What is SQL injection?

Technological systems play a critical role in today’s world, enabling functions as diverse as business operations, health care, service delivery, and education. However, with so many key processes and activities depending on tech systems, it’s no surprise that there are malicious cybercriminals seeking to abuse and leverage these platforms for their own fraudulent purposes.

Hackers and cybercriminals constantly develop new techniques to breach networks, applications, and systems in order to snoop on and steal valuable data. This can prove particularly profitable for hackers, allowing them to create fraudulent accounts and other money-generating processes.

Within the information systems industry, it’s imperative for professionals to work to stay a step ahead of hackers. One of the first essentials in this pursuit is awareness and knowledge of the current threat environment, and the approaches cybercriminals use to support their malicious activity.

Today, we’ll take a closer look at SQL injection, SQL injection detection, and prevention techniques, and how hackers use this technique to bypass security programs and expose sensitive information.

What is SQL?

Before we delve into the mechanics of this kind of attack, it’s important to have a foundational understanding of structured query language (SQL), the legitimate process that hackers leverage for injection.

As Cisco explains, SQL enables the querying and operation of administrative databases. This includes popular programs like Microsoft SQL Server, MySQL, or Oracle. These databases support backend functionality for a range of different web applications, where the apps utilize user-generated data or navigation commands to create SQL statements that then enable the app to interact with the associated database.

While this process might include small deviations or intricacies depending on the SQL database, it is generally the same from Microsoft SQL Server to Oracle, for example.

What does an SQL injection look like?

An SQL injection attack depends upon the use of hacker-created SQL statements or code, as opposed to the legitimate, user-supplied data typically seen in regular activity. Within this attack structure, hackers provide their own SQL statements sent directly to the backend database to hijack its functionality as well as the operations of the web application it enables.

“A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data,” Cisco explains.

Depending on the SQL statements the attacker creates, as well as the functionality or purpose of the web application and database, this style of attack can be used to support an array of different malicious activities.

For instance, a hacker could inject their own SQL code to enable processes like:

  • Authentication bypass: In this way, an attacker could potentially gain administrative capabilities without the need for legitimate authentication credentials, breaking into a system and leveraging it for data theft or other malicious activity.
  • Information compromise: A hacker could also create an SQL statement to connect them, either directly or indirectly, to the backend database. From here, the attacker could steal or otherwise expose and compromise the data contained there. Depending on the database and web application, this could include anything from highly sensitive customer data to health care information, payment details, and more.
  • Data alteration: In addition to snooping and stealing information contained in the backend database, an attacker could also alter this data for a variety of damaging purposes. For instance, a hacker could change the backend database information to alter web application content or to insert malicious code into the web application. Separately, the attacker could also delete the database information, thereby preventing availability and ceasing certain functions that depend on this data to inform operations.

These are just a few SQL injection exploit examples, but the potential attack areas supported by SQL injection are great. What’s more, SQL injection attacks are not a new approach for hackers. CSO senior writer J.M. Porup explains that this malicious hacker process first came to light in 1998 and has been utilized steadily ever since, and it’s currently considered among the top 10 threats to web applications.

Thankfully, though, these types of attacks are not difficult to guard against, and SQL injection protection is often a standard tenet of application security.

“SQLi isn’t some cutting-edge NSA Shadow Brokers kit; it’s so simple a 3-year-old can do it,” Porup writes. “This is script kiddie stuff — and fixing your web applications to mitigate the risk of SQLi is so easy that failure to do so looks more and more like gross negligence. … but even the smartest and best-intentioned developers still make mistakes.”
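The information-compromise case from the list above, shown next to its fix. This is an added example, not code from the original article, Cisco, or CSO: a query built by string concatenation beside a parameterized one, using Python's built-in sqlite3 module. The orders table, its rows, the crafted value, and the function names are assumptions constructed for the demonstration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", [
        ("alice", "laptop"),
        ("bob", "phone"),
        ("o'brien", "monitor"),
    ])
    return db

def orders_concatenated(db, owner):
    """VULNERABLE: user input is pasted into the statement text, so quote
    characters in it are parsed as SQL syntax rather than as data."""
    sql = "SELECT item FROM orders WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

def orders_parameterized(db, owner):
    """HARDENED: the statement text is fixed; the driver binds the input
    as a value, so it cannot change the structure of the query."""
    sql = "SELECT item FROM orders WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]

# Constructed attacker-supplied value of the kind the article describes.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(orders_concatenated(db, "alice"))     # only alice's row
    print(orders_concatenated(db, CRAFTED))     # every owner's rows
    print(orders_parameterized(db, CRAFTED))    # no rows: treated as a name
    print(orders_parameterized(db, "o'brien"))  # legitimate quote still works
```

The concatenated version also fails with a syntax error on the legitimate name o'brien, which is often the first visible symptom of an injectable query.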

SQL injection detection and prevention techniques

There are several key protection strategies specifically aimed at SQL injection attacks that professionals in the information systems industry should be aware of, including:

  • The use of a web application firewall (WAF), which can detect the type of activity associated with SQL injection and block this process from taking place
  • The deployment of an intrusion detection system (IDS), including both network-level and host-based systems. These platforms can monitor connections to the database server as well as web server logs, and notify the IT team and information systems professionals of any activity that is out of the ordinary and could point to a potential attack.
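A sketch of the web-server log monitoring described in the list above. This is an added example, not taken from the original article or from any particular WAF or IDS product. The log lines are constructed, and the signature set and function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /orders?owner=alice HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /orders?owner=nobody%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=o%27brien HTTP/1.1" 200 733
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /item?id=7%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 500 120
"""

REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/')
# Illustrative signatures; a lone apostrophe (o'brien) must not match.
SIGNATURES = {
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union-select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "quote-then-comment": re.compile(r"'\s*(--|#|/\*)"),
}

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client_ip, parameter, signature) for each suspicious value."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target = m.groups()
        # parse_qsl decodes once; fully_decode peels any further layers.
        for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            for name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    alerts.append((ip, key, name))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Signature matching of this kind is heuristic, so an alert is a prompt for review rather than proof of an attack. Access logs record only the request line, so values sent in request bodies need inspection at the WAF or application layer.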

Cisco also suggests putting in place application blacklisting and whitelisting, which allow only certain programs to connect to databases.

Understanding current threats: Online BSIS

One of the critical responsibilities of information systems professionals is to gain an in-depth understanding of not only the technology solutions that enable key processes, but also the threats that might impact them. SQL injections are just one attack style in the current threat environment.

Students enrolled in the University of Alabama at Birmingham’s Collat School of Business Online Bachelor of Science in Information Systems can take Information Security Management as part of their elective options. This course helps provide a foundational understanding of information security, including management of risks and threats.

To find out more, reach out to one of our expert enrollment advisors today.

Sources:

UAB BSIS

UAB BSIS Course Descriptions

Cisco

CSO Online