How SQL injection attacks work: Examples and video walkthrough
Injection attacks are the number one web application security risk, according to the OWASP Top 10. Learn how they work and how you can defend against them in this walkthrough from Infosec Skills author John Wagnon.
How to prevent SQL injection
In this episode of Cyber Work Applied, John explains what a SQL injection attack is and walks through how easily an attacker could gain unauthorized access to a web application built upon insecure code.
Watch the full breakdown below of how the attack works:
New episodes of Cyber Work Applied are released every other week. Check out the full collection of free Cyber Work Applied training videos.
SQL injection attack walkthrough
The edited transcript of the SQL injection attack walkthrough video is provided below, separated into each step John covers in the video.
How does an injection attack work?
(0:00–1:04) Have you ever heard of an injection attack? It's the number one critical security risk for web applications according to the OWASP Top 10 rankings. I'm Infosec Skills author John Wagnon, and I'm going to show you exactly why injection attacks are one of the most common and dangerous risks on the internet today.
When you access a website, you're actually accessing several different components and several different technologies. There's a web server that has text and pictures and forms and all those elements for the site that you're accessing. But in addition, there's almost always this database connected that's holding a lot of information related to that website. For example, a database might hold the names and addresses of users, or maybe even more sensitive information like medical data, credit card numbers or bank information.
Injection attacks happen when an attacker takes advantage of poorly written code that allows this attacker to gain access to the database containing those types of data that are intended to be protected.
11 courses, 8+ hours of training
How does SQL injection work?
(1:05-3:00) A SQL injection attack is a common type of injection attack. Remember that database we were just talking about? Well, a database uses a specific language to talk. It's called the Structured Query Language, or SQL, and that uses SQL to carry out these commands that make the database run.
SQL commands are used to do all kinds of things, like insert data, remove data, find data and manipulate that database, right? When a web application is written, if the code used to write it doesn't check things like manipulated SQL commands, then it could inadvertently allow a SQL command to run against the database and allow an attacker to gain access to that database or web application — and gain access to all the data stored in the database.
Here's an example. Let's say you have a web application that has a username and password combination that allows a user access to that website. Let's also say that the same web application has that database on the backend that stores usernames and passwords. When a user enters a username and password, a SQL query is created, and it's executed to search against that database to verify that the user is who they say they are. If the matching entries are found on the database, then the user is authenticated to the website.
But if the application doesn't do proper user input checks, then an attacker could come in and manipulate the username or the password field so that the resulting input creates this strange, yet valid SQL command. If the attacker uses the proper SQL syntax, then they could manipulate the database to return these "true" statements back to the web application. Then the web application would grant user access to that site.
A SQL injection attack example
(3:01-4:24) In this example, the username could be manipulated to be something like:
" OR 1=1
But what that does is it gets translated into a SQL command that might look something like:
SELECT * FROM users WHERE name=" or 1=1
So while this username looks really strange in the website login box, it looks completely valid to the database on the backend holding the username and password fields. The database is looking for a username that matches the input value the user supplied. If the values match, then the database returns a true response to the web application, and the application allows the user access to the web application.
In this specific case, the SQL command has been manipulated to tell the database to return a true statement, or a true response, as long as the username is either quote or as long as the statement one equals one is true. Of course there's no username that is a quote, right? But the logical statement one equals one is, of course, true. So the database would return a true response back to the web application.
And so now this user, or in fact, the attacker, would be granted access to the web application.
Other types of injection attacks
(4:24-4:57) SQL is not the only type of injection attack. You can also use this same approach for things like lightweight directory access protocol, or LDAP servers. The syntax is slightly different between LDAP and SQL, but the idea is exactly the same. You manipulate the user input so that the backend system will be tricked into granting access or spilling data that was intended to be protected.
These injection attacks lead to dozens of breaches every year where millions of records are compromised.
SQL injection prevention
(4:57-5:42) How do you defend against injection attacks, like the ones we've just talked about? Well, you should check all of your user input, using things like prepared statements or stored procedures. Essentially, you want to make sure that the user input coming into your web application is what you expect it to be. You can also implement things like the concept of least privilege, where you only allow users the minimum amount of access and permission to do their job.
You can see that injection attacks are really dangerous, but there are things you can do to stop them. That's why it's important that cybersecurity professionals should know how these attacks work and how they can mitigate them.
Check out my Infosec Skills learning path for the OWASP Top 10 to learn all about injection attacks and many more.
11 courses, 8+ hours of training
More free training videos
If you want more free training from John and other Infosec instructors, check out the Cyber Work Applied training series, where you'll learn:
- How to carry out man-in-the-middle attacks and watering hole attacks
- How to hack Wi-Fi and crack passwords
- How to use Wireshark for protocol analysis
- How cross-site scripting attacks work
- How to write a port scanner in Python
- And many more!