SQL injection in a nutshell (a beginner's guide)
Many aspects of software development and penetration testing are hard for business owners to understand. This is why we are embarking on a series of articles that explain each of them in plain terms.
To understand SQL injection, we first need to understand what SQL is and what it does. SQL stands for Structured Query Language. It is the language used to insert, update, retrieve, or delete information held in a database, and any website built on top of a database uses it.
What is SQL injection?
According to the OWASP website: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation.
The attacker does this by entering SQL commands into website forms. The input might look like a person's name, followed by special characters that end the expected value and tell the database that whatever comes next is code to be executed. The attacker can use the code after the special character to delete or steal data or take over your system.
You are more exposed to these attacks when there is insufficient logging and monitoring, because injection attempts then go unnoticed.
The dangers of SQL injection + examples
The dangers of SQL injection include:
- An application is tricked into allowing a login without a valid password
- Data is accessed without authorisation, known as broken access control or broken authentication
- Confidential data is stolen, known as sensitive data exposure
- Data is altered to create fraudulent records, to add users, or to promote the permissions of a user
SQL injection can also be used to plant malicious code on a website, even where access is normally restricted to users on the same network (Cross-Site Scripting, XSS). XML External Entities (XXE) is a separate vulnerability that allows attackers to interfere with XML data processing, and insecure deserialisation is another form of attack that can shut down a network or machine.
The result of such attacks can seriously damage your business’s reputation.
How to prevent SQL injection attacks
Your systems and third-party applications should be regularly tested for vulnerabilities. Our penetration tests identify whether you are using components with known vulnerabilities and ensure all security controls are in place to prevent security misconfiguration.
We will tell you how to repair vulnerabilities and recommend inspection, sanitisation, and validation software to spot when dangerous characters are being inserted into website forms.
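To make the mechanism from the "What is SQL injection?" section and the prevention advice above concrete, here is an added example (our own illustration, not code from any product) using Python's built-in sqlite3 module: a login check that pastes form input straight into the query, the same check written with parameters so quotes become plain data, and a small validation hook that raises a log line when suspicious characters arrive. The user table, credentials, and the `flag_input` helper are constructed for this example.

```python
import sqlite3

# Constructed sample users table (in-memory, so the example runs offline).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("o'brien", "pass1")])
    return conn

def login_vulnerable(conn, name: str, password: str) -> bool:
    # Form input is pasted into the query text, so a quote in the input ends
    # the string and whatever follows is executed as SQL. A harmless name
    # like o'brien breaks the query; a crafted one bypasses the password.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, name: str, password: str) -> bool:
    # Parameterised query: the values travel separately from the query text,
    # so quotes and comment markers are only data, never commands.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

SUSPICIOUS = ("'", '"', "--", ";", "/*")

def flag_input(field: str, value: str):
    # Hypothetical validation/monitoring hook: returns a log line when a
    # submitted value contains characters that change SQL syntax. It supports
    # logging and monitoring; it does not replace parameterised queries, and
    # a legitimate name such as o'brien also trips it.
    hits = [token for token in SUSPICIOUS if token in value]
    if hits:
        return f"ALERT field={field!r} tokens={hits} value={value!r}"
    return None

if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"   # constructed input: closes the quote, comments out the rest
    print("vulnerable:", login_vulnerable(db, bypass, "anything"))  # True
    print("safe:      ", login_safe(db, bypass, "anything"))        # False
    print(flag_input("username", bypass))
```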