What is an SQL injection attack?

SQL injection works by exploiting vulnerabilities in a website or computer application – usually through a data entry form. Hackers type SQL commands into fields such as login boxes, search boxes or ‘sign up’ fields. The aim is to use complex code sequences to gain access to a system and reveal the data held inside.

If your website uses weak or outdated security measures, then the hacker may be able to gain access by confusing the system. With this, cyber criminals can either steal the data or shape it in ways which are disruptive to your business. In some cases, they can infiltrate your entire network.

Possible effects of a successful SQL injection attack include duplication, modification and deletion of data sets – all of which take time and money to resolve. Sometimes, data damage may be permanent.

The motivations behind an SQL injection attack are often financial. Hackers might sell sensitive data on the dark web, or malicious groups may wish to give themselves an advantage by setting your business back.

There are different variations of an SQL injection attack. Here are the key types to be aware of:

In-band SQL injection – This is the simplest and most common form of SQL injection attack. Hackers use error messages to gather the information they need to formulate a query. The hacker can use the same communication channel to launch the attack and gather their results.

Error-based SQL injection – This method uses error messages to obtain information about the structure of the database. It’s important to make error messages generic or they can offer hackers too much information, such as table names and content.

Blind SQL injection – When using this variation, the hacker is unaware of whether the web application or page is vulnerable or not. It does not display any error messages, so the hacker goes in ‘blind’ and must look for other subtle clues in behaviour to identify avenues for attack. This includes HTTP responses, blank web pages and response time.

Out-of-band SQL injection – This method is a bit more complex and is usually adopted if the hacker can’t gain access to a database with a single query-based attack. Instead, the hacker will craft SQL statements which trigger the database system to create a connection to an external server the attacker controls. From here, they can gain access to the data.

An in-band SQL injection, also known as a classic SQLi attack, is usually error-based, which means it uses error messages the database expels to collect information about its structure. For example, a piece of SQL code entered into a login box can instruct the database to reveal key details, such as ‘first name’, ‘surname’ or ‘password’ for each numbered user ID – all in the form of error messages.

In-band SQL injections are often successful when the hacker gains certain pieces of key information, such as the table name, number of columns and data type – so keeping these safe is a major focus in cyber security in order to prevent SQL injection attacks.

Blind SQL injection techniques are used when a hacker cannot ‘see’ vulnerabilities in the system – for instance, because error alerts are disabled – so they attempt to trigger conditional responses which enable them to piece things together.

When firing SQL queries at the system doesn’t return a result, hackers may look for subtle differences in the HTTP responses produced by tracking cookies. This determines whether the query returns data – even when data can’t be seen. These are known as conditional responses. Once they discover where data lies, advanced hackers use a process of elimination to decode it character by character.

Since the stakes are so high, you’re probably wondering how to prevent an SQL injection attack. The first step is to identify if your business is vulnerable, and the best way to do this is by attempting to gain access yourself. You can achieve this by writing your own code, or by using an automated SQL injection tool to find any vulnerabilities.

Once you know how significant the threat is, work through the following steps to help prevent an SQL injection attack and stop hackers in their tracks:

1. Update and patch any vulnerabilities in your databases that a hacker may be able to exploit using SQL injection – such as error message settings, for example. You may also want to consider downloading a web application firewall to filter out malicious data.
2. Use input validation for all user-submitted data. This can be done by utilising a database management system to ensure that any dangerous characters, such as the apostrophe, are not passed to an SQL query in data. Also, consider sanitising all data by filtering it by context. For example, email address fields should not allow any characters that do not appear in email addresses, phone numbers should only allow digits, etc.
3. Limit the privileges that you assign to accounts. Don’t use an account with administrator functionality unless it is truly necessary, as this could provide access to the entire system if a hacker were to successfully carry out an SQL injection attack.
4. Don’t use dynamic SQL (a technique that enables you to build SQL statements dynamically at runtime). Instead, use prepared statements, parameterised queries and stored procedures.
5. Secure your application or web page accordingly by encrypting or hashing passwords and other confidential information.
6. Train your team to recognise cyber-attacks and know how to respond. The Hiscox CyberClear Academy is an online interactive suite of cyber security training modules designed to raise awareness about cyber threats and data protection regulations. It’s a useful asset for training your staff.

At Hiscox, we know small businesses face cyber-attacks, too – and fortunately, even those without dedicated security teams can take measures to stay protected. For more information on the common types of cyber threats and how to prevent them, read our cyber FAQs.

Disclaimer:

Our FAQ pages provide general information and background around the topic covered. FAQ pages are reviewed and monitored periodically by our insurance experts. But the content is not intended to be read as advice and any material is for general information purposes only. If you would like advice for any content, please seek professional assistance.