Most dynamic web applications and sites — ones that store and process user information — use some sort of database implementation. One of the most common implementations involves SQL. Structured Query Language is a standard language for relational database management systems (RDBMS). It lets you query database records, change and modify them, set permissions, and create custom views and stored procedures.
SQL Injection (SQLi) refers to the vulnerability that allows cybercriminals to exploit SQL code in order to manipulate RDBMS procedures that rely on SQL. An SQL vulnerability exposes a majority of websites on the Internet — which means its implications are far-reaching for the regular internet user.
Let’s take a look.
How SQL injections work
Consider a database system that takes a user ID as input and returns the corresponding personally identifiable information if the ID matches one of the database entries. An SQL injection attack modifies that input so that the resulting condition is always treated as true by the database system.
For example, instead of searching for “userID 123” and returning the corresponding user details, an attacker can search for “userID 123 OR 1=1”. The added condition makes the query true regardless of the userID it contains, so the query can return every user's data if the SQL system simply checks whether the condition holds for each database entry.
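The following is an added example, not code from the original post, that reproduces the “123 OR 1=1” case above against a constructed in-memory SQLite table: one lookup builds the statement by string concatenation, the other binds the value as a parameter so the same input can never change the query's logic.

```python
import sqlite3


def make_db():
    """Build a constructed sample table of three users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (123, "Alice", "alice@example.com"),
        (456, "Bob", "bob@example.com"),
        (789, "Carol", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """Concatenates the user's text into the SQL, so 'OR 1=1' becomes part of the WHERE clause."""
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterized query: the driver binds user_id as a single value, never as SQL text."""
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for candidate in ("123", "123 OR 1=1"):
        print(candidate, "->", len(lookup_vulnerable(db, candidate)), "rows (vulnerable),",
              len(lookup_safe(db, candidate)), "rows (parameterized)")
```

With the payload, the concatenated query returns all three rows while the parameterized one returns none, because the bound text "123 OR 1=1" is compared as a value and matches no id.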
As the Splunk Threat Research Team explains:
"A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system."
Types of SQLi
Though there are plenty of examples of SQL injection (listed here and here), the most common types of SQL injection are the following:
- Hidden data retrieval. Changing the SQL query such that it can access hidden database entries.
- Logic subversion. Manipulating application logic, or using a query to interfere with the expected use of application logic, to return the desired results.
- Union attacks. Changing the SQL query such that it returns the expected results as well as some additional query results, possibly from multiple databases.
- Examining database. The SQL query returns database metadata and details such as the structure and schema.
- Inferential blind SQL injection. These can be boolean- or time-based attacks, where querying a series of questions or submitting error-raising input lets the attacker infer information stored in the database.
- Hexadecimal attack. A variation of query input to evade signature-based detection systems. These queries may use one of the other SQL injection techniques such as logic subversion and union attacks to manipulate application behavior.
Signs of SQL injection
An attacker may take individual steps as part of the SQL injection that look like entirely legitimate user requests as far as the web application, RDBMS and networking logic are concerned. However, a successful SQL injection attack takes a series of actions that are not typical of your authorized user base, and so it leaves behind the following trail of symptoms:
- Large volume of queries with unexpected structure.
- Frequent redirects, ads and popups linked to your website.
- Access request to database metadata and structure information.
- Requests about the structure of dynamic SQL queries, as performed by other users.
- Unexpected behavior of the application, such as returning data in unexpected ways.
- Denial of Service attack that renders the network inaccessible to other users.
- Unexpected modification of application logic or database entries.
- Attacks on the backend infrastructure, or changes in how the application consumes those resources.
- Elevated access privileges assigned to specific users.
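As an added example (not part of the original post), the scanner below turns several of the symptoms above into detection logic over constructed web-server log lines: it decodes each request's query string, flags tautologies, UNION selects, metadata-table lookups, comment terminators and hex literals, and counts hits per source IP so a burst of oddly structured queries from one client stands out. The log format, rules and IP addresses are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic): ip "METHOD path HTTP/1.1" status
LOG_LINES = [
    '10.0.0.5 "GET /user?id=123 HTTP/1.1" 200',
    '10.0.0.9 "GET /user?id=123%20OR%201%3D1 HTTP/1.1" 200',
    '10.0.0.9 "GET /user?id=1%20UNION%20SELECT%20name%2Csql%20FROM%20sqlite_master-- HTTP/1.1" 200',
    '10.0.0.9 "GET /user?id=0x313233 HTTP/1.1" 500',
    '10.0.0.7 "GET /user?id=456 HTTP/1.1" 200',
]

# Each rule corresponds to one symptom or technique named in the post.
RULES = {
    "tautology":   re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),        # ... OR 1=1
    "union":       re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # union attacks
    "metadata":    re.compile(r"\b(information_schema|sqlite_master|sysobjects)\b", re.I),
    "comment":     re.compile(r"(--|/\*|#)\s*$"),                       # truncates the rest of the query
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),             # hexadecimal evasion
}
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) ')


def decode_query(path):
    """URL-decode the query string so encoded spaces and '=' are visible to the rules."""
    return unquote_plus(urlsplit(path).query)


def scan_line(line):
    """Return (ip, list of matched rule names) for one log line; ([], None) if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None, []
    ip, path = m.group(1), m.group(2)
    query = decode_query(path)
    return ip, [name for name, rx in RULES.items() if rx.search(query)]


def scan_log(lines):
    """Return (per-IP hit counter, list of (ip, matched rules)) over the whole log."""
    hits, findings = Counter(), []
    for line in lines:
        ip, matched = scan_line(line)
        if matched:
            hits[ip] += 1
            findings.append((ip, matched))
    return hits, findings


if __name__ == "__main__":
    for ip, matched in scan_log(LOG_LINES)[1]:
        print(ip, matched)
```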
The SQL injection attack threat exposes how subtle vulnerabilities in application and database management logic can compromise the confidentiality and integrity of your database systems.
Effects of major SQL injections
Given the simple nature of query manipulation, we may be inclined to believe that large enterprises with significant resources and security expertise can overcome the threat, often by designing their web applications and DBMS for security against such attacks. Unfortunately, that is not the case.
SQL injection vulnerabilities have made headlines on several occasions. Reading through this list shows you that anyone can be a victim — and the consequences can be enormous.
Microsoft UK, 2007
In 2007, Microsoft’s UK website was hit by an SQL injection attack. The hacker gained unauthorized access to the website and was able to embed URLs and redirect media content on the site. The site returned errors, which allowed the hacker to understand the structure of the database and then refine their queries until they could retrieve the data they wanted.
Tesla, 2014
In 2014, Tesla was the victim of an SQL injection attack in which a cross-site scripting (XSS) vulnerability exposed:
- Sensitive customer data in the backend database
- Administrative credentials
Fortnite, 2019
In 2019, security researchers identified vulnerabilities in Fortnite that allowed them to take over user accounts by using a phishing attack. Users who fell prey to the attack and clicked the phishing links allowed the attackers to bypass application firewall rules.
Cisco, 2018 and 2023
In 2018, researchers identified an SQL injection vulnerability in the Cisco Prime License Manager that allowed them to gain shell access to systems running the program. In 2023, Cisco Unified Communications Manager was found to have a vulnerability for which no workarounds were yet available, making it a zero-day exploit.
This vulnerability is caused by a web interface that does not adequately validate user input, allowing an attacker to launch an SQL injection attack.
Defending against SQL attacks
Unfortunately, there is no tried-and-true way to wholly prevent SQL injections, as is true with many aspects of cybersecurity. (Simply search the CVE database for “injections” and you’ll see what we mean.)
This posting does not necessarily represent Splunk's position, strategies or opinion.