What is an SQL injection attack?
Whether you’re a small business owner who manages cyber security solo or part of a large organisation, you’ve probably heard of phishing – but what is an SQL injection attack? This lesser-known form of cyber-attack involves feeding crafted database commands into an application in order to break into its database and steal information.
SQL stands for structured query language, a computer language used to communicate with databases. SQL queries serve legitimate purposes, such as retrieving details from large data sets, but the same language can be turned into a cybercrime tool.
SQL injection attacks harness the power of SQL for malicious purposes, usually by reaching the backend database of an application or webpage to view, alter or delete information. This might include sensitive company data, valuable assets or customer details. The resulting data breach can have severe consequences.
Criminals may use stolen data to conduct identity theft, access bank accounts and to blackmail organisations.
How and why is an SQL injection attack performed?
SQL injection works by exploiting vulnerabilities in a website or computer application, usually through a data entry form. Hackers type SQL commands into fields such as login boxes, search boxes or ‘sign up’ fields. The aim is to have the database execute those commands so as to gain access to the system and reveal the data held inside.
If your website uses weak or outdated security measures, the hacker may be able to gain access by tricking the application into running the injected commands as part of its own queries. With this, cyber criminals can either steal the data or alter it in ways which are disruptive to your business. In some cases, they can infiltrate your entire network.
Possible effects of a successful SQL injection attack include duplication, modification and deletion of data sets – all of which take time and money to resolve. Sometimes, data damage may be permanent.
The motivations behind an SQL injection attack are often financial. Hackers might sell sensitive data on the dark web, or malicious groups may wish to give themselves an advantage by setting your business back.
Types of SQL injection
There are different variations of an SQL injection attack. Here are the key types to be aware of:
In-band SQL injection – This is the simplest and most common form of SQL injection attack. Hackers use error messages to gather the information they need to formulate a query. The hacker can use the same communication channel to launch the attack and gather their results.
Error-based SQL injection – This method uses error messages to obtain information about the structure of the database. It’s important to make error messages generic or they can offer hackers too much information, such as table names and content.
Blind SQL injection – When using this variation, the hacker cannot tell directly whether the web application or page is vulnerable. The application does not display any error messages, so the hacker goes in ‘blind’ and must look for other subtle clues in behaviour to identify avenues for attack. These include differences in HTTP responses, blank web pages and response time.
Out-of-band SQL injection – This method is a bit more complex and is usually adopted if the hacker can’t gain access to a database with a single query-based attack. Instead, the hacker will craft SQL statements which trigger the database system to create a connection to an external server the attacker controls. From here, they can gain access to the data.
Example of an in-band SQL injection
An in-band SQL injection, also known as a classic SQLi attack, is usually error-based, which means it uses the error messages the database returns to collect information about its structure. For example, a piece of SQL code entered into a login box can cause the database to reveal key details, such as ‘first name’, ‘surname’ or ‘password’ for each numbered user ID, all in the form of error messages.
In-band SQL injections are often successful when the hacker gains certain pieces of key information, such as the table name, number of columns and data type – so keeping these safe is a major focus in cyber security in order to prevent SQL injection attacks.
Example of a blind SQL injection
Blind SQL injection techniques are used when a hacker cannot ‘see’ vulnerabilities in the system – for instance, because error alerts are disabled – so they attempt to trigger conditional responses which enable them to piece things together.
When firing SQL queries at the system doesn’t return a visible result, hackers may look for subtle differences in the HTTP responses, for instance by injecting into a value such as a tracking cookie that the application looks up in its database. This reveals whether the query returned data, even when the data itself can’t be seen. These are known as conditional responses. Once they discover where data lies, advanced hackers use a process of elimination to decode it character by character.
How to prevent SQL injection attacks
Since the stakes are so high, you’re probably wondering how to prevent an SQL injection attack. The first step is to identify whether your business is vulnerable, and the best way to do this is by attempting to gain access yourself. You can achieve this by writing your own test queries, or by using an automated SQL injection tool to find any vulnerabilities.
Once you know how significant the threat is, work through the following steps to help prevent an SQL injection attack and stop hackers in their tracks:
- Update and patch any vulnerabilities in your databases that a hacker may be able to exploit using SQL injection – such as error message settings, for example. You may also want to consider deploying a web application firewall to filter out malicious requests.
- Use input validation for all user-submitted data. Ensure that characters with special meaning in SQL, such as the apostrophe, are never passed into the text of an SQL query as part of user data. Also, consider sanitising all data by filtering it by context. For example, email address fields should not allow any characters that do not appear in email addresses, phone numbers should only allow digits, etc.
- Limit the privileges that you assign to accounts. Don’t use an account with administrator functionality unless it is truly necessary, as this could provide access to the entire system if a hacker were to successfully carry out an SQL injection attack.
- Don’t use dynamic SQL (a technique that builds SQL statements at runtime by concatenating strings, including user input). Instead, use prepared statements, parameterised queries and stored procedures.
- Secure your application or web page accordingly by encrypting or hashing passwords and other confidential information.
- Train your team to recognise cyber-attacks and know how to respond. The Hiscox CyberClear Academy is an online interactive suite of cyber security training modules designed to raise awareness about cyber threats and data protection regulations. It’s a useful asset for training your staff.
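The following is an added example, not code from the original article or from Hiscox, contrasting the dynamic SQL the steps above warn against with a parameterised query, plus the context-based validation for email and phone fields. It uses Python’s built-in sqlite3 module and a constructed in-memory users table; the function names and sample rows are assumptions for the demonstration.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "hash-a"), (2, "o'brien", "hash-b")])
    return conn

def find_user_dynamic(conn, username):
    # Dynamic SQL: the user-supplied value is spliced into the statement text,
    # so an apostrophe changes the query's structure instead of staying data.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterised(conn, username):
    # Parameterised query: the statement is fixed and the value is bound
    # separately, so whatever the user typed is only ever compared as data.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def dynamic_query_breaks(conn, username):
    """True if the dynamic query cannot even be parsed for this input."""
    try:
        find_user_dynamic(conn, username)
        return False
    except sqlite3.OperationalError:
        return True

# Context-aware validation, as the second step above recommends: accept only
# the characters that belong in that kind of field.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")

def validate_field(kind, value):
    """Return True only if value has the expected shape for its context."""
    patterns = {"email": EMAIL_RE, "phone": PHONE_RE}
    if kind not in patterns:
        raise ValueError("unknown field kind: " + kind)
    return patterns[kind].fullmatch(value) is not None

if __name__ == "__main__":
    db = build_db()
    print(find_user_dynamic(db, "x' OR 1=1 --"))        # every row comes back
    print(find_user_parameterised(db, "x' OR 1=1 --"))  # [] : treated as a name
    print(find_user_parameterised(db, "o'brien"))       # legitimate apostrophe works
```

Note that the parameterised version also fixes a plain correctness bug: a genuine name containing an apostrophe breaks the dynamic query entirely, which is the kind of verbose error message the first step above tells you to suppress.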
At Hiscox, we know small businesses face cyber-attacks, too – and fortunately, even those without dedicated security teams can take measures to stay protected. For more information on the common types of cyber threats and how to prevent them, read our cyber FAQs.