SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
 
  • What is injection vulnerability?

         SQL injection is a particularly widespread and dangerous form of injection. To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database. The consequences are particularly damaging, as an attacker can obtain, corrupt, or destroy database contents.
  • How SQL Injection works?

            In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query.
 
            In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
  • Steps to prevent SQL injection attacks

  1. Trust no one
  2. Don’t use dynamic SQL – don’t construct queries with user input 
  3. Update and patch 
  4. Firewall
  5. Reduce your attack surface
  6. Use appropriate privileges
  7. Keep your secrets secret 
  8. Don’t divulge more information than you need to 
  9. Continuously monitor SQL statements from database-connected applications 
  10. Buy better software 
  • Summary:

          SQL injection is an attack technique that exploits a security vulnerability occurring in the database layer of an application. Hackers use injections to obtain unauthorized access to the underlying data, structure, and DBMS.  It is one of the most common web application vulnerabilities.
 
      SQL Injection attacks require that the web application passes an attacker’s input to the database without making use of prepared SQL statements. Exploiting an SQL Injection vulnerability can, potentially, even allow an attacker to gain access to resources that are only reachable on local networks.
 
         Since SQL Injection has been around since 1998 it is widely understood and easily exploitable using free and readily available tools. Most development frameworks have protection mechanisms built in that assist web developers to produce web applications that are not prone to SQL Injection attacks.
READ  Facebook Fined £500,000 for Cambridge Analytica Data Scandal