Logo Logo
  • Home
  • Modshield SB
  • services
    • Application Security Testing
    • IoT Security Testing
    • Infrastructure Security Testing
    • Testing for Compliance
    • Red Team Exercise
    • Performance Testing
  • Training
    • Cybersecurity Awareness Program
    • Cybersecurity For Developers(Web Application)
    • Cybersecurity For Developers(Mobile Application)
  • Resources
    • Blog
    • CyberNews
  • About
    • Partners
    • Contact

SQL Injection Attack In Cybersecurity

  • Home
  • Blog Details
September 1 2021
  • Blog

An injection is a broad class of attack vectors where the attacker provides an altered input to a program. When the input gets executed as a part of a command or a query, the result obtained is completely altered. It is listed as the most dangerous threat in OWASP’s top 10 vulnerabilities.

SQL Injection attack. An injection is a broad class of attack vectors where the attacker provides an altered input to a program. SQL Query Injection.
SQL Injection Attack

This flaw allows the malefactors to execute a discrete code on the host operating system through a vulnerable application which could lead to data loss, data corruption, and loss of credibility.

Types of injection

SQL injections are broadly classified into three categories based on their damage potential

Types of injection: In-band SQLI, Inferential SQLI, Out of band SQLI
Type of SQLI Injection

In-Band SQLI:  In In-Band SQLI the attacker does the injection when he can make use of the same communication channel as that of the user. It is the most common and easiest out of the SQL Attacks. In-Band SQLI is further classified into two

  • Error-based SQL Injection
  • Union-based SQL Injection

Error-based SQL Injection: In error-based SQLI the malefactor’s launch attacks are designed to throw error messages towards the database. It helps the attacker in understanding the nature of the database and in some cases it helps them in enumerating the database.

When parameters are manipulated, the server throws SQL Error in detail which was used to successfully explore and exploit the database.

DB Server Name Disclosed

In this case, the error lists a total of 10 Columns of which the first column is vulnerable. With this, the attacker can get the DB server name and its version details

  • Database Server name disclosed
  • Database name getting disclosed
  • Database user name getting disclosed
  • Table Name Exposed
  • Column Name Exposed

Union-based SQL Injection: Union query SQLI helps the attacker to extract information with the help of a union operator. The attacker gets hold of the information from the database by extending the results from the query. Union operator can be used whenever the original queries have the same number and similar data type of columns.

Inferential SQLI: Inferential SQL injection or blind SQLI communicates with the database and its corresponding HTTP responses do not contain the results of SQL query or traces of any database errors. When the data is not outputted to the web page the hacker questions the database with a series of true or false questions. The main targets for these types of attacks are web applications that show generic error messages instead of generating codes that are vulnerable to the injection. In inferential SQLi no data is transferred between the attacker and the database. 

It can be furthermore classified into two types 

  • Blind Boolean-Based SQL Injection
  • Blind Time-sensitive SQL Injection

Blind Boolean-Based SQL Injection: In this type of injection, the attacker tries to understand the nature of the database by sending a set of predefined questions. Based on the results obtained the attacker will determine the vulnerability of the database for the SQL injection.

Blind Time-based SQL Injection: Whenever the malefactor interprets the database with a series of true or false questions, the database will wait for a specified amount of time before responding to it. This buffer time is called blind time-based SQLI.

When an asleep time of 10 seconds was given, the application responded after 10 seconds.

Types of injection: Inferential SQLI. The main targets for these types of attacks are web applications that show generic error messages.
Blind Time-based SQL Injection

Out of Band SQLI: Out of band, SQLI occurs whenever the attacker uses a different channel to attack and obtain results. This type of attack mainly relies on the server’s ability to transmit data over HTTP, SNB, OR DNS protocol. This method is only adopted when attacks based on inferential SQLI or inband SQLI are unstable and inconsistent.

Prevention from SQLI’S: One can prevent the attack of SQLI using sanitized inputs, not connecting the application with the database having root access, identifying the level of permission that the application needs, good code practice may help in preventing the user from SQLI’s

WAF – Web Application Firewall

SQL injection attacks can be prevented with the help of a web application firewall (WAF). A WAF serves as a filter between the server and the web traffic. 

A WAF works based on a set of rulesets, the most common type of ruleset used across any WAF is OWASP Top 10 ModSecurity rulesets. StrrongBox IT’s Modshield SB works on the core ModSecurity rulesets, which can avert SQL injections during the time of the attack.

Get a 14-day free trial

Previous Post Next Post

Leave a Comment

Recent Posts

  • SOC 2 Compliance – Complete Guide
  • What is compliance and why do you need it?
  • OWASP WAF – Web Application Firewall
  • Top Cyber News April Week 3
  • Top Cyber News April Week 2

Recent Comments

  1. Vishnu on IEC 62443 – Cybersecurity for Industrial Automation and Control Systems

Archives

  • July 2022
  • June 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • June 2020

Categories

  • Blog
  • CyberNews
© Copyright 2020. Anada WordPres Theme By WordPressRiver