Preventing SQL Injections
by Bethany Hendricks on Security • February 18, 2021
What is SQL Injection?
An SQL injection is a cybersecurity term referring to the exploitation of a bug on a website, that allows an attacker to run malicious SQL statements (commonly referred to as a malicious payload) on your database server.
These attacks can have many purposes:
- They can be destructive, e.g. by deleting your data
- They can leak private information to attackers
- They can be used to attack your clients.
A SQL injection is the most prevalent means of attacking a web application today with an estimated 32% of web applications today being vulnerable. In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. This allows an attacker to insert a malicious payload that will be included as part of the SQL query and run against the database server.
```python
# Define POST variables (taken straight from the request, unvalidated)
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: user input is concatenated directly into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement (cursor is assumed to be an open DB-API cursor)
cursor.execute(sql)
```
Above is an example of a simple script used to authenticate a user with a username and password against a database, using a table named users with username and password columns. This script is vulnerable to SQL Injection because an attacker can submit malicious input that alters the SQL statement the database server executes.
A classic example of an SQL Injection payload is the simple argument password' OR 1=1 supplied as the password.
The resulting query, shown below, says: "select the ID from the users table where the username is 'username' and the password is 'password', OR where 1 is equal to 1".
Of course 1 is always equal to 1, so the WHERE clause evaluates to TRUE for every row.
```sql
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
```
Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass: the attacker is logged in as the first account in the query result (usually that of an administrative user).
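To make the fix concrete, here is an added example (not code from the original post) that runs the page's concatenated query and a parameterized version side by side against a constructed in-memory SQLite users table; the tautology payload is the page's OR 1=1 trick in a quote-balanced form so the string parses, and the plaintext password column only mirrors the page's schema.

```python
import sqlite3


def make_db():
    """Constructed fixture standing in for the page's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext passwords only to mirror the page's example; never do this in production.
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret!"), (2, "alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, uname, passwd):
    """String concatenation exactly as in the page's snippet: input becomes SQL text.

    AND binds tighter than OR, so a password of  password' OR '1'='1  turns the
    WHERE clause into (username=... AND password=...) OR '1'='1', which matches
    every row; the first row (here the admin account) is returned.
    """
    sql = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, passwd):
    """Bound parameters: the driver passes values separately from the SQL text,
    so a quote or OR in the input is compared as a literal string, never parsed."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "password' OR '1'='1"  # the page's tautology, quote-balanced
    print("vulnerable:", login_vulnerable(db, "username", payload))      # 1 (admin)
    print("parameterized:", login_parameterized(db, "username", payload))  # None
```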
What are the types of SQL injection?
The two primary types of SQL injections are:
- IN-BAND / CLASSIC: Attackers insert a query that runs something or fetches information, and the result (or a database error) comes straight back in the application's response.
- BLIND INJECTION: No data comes back directly; attackers use a Boolean approach, injecting a condition and observing whether the application behaves differently, to tell if something is true or if a command can be run.
Does Snapt protect against SQL injection?
A web application firewall (WAF) operates on HTTP and HTTPS traffic, ensuring it is free of threats to your users and your servers. It decides what traffic to let through, and what to block.
- Intelligent scanning of HTTP/S requests as they come through the WAF
- Rate and session limiting to protected locations and servers
- Blacklisting, whitelisting, shared blacklists, GeoIP, etc.
Snapt Nova includes an advanced WAF that protects against SQL injection and the OWASP Top 10 vulnerabilities.
Do I need a WAF?
You need a WAF to protect your website or application against threats. Examples include 0-day exploits, exploits in your own application, outdated applications, and more. No system is ever foolproof. Web firewalling is about adding another layer of protection to business-critical functionality and makes up an important part of PCI security standards.