What is SQL Injection? How to prevent SQL Injection vulnerabilities

AnonyViet by AnonyViet
March 2, 2026
in Tips

SQL injection vulnerabilities arise when you build database queries insecurely. Simply put, an attacker can read your website's database by entering SQL fragments into a URL parameter or a form field. Don't underestimate SQL injection: it is listed in the OWASP Top 10 web security vulnerabilities according to the OWASP 2020 announcement.

How to exploit SQL Injection vulnerability

The simplest way is to use an automated SQLi exploitation tool. I usually use SQLmap because, in my experience, it is the tool with the strongest exploitation capability. The downside is that it is driven from the command line rather than a graphical interface.

Alternatively, SQL Dumper offers a graphical interface with many features that are easier to set up. If you are new to this, you can try that tool to exploit a website's database.

How to prevent SQL injection vulnerabilities?

The best way to prevent SQL injection vulnerabilities is to use a framework that passes input data to the database safely instead of splicing it into the query text. An ORM (Object Relational Mapper) is a good option that you should try. For additional layers of security, validate all input and use a WAF (Web Application Firewall).

Simple example

Let's say we have a Java application that allows users to retrieve their documents by name. A naive implementation looks like this:

// Vulnerable: the docName parameter is concatenated straight into the SQL text
String query = "SELECT * FROM documents WHERE ownerId=" + authContext.getUserId()
    + " AND documentName='" + request.getParameter("docName") + "'";
executeQuery(query);

If the user ID is 25 and the URL is https://www.example.com/documents/?docName=ABC123, the query will be:

SELECT * FROM documents WHERE ownerId=25 AND documentName='ABC123';

Still fine, right? But what if the URL is https://www.example.com/documents/?docName=ABC123'OR'1'='1?

Now the resulting query returns all documents of all users, because '1'='1' is always true and OR binds more loosely than AND, so the ownerId check no longer restricts the result:

SELECT * FROM documents WHERE ownerId=25 AND documentName='ABC123' OR '1'='1';

So how to avoid this error?

Use Object Relational Mapping

Taking Java as an example, using an ORM such as Hibernate as the JPA (Java Persistence API) implementation might look like this.

First, define the model.

@Entity
public class Document {
  @Id
  @GeneratedValue(strategy=GenerationType.AUTO)
  private Long id;
  private String documentName;
  private Integer ownerId;
}

Then, define the repository interface.

@Repository
public interface DocumentRepository extends JpaRepository<Document, Long> {
  // Spring Data derives a parameterized query from the method name
  List<Document> findByDocumentNameAndOwnerId(String documentName, Integer ownerId);
}

Finally, you can use the repository and fetch the documents as follows:

List<Document> docs = documentRepository.findByDocumentNameAndOwnerId(request.getParameter("docName"), authContext.getUserId());

The ORM will handle all parameters safely. Now, let’s say you want more control over queries. In that case, many ORMs provide query builders you can use, such as the Hibernate Criteria API.

If you use Python, Django has an equally good ORM; if you don't use Django, SQLAlchemy is a great choice.

PHP has Doctrine. A quick search will turn up an ORM for whichever technology you choose.

Warning

ORM frameworks are not 100% perfect.

First, they still support raw SQL queries or raw query fragments. You simply need to avoid using those features.

Second, ORM frameworks, like any other software package, can have security vulnerabilities of their own. So also follow the other good practices: validate all input data, use a WAF, keep packages updated, and so on.

Prepared statements

Prepared statements are a more manual choice and should be avoided where an ORM is available, because compared to an ORM they carry a significantly higher risk of human error. However, they still beat simple string concatenation (like the example above) by a wide margin. This approach looks like this:

String query = "SELECT * FROM documents WHERE ownerId=? AND documentName=?";
PreparedStatement ps = conn.prepareStatement(query);
ps.setInt(1, authContext.getUserId());             // ownerId is an integer column
ps.setString(2, request.getParameter("docName"));  // bound as data, never parsed as SQL
ResultSet rs = ps.executeQuery();

In theory, this method is quite safe. However, in my experience, as the codebase grows, mistakes start to appear, and a single mistake is enough for a full compromise. Cases like arrays (documentId IN ("foo", "bar")) are where developers often slip, because the list cannot be bound to a single placeholder.

So if you decide to use this method, be careful with it as you expand the codebase.
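The concatenated query from the simple example above, the prepared-statement version, and the IN (...) case from the previous paragraph, as an added Python/sqlite3 example that is not from the original article (the documents table and its three rows are constructed here to stand in for the article's data):

```python
import sqlite3

# Constructed sample rows: (id, documentName, ownerId); user 25 owns two documents.
ROWS = [
    (1, "ABC123", 25),
    (2, "Budget", 25),
    (3, "Secret", 99),
]


def setup_db():
    """Create an in-memory documents table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, documentName TEXT, ownerId INTEGER)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return conn


def fetch_concat(conn, owner_id, doc_name):
    """Vulnerable: mirrors the article's string-concatenated query. Do not use."""
    query = ("SELECT id FROM documents WHERE ownerId=" + str(owner_id)
             + " AND documentName='" + doc_name + "' ORDER BY id")
    return [row[0] for row in conn.execute(query)]


def fetch_prepared(conn, owner_id, doc_name):
    """Safe: placeholders; the driver binds doc_name as data, never as SQL."""
    query = "SELECT id FROM documents WHERE ownerId=? AND documentName=? ORDER BY id"
    return [row[0] for row in conn.execute(query, (owner_id, doc_name))]


def fetch_by_ids(conn, owner_id, doc_ids):
    """Safe IN (...) list: one '?' per value, values passed as bind parameters."""
    if not doc_ids:
        return []  # "IN ()" is a syntax error in most databases; short-circuit instead
    placeholders = ",".join("?" * len(doc_ids))
    query = (f"SELECT id FROM documents WHERE ownerId=? AND id IN ({placeholders}) "
             "ORDER BY id")
    return [row[0] for row in conn.execute(query, (owner_id, *doc_ids))]
```

With the article's payload `ABC123' OR '1'='1` as `doc_name`, `fetch_concat` returns every row in the table while `fetch_prepared` returns nothing, because no document literally has that name.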

Web Application Firewall

WAF products should not be considered a primary SQL injection control. But they are a useful additional layer of security and are often quite effective against SQL injection attacks.

A good open source option is to deploy Apache with ModSecurity and the OWASP Core Rule Set (CRS) in front of your web app.

Database Firewall

Depending on your database and budget, you may also consider a database firewall. I have never tried one, but you can also check out the link below; maybe it will help you.

Conclusion

SQL injection is a simple injection vulnerability. And like all other security vulnerabilities, you can prevent it by using an appropriate library or framework to build the protocol messages, in this case SQL queries.

An ORM is more secure than prepared statements. And if you don't need too much control over the queries, use a lower-level ORM, often called a query builder. A WAF can add a layer of security, but you should never rely on it as your only protection.

Frequently asked questions

What is SQL Injection and why is it dangerous?

SQL Injection is a security vulnerability that allows attackers to inject malicious SQL code into website database queries. This could allow them to access, edit, or delete sensitive data in your database.

What is the most effective way to prevent SQL Injection?

The best way is to use an Object-Relational Mapper (ORM). An ORM helps you create safe queries by handling input parameters safely. In addition, validating input data and using a Web Application Firewall (WAF) are also important.

Are Prepared Statements safer than direct string concatenation?

Prepared Statements are safer than direct string concatenation when building SQL queries, but they still pose risks if not used properly. An ORM is often recommended because of its ease of use and lower chance of mistakes.
