a type of web application vulnerability that occurs when an attacker is able to
inject malicious SQL statements into an application's database query. It is considered one of the
most common and critical security vulnerabilities in web applications. Successful exploitation of
SQL Injection can lead to unauthorized access, data loss, data manipulation, and even complete
compromise of the application or database.
This documentation aims to provide an in-depth understanding of SQL Injection, including its
definition, working mechanism, types of attacks, impact, prevention techniques, testing
methods, and real-world examples.
What is SQL Injection?
SQL Injection is a technique used by attackers to exploit vulnerabilities in a web application's
database layer. It occurs when user-supplied input is not properly validated or sanitized and is
directly included in SQL queries executed by the application.
By injecting specially crafted SQL statements, attackers can manipulate the intended behavior
of the application's database queries. This can result in the execution of unauthorized actions,
such as retrieving sensitive data, modifying database content, or even executing arbitrary
commands on the underlying database server.
How Does SQL Injection Work?
SQL Injection attacks generally occur when a web application fails to properly validate or
sanitize user-supplied input that is incorporated into SQL queries. Attackers exploit this
vulnerability by inserting malicious SQL statements or fragments into the input fields or
parameters expected by the application.
Commonly used SQL Injection techniques include:
Union-based SQL Injection: Exploits the UNION operator in SQL queries to combine additional
malicious data with the original query result. This technique allows attackers to extract data
from other tables or databases.
Boolean-based SQL Injection: Relies on Boolean logic to infer information about the database.
Attackers use conditional statements to evaluate whether certain conditions are true or false,
allowing them to extract data or perform unauthorized actions.
Time-based SQL Injection: Exploits time delays in database responses to infer information.
Attackers use time-based queries that introduce delays, enabling them to infer the validity of
specific conditions or retrieve data progressively.
Error-based SQL Injection: Exploits error messages generated by the database to extract
information. Attackers deliberately trigger errors by injecting malformed SQL statements, and
the resulting error messages can reveal details about the database structure.
Blind SQL Injection: Utilizes conditional queries to infer information without directly retrieving
data. Attackers construct queries that yield true or false responses based on specific conditions,
allowing them to gather information indirectly.
Types of SQL Injection Attacks
Union-based SQL Injection
Union-based SQL Injection involves injecting additional SQL statements using the UNION
operator in a query. This technique allows attackers to combine their own crafted query with
the original query and retrieve data from other tables.
Boolean-based SQL Injection
Boolean-based SQL Injection relies on the use of Boolean logic in SQL queries. Attackers
construct queries that evaluate conditions to true or false, using the application's response to
infer information about the database.
Time-based SQL Injection
Time-based SQL Injection relies on introducing time delays in SQL queries to infer information.
Attackers use conditional queries that introduce delays, allowing them to determine the validity
of specific conditions or retrieve data progressively.
Error-based SQL Injection
Error-based SQL Injection exploits error messages generated by the database to extract
information. Attackers inject malformed SQL statements that trigger errors, and the resulting
error messages can provide details about the database structure or data.
Blind SQL Injection
Blind SQL Injection occurs when the application does not display database error messages or
any visible response to the attacker. Instead, the attacker needs to infer information based on
conditional queries.
Impact of SQL Injection
The impact of a successful SQL Injection attack can be severe, including:
Unauthorized data access: Attackers can retrieve sensitive data, such as user credentials,
personal information, or financial records. This can lead to identity theft, data breaches, or
financial fraud.
Data manipulation: Attackers can modify or delete data within the database, leading to data
corruption, loss, or unauthorized changes. This can have significant consequences for data
integrity and application functionality.
Authentication bypass: Attackers can bypass authentication mechanisms, gaining unauthorized
access to user accounts or administrative privileges. This can result in unauthorized control over
the application and its resources.
Remote command execution: In some cases, attackers can execute arbitrary commands on the
database server, potentially compromising the entire system. This can lead to full server
compromise, data exfiltration, or further exploitation.
Application and server compromise: SQL Injection can serve as an entry point for further
attacks, allowing attackers to gain control over the web application or the underlying server.
This can result in the installation of backdoors, defacement of the application, or complete
system compromise.
Preventing SQL Injection
Preventing SQL Injection requires a combination of secure coding practices and defensive
measures. Here are some best practices to mitigate SQL Injection vulnerabilities:
Input Validation and Sanitization
Implement strict input validation and sanitization mechanisms to ensure that user-supplied
data is in the expected format and does not contain malicious characters or SQL code. Use
input validation techniques such as white-listing, black-listing, and regular expressions to
ensure only expected data is accepted. Validate input on both the client and server side.
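The following is an added example written for this section; it is not code from the report. It shows allow-list validation, which is the safer of the approaches named above (a black-list of "bad" characters is easy to get wrong), for three inputs that commonly reach a query: a numeric id, a username, and an ORDER BY column name. The last case matters because identifiers cannot be passed as bound parameters, so an allow-list map is the correct tool there. The patterns, the column list and the function names are assumptions chosen for illustration; validation is a complement to parameterized queries, not a replacement for them.

```python
import re

# Added example (not from the report): allow-list validation for inputs that
# reach a SQL query. Patterns, column names and function names are assumptions.

# re.fullmatch is used instead of match() with "$": "$" also matches before a
# trailing newline, so "42\n" would slip through an anchored match().
USER_ID_PATTERN = re.compile(r"[0-9]{1,10}")
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{3,32}")

# Identifiers (e.g. the column in ORDER BY) cannot be bound as parameters, so a
# requested sort key is mapped through a fixed table rather than echoed back.
SORTABLE_COLUMNS = {"id": "id", "name": "name", "email": "email"}


def validate_user_id(raw: str) -> int:
    """Accept only a short string of digits and return it as an int."""
    if not isinstance(raw, str) or not USER_ID_PATTERN.fullmatch(raw):
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)


def validate_username(raw: str) -> str:
    """Accept only the characters a username is allowed to contain."""
    if not isinstance(raw, str) or not USERNAME_PATTERN.fullmatch(raw):
        raise ValueError(f"invalid username: {raw!r}")
    return raw


def resolve_sort_column(raw: str) -> str:
    """Map a requested sort key onto a known column; anything else is rejected."""
    try:
        return SORTABLE_COLUMNS[raw]
    except KeyError:
        raise ValueError(f"unsupported sort column: {raw!r}") from None


def is_accepted(validator, raw: str) -> bool:
    """True when the validator accepts the value, False when it rejects it."""
    try:
        validator(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: benign values next to the union payload quoted
    # in the report's Example 1 and a column name that is not sortable.
    samples = [
        "42",
        "1' UNION SELECT password_hash, '', '' FROM users --",
        "alice",
        "password_hash",
    ]
    for s in samples:
        print(f"{s!r}: id={is_accepted(validate_user_id, s)} "
              f"name={is_accepted(validate_username, s)} "
              f"sort={is_accepted(resolve_sort_column, s)}")
```

The validators raise on rejection rather than returning a cleaned-up value, so the caller cannot accidentally use partially "sanitized" input; the validated value that is returned is then still passed to the database as a bound parameter.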
Parameterized Queries or Prepared Statements
Use parameterized queries or prepared statements with placeholder parameters instead of
concatenating user input directly into SQL statements. Parameterized queries separate data
from the query structure, preventing SQL Injection. The database engine interprets the
parameters separately, avoiding the need for explicit sanitization.
Stored Procedures
Utilize stored procedures or prepared statements with predefined SQL logic to handle database
interactions. By calling these procedures with input parameters, you can reduce the risk of SQL
Injection. Stored procedures encapsulate database operations and separate them from the
application code, providing an additional layer of security.
Least Privilege Principle
Ensure that database accounts used by the application have the least privilege necessary to
perform their intended tasks. Restricting permissions can limit the potential impact of a
successful SQL Injection attack. Use dedicated database accounts for different application
components and grant them the minimum required privileges.
Web Application Firewall (WAF)
Deploy a Web Application Firewall (WAF) to provide an additional layer of defense against SQL
Injection attacks. A WAF can detect and block suspicious SQL injection attempts, helping to
mitigate the risk. WAFs can employ various techniques such as signature-based detection,
behavior-based analysis, and machine learning algorithms to identify and prevent SQL Injection
attacks.
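The following is an added example, not part of the report and not the code of any WAF product. It shows the signature-based technique mentioned above in its simplest form: decode each request parameter from an access log line and match it against a handful of regular expressions that cover the three inputs quoted in the report's examples. The log format, the signature names and every log line are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example (not from the report): signature matching of the kind a WAF
# applies to decoded request parameters, run over constructed access-log
# lines. Signature names, the log format and all values are assumptions.

SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "quote-or": re.compile(r"'\s*or\b", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment-terminator": re.compile(r"--(\s|$)|/\*"),
}

# Combined-log-format request line: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed log lines: a benign lookup, the three inputs quoted in the
# report's examples (URL-encoded as a browser would send them), and a benign
# search phrase that happens to contain the words "union" and "select".
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2023:10:00:01 +0000] "GET /user?id=42 HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/May/2023:10:00:02 +0000] "GET /user?id=1%27+UNION+SELECT+password_hash%2C+%27%27%2C+%27%27+FROM+users+-- HTTP/1.1" 200 2048',
    '192.0.2.10 - - [12/May/2023:10:00:03 +0000] "GET /user?id=%27+OR+%28SELECT+COUNT%28%2A%29+FROM+users%29+%3E+0+-- HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/May/2023:10:00:04 +0000] "GET /user?id=%27+OR+SLEEP%285%29+-- HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/May/2023:10:00:05 +0000] "GET /search?q=the+union+of+select+committees HTTP/1.1" 200 1024',
]


def check_value(value: str) -> list:
    """Names of every signature that matches one decoded parameter value."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(value))


def scan_request_log(lines) -> list:
    """Return (line_number, parameter, matched_signatures) for each flagged parameter."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line; a real WAF also inspects headers and bodies
        query = urlsplit(match.group("target")).query
        # parse_qsl undoes the percent- and plus-encoding, so signatures are
        # applied to the same text the database would have received.
        for param, value in parse_qsl(query, keep_blank_values=True):
            matched = check_value(value)
            if matched:
                hits.append((number, param, matched))
    return hits


if __name__ == "__main__":
    for number, param, matched in scan_request_log(SAMPLE_LOG):
        print(f"line {number}: parameter {param!r} matched {', '.join(matched)}")
```

The fifth log line is flagged on purpose: it is an ordinary search phrase, and it shows why signature matching is a supporting control with false positives (and, with different encodings or keywords, false negatives) rather than a substitute for parameterized queries in the application itself.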
Testing for SQL Injection
Testing for SQL Injection vulnerabilities is crucial to identify and remediate any weaknesses in
the application. It can be performed both manually and with the help of automated tools. Here
are some testing approaches:
Manual Testing
Test the application by manually injecting malicious SQL statements into input fields and
parameters to observe the behavior of the application. Look for error messages, unusual
responses, or unintended results. Test different scenarios and input variations to cover a wide
range of potential vulnerabilities.
Automated Testing
Utilize specialized security testing tools to scan the application for common SQL Injection
vulnerabilities. These tools can automatically inject malicious SQL statements and analyze the
responses for potential vulnerabilities. They can also provide reports and recommendations for
fixing the identified issues.
Static Code Analysis
Perform static code analysis using specialized tools that analyze the source code for potential
SQL Injection vulnerabilities. These tools can identify unsafe coding practices and provide
suggestions for secure coding techniques. Static code analysis helps catch SQL Injection
vulnerabilities early in the development lifecycle.
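The following is an added example, not code from the report or from any analysis product. It implements the core of the static check described above for Python code: parse the source with the standard ast module and flag every execute() call whose SQL text is assembled at runtime by concatenation, an f-string, % formatting or .format(), including the case where the assembled string is first stored in a variable. The rule set and the sample source are constructed; real analyzers add data-flow tracking across functions and modules.

```python
import ast

# Added example (not from the report): a small static check, built on
# Python's ast module, that flags execute() calls whose SQL text is
# assembled at runtime. The rule set and the sample source are constructed.

SQL_METHODS = {"execute", "executemany", "executescript"}


def _dynamic_reason(node):
    """Describe how an expression builds a string at runtime, or return None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() call"
    return None


def _single_name_assignments(tree):
    """Map variable name -> assigned expression (module-wide simplification)."""
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
    return assigned


def find_dynamic_sql(source: str) -> list:
    """Sorted (line, reason) pairs for SQL calls whose first argument is built dynamically."""
    tree = ast.parse(source)
    assigned = _single_name_assignments(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        if not (isinstance(node.func, ast.Attribute) and node.func.attr in SQL_METHODS):
            continue
        arg = node.args[0]
        reason = _dynamic_reason(arg)
        # Follow one level of indirection: execute(query) where query was built above.
        if reason is None and isinstance(arg, ast.Name) and arg.id in assigned:
            inner = _dynamic_reason(assigned[arg.id])
            if inner is not None:
                reason = f"{inner} via variable {arg.id!r}"
        if reason is not None:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample source: three unsafe variants of the report's query and
# one parameterized variant that the checker must leave alone.
SAMPLE_SOURCE = '''\
import sqlite3

def find_user_concat(conn, user_input):
    cur = conn.cursor()
    cur.execute("SELECT id, name, email FROM users WHERE id = '" + user_input + "'")
    return cur.fetchall()

def find_user_fstring(conn, user_input):
    cur = conn.cursor()
    cur.execute(f"SELECT name FROM users WHERE id = '{user_input}'")
    return cur.fetchall()

def find_user_assigned(conn, user_input):
    query = "SELECT name FROM users WHERE id = '%s'" % user_input
    return conn.execute(query).fetchall()

def find_user_safe(conn, user_input):
    cur = conn.cursor()
    cur.execute("SELECT id, name, email FROM users WHERE id = ?", (user_input,))
    return cur.fetchall()
'''


if __name__ == "__main__":
    for line, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: SQL built by {reason}")
```

The check is deliberately syntactic: it reports how a query string was built, not whether the pieces were user-controlled, so a query concatenated from constants is also reported. That trade-off (more noise, no missed concatenations) is the usual choice for a rule that runs in a CI pipeline, where each finding is reviewed once and then fixed or suppressed.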
SQL Injection Examples
Example 1: Union-based SQL Injection
Consider the following vulnerable query:
SELECT id, name, email FROM users WHERE id = '<user_input>'
An attacker can exploit this vulnerability by injecting the following input:
1' UNION SELECT password_hash, '', '' FROM users --
This would modify the query to:
SELECT id, name, email FROM users WHERE id = '1' UNION SELECT password_hash, '', '' FROM users --'
The attacker would receive the hashed passwords of all users in the result set.
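The following is an added example, not code from the report. It serves both this example and the Parameterized Queries section above: the query from Example 1 is run against an in-memory SQLite database, first with the input spliced into the SQL text (the pattern the example describes) and then with the input passed as a bound parameter. The table, its rows and the placeholder hash values are constructed; the table and column names follow the example.

```python
import sqlite3

# Added example (not from the report): the report's Example 1 run against an
# in-memory SQLite database, once through string concatenation and once
# through a bound parameter. Table contents and hash values are constructed.

UNION_PAYLOAD = "1' UNION SELECT password_hash, '', '' FROM users --"


def build_database() -> sqlite3.Connection:
    """Create the users table from the example with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "hash-of-alice-password"),  # constructed
            (2, "bob", "bob@example.com", "hash-of-bob-password"),        # constructed
        ],
    )
    return conn


def find_user_vulnerable(conn, user_input: str):
    """The pattern shown in the example: the input becomes part of the SQL text."""
    query = "SELECT id, name, email FROM users WHERE id = '" + user_input + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, user_input: str):
    """The fix: the SQL text is fixed and the input travels as a bound value."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_input,)
    ).fetchall()


def leaked_hashes(rows) -> set:
    """First-column values that are not integer ids, i.e. rows the UNION smuggled in."""
    return {row[0] for row in rows if not isinstance(row[0], int)}


if __name__ == "__main__":
    conn = build_database()
    print("vulnerable, normal input:   ", find_user_vulnerable(conn, "1"))
    print("vulnerable, union input:    ", find_user_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized, normal input:", find_user_parameterized(conn, "1"))
    print("parameterized, union input: ", find_user_parameterized(conn, UNION_PAYLOAD))
```

With the bound parameter the whole payload is compared against the id column as one value; no row has that id, so the result is empty, while the legitimate input "1" still returns alice's row. The query text never changes, which is the property that makes prepared statements effective against every injection type listed in this report, not only the union-based one.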
Example 2: Blind SQL Injection
Blind SQL Injection occurs when the application does not display database error messages or
any visible response to the attacker. Instead, the attacker needs to infer information based on
conditional queries.
Consider the following vulnerable query:
SELECT name FROM users WHERE id = '<user_input>'
An attacker can exploit this vulnerability by injecting the following input:
' OR (SELECT COUNT(*) FROM users) > 0 --
If the application responds differently when the injected condition is true, the attacker can
conclude that the database contains at least one user.
Example 3: Time-based SQL Injection
Time-based SQL Injection exploits time delays in database responses to infer information.
Attackers use conditional queries that introduce delays, allowing them to determine the validity
of specific conditions or retrieve data progressively.
Consider the following vulnerable query:
SELECT name FROM users WHERE id = '<user_input>'
An attacker can exploit this vulnerability by injecting the following input:
' OR SLEEP(5) --
If the application introduces a delay of 5 seconds in the response, the attacker can infer that the
injected condition is true.
Conclusion
SQL Injection is a critical security vulnerability that can lead to severe consequences, including
unauthorized data access, data manipulation, and application compromise. By following secure
coding practices and implementing preventive measures, such as input validation,
parameterized queries, and stored procedures, developers can significantly reduce the risk of
SQL Injection. Regular security testing, both manual and automated, is essential to identify and
address any potential vulnerabilities.
Remember to stay up to date with the latest security best practices and ensure that your web
application undergoes thorough security assessments to protect against SQL Injection and
other potential threats.