SQL injection explained – OWASP Top 10 vulnerabilities
Welcome to this new episode of the OWASP Top 10 vulnerabilities course, where we explain in detail each vulnerability. In this blog post, you will learn SQL injection.
This is a subset of the OWASP Top 10 injection vulnerabilities. If you’d like to have a bigger picture of Injection, I invite you to read this blog post before continuing.
What is SQL injection?
This vulnerability happens where the application processes malicious user input to query a SQL database. A n example would be the login feature of an admin portal. In fact, a vulnerable piece of code could be as follows:
userEmail = getParam("emailParameter");
userPass = getParam("passParameter");
sqlQuery = "SELECT * FROM users WHERE email = '" + userEmail + "' AND pass ='" + userPass + "'";
If sqlQuery{
accessAdminDashboard();
}
The code above expects two user inputs, an email and a password. Then, it constructs a SQL query by concatenating the email and password. From there, if the result is not empty, the application allows the user to access the administration dashboard.
The idea is to construct a valid SQL query while bypassing the password protection. If we try the payload ‘ or 1=1;– in the email input and dummy in the password, the resulting SQL query would be:
SELECT * FROM users WHERE email = '' or 1=1;-- ' AND pass=dummy'
It is a valid SQL query which always returns true since 1 is always equal to 1. Besides, the double dashes comment out the rest of the SQL query. The result will pass the check and give us admin access without knowing neither the email nor the password.
You can practice SQL injection by going to the SQL injection hands-on examples blog post.
SQL injection attacks
This vulnerability is really impactful. I mentioned the TalkTalk’s breach on the OWASP Top 10 Injection blog post, which should give you an insight into how serious SQL injection could be. The following is a list of publicly available reports which bug bounty hunters reported on HackerOne. I’ll invite you to read my write-up, which I found on a private HackerOne program. So, make sure to subscribe to the newsletter to be notified.
- $4000 bug report: It is a well written report on an error-based SQL injection which affected Starbucks.
- $2000 vulnerability report: It is a blind SQL injection vulnerability that the ethical hacker found on labs.data.gov.
- Blind injection affecting the US Department Of Defense.
How to exploit SQL injection manually?
The first thing is to determine if it is an error or blind based injection.
Error based SQL injection
The most basic test is to trigger an exception by injecting either single or double quotes, unless there is some protection filter in place. From there, just rely on the errors and try to either get unauthorized access or read sensitive data. There is a detailed blog post about this approach in the SQL injection practical examples.
Blind SQL injection
If the application doesn’t return any errors, try to provoke a time delay using a sleep. If it doesn’t work, try to spot any difference in the HTTP response between a SQL query which returns true and another which returns false.
As an ethical hacker, be very cautious when manipulating the SQL query! You should avoid altering or deleting data unless explicitly permitted by your client. Losing data can lead to serious business losses and will harm your reputation.
How to exploit SQL injection using automated tools
You can use automated testing once you find a vulnerability manually. Alternatively, you can use automated scanners to speed up your testing process if you have a large number of user inputs. You can use either OWASP Zap, Burp Suite or Sqlmap to test for this vulnerability automatically. I cover each one of them in this hands-on OWASP Top 10 training.
How to prevent SQL injection?
As it turns out, fixing this highly impactful security vulnerability is extremely simple. As a developer, the most effective and primary protection against this deadly vulnerability is to use prepared statements. This OWASP SQL injection Prepared Statements Cheat Sheet explains how to use it in all major programming languages.
Another approach would be to use stored procedures, where the SQL queries are stored on a database and no user input is dynamically inserted into them.
You can also use a whitelist to control parts of your SQL query before executing it. For example, if you search a store by category, you may want to validate that the category parameter is included in a list of whitelisted categories. If successful, then you run the SQL query. However, I wouldn’t recommend it as a primary defense. You can use it as a secondary defense mechanism.
Another secondary defense would be to apply protection filters which would sanitize and escape the user inputs. However, this can be bypassed.
You can find more on this topic on the OWASP prevention Cheat Sheet.
SQL injection common filters bypass
To prevent SQL injection, developers use common filters to check user input. Unfortunately, they can be bypassed. Whether you are As a developer or an ethical hacker, you should be aware of them. So please take your time understanding the idea behind these filters, this will enrich your skills whether you are a developer or an ethical hacker.
That’s it for today! Hopefully you’ve learnt a lot during this episode. If you enjoyed learning from this content, make sure to subscribe to the newsletter. I update all the subscribers on each Friday.