What is SQL injection? And what is SQL?
Before we get into the injection part, let’s first clear up exactly what SQL is. Developed in the 1970s, SQL stands for “Structured Query Language,” and it’s since become the standard language for database management. If a website needs to access the database on its server to find or edit information, it uses SQL to handle that “query” or request.
SQL is a broad and flexible language that gives database designers a ton of possibilities. Most designers create databases with their own unique set of SQL rules to best suit their particular needs. You can’t simply copy and paste one database’s SQL onto another, because those databases may have been built in two completely different ways.
So, where does the injection part come in?
If a web developer isn’t careful, they might build their site in such a way that a malicious actor can cause unintended effects in its database. This is how SQL injections (or SQLI) happen. The hacker inputs, or injects, malicious SQL code — a form of malware known as the payload — on the website and fools it into delivering that code to its database as a legitimate query.
Hackers use SQL injection attacks to get inside a website’s database. They may simply hope to cause havoc by deleting data, or they may seek to edit the database, especially if financial websites are targeted.
SQL injection attacks are possible only when a website lacks sufficient input sanitization — the process of ensuring that any end-user input cannot slip through the cracks and function as executable code on the server side. That requires more work from the developer, but ultimately protects against SQL injection, cross-site scripting, and other types of website attacks.
What do SQL injection attacks do?
Hackers use SQL injection attacks to get inside a website’s database. They may simply hope to cause havoc by deleting data, or they may seek to edit the database, especially if financial websites are targeted. Once the hacker has database control, it’s easy for them to mess with people’s account balances and funnel money into their own account.
But often, the cybercriminal is after the website’s stored user data, such as login credentials. They can then use this data to perform actions on behalf of the affected users, or compile their compromised logins into a larger list to sell to other cybercriminals on the dark web. People buying this stolen information often do so to commit identity theft and fraud.
How does an SQL injection attack happen?
If a website isn’t thoroughly sanitizing inputs, a hacker can inject their own SQL code. Then, the website delivers the hacker’s code — the payload — to its server. Once the hacker’s payload reaches the website’s database on its server, it springs into action and affects the database to fulfill the hacker’s goals.
Hackers use SQL injection attacks to get inside a website’s database.
Here’s how to SQL inject — don’t try this at home!
SQL injection via user input
SQL injection via user input is the simplest way to conduct SQL injection attacks. Tons of websites collect user input and pass it on to the server. If you’ve ordered something online and filled in your address, that counts. The same goes for a comment section or user reviews. Without strong input sanitization, a fillable form or comment box is a glaring SQL injection vulnerability.
Instead of filling out these forms with standard answers and content, hackers using SQL injection take another path — they’ll enter a string of SQL code. When a website with poor input sanitization submits the form’s content to its server, the hacker’s code executes. That’s how SQLI allows hackers to steal user data or disrupt a website’s operations.
As a real-life example, consider a situation in which a person is applying for a job. The applicant’s name is Bob Alice, but on his application, he writes “Hire Bob Alice.” When the hiring manager reads the name of the applicant out loud, the HR team hears them say “Hire Bob Alice,” and so they send Bob an official job offer.
Instead of giving his real name, Bob submitted an SQL payload that, when executed by the database — the hiring manager — results in Bob getting the job.
SQL injection via cookie modification
Cookies are small files that live in your browser and give websites information about you. Sometimes they’re helpful, such as when they conveniently recall your login credentials and preferences. Other times, they’re creepy — lots of sites use cookies to track your behavior across the internet as well as on their pages. They use insights gained through tracking for market research and advertising purposes. This second type of cookie is a common web tracking tool.
Cybercriminals can manipulate or “poison” cookies so that when they send information back to the website’s server, they deliver SQL code into the database.
SQL injection via server variables
When you enter a website’s URL into your browser, there’s a rapid sequence of communications that occurs to bring that site to you. As part of this process, your browser requests a list of information known as “server variables” that help it render the site properly.
Clever hackers can slip SQL code into browser’s requests, which if not properly sanitized will then be injected into the website’s database on the server.
SQL injection via automated hacking tools
If all this sounds too complicated, there’s an easier option out there. Automated SQL injection tools like SQLMAP will detect and exploit any SQL injection vulnerabilities present in a given website and its database.
sqlmap is an open-source tool that’s popular with database managers and website developers seeking to patch their sites against SQL injection. But there’s nothing stopping someone from using sqlmap for more malicious reasons.
Second-order SQL attacks
Second-order SQL injection takes the technique up a level with a much more sophisticated approach. Since many websites sanitize against direct user input, hackers will inject SQL that’s designed to execute only on subsequent visits. With basic input-sanitization countermeasures in place, the target website would block a normal SQLI attack — otherwise known as a “first-order” attack. But a second-order SQL injection attack is a time bomb. Here’s what happens:
A hacker will inject a bit of code to the database that, on its own, does nothing. But this code is designed to alter the way the database functions when it interprets that code as a database entry. So when the database’s SQL includes the hacker’s code into its own functions, the attack is triggered.
To illustrate this concept, let’s turn to one of literature’s classics: the Homeric epic The Odyssey. During the story, the hero Odysseus is captured by a cyclops named Polyphemus. As part of his escape plan, Odysseus gets Polyphemus drunk. When Polyphemus asks his name, wanting to thank him for the wine, Odysseus answers that his name is “No Man.”
That’s the first stage of a second-order SQL attack: the crafty hacker Odysseus injects the seemingly benign SQL payload “No Man” into Polyphemus’s database.
Later, Odysseus blinds Polyphemus. The enraged cyclops runs to tell his brothers that he was tricked and blinded by “No Man.” In response, they all laugh. Instead of getting his revenge, Polyphemus is humiliated, and Odysseus is able to escape.
That’s the second stage. The SQL payload “No Man” is harmless on its own, but when Polyphemus (the database) attempts to use it, the attack reveals itself.
Because it’s undetectable at first, second-order SQL injection is an indirect and effective way for cybercriminals to leapfrog over basic input-sanitization procedures.
Real-life SQL injection attack examples
Several high-profile SQL injection attacks have targeted websites, organizations, and governments in recent years, causing major disruption and, in some cases, serious data breaches.
Here are some of the most important recent SQL injection examples:
SQL injection breaches
HBGary (2011) — Hackers linked to Anonymous used SQL injection techniques to take down the website of cybersecurity company HBGary after the CEO claimed to possess personal data relating to Anonymous activists.
GhostShell attack (2012) — A shadowy group known as GhostShell waged a SQL injection campaign that impacted 53 universities and resulted in the leak of tens of thousands of student, faculty, and staff records.
Turkish government (2013) — This particularly audacious SQL injection attack breached a Turkish government web portal and erased debt records for utilities such as water, gas, and electricity.
Flaticon (2020) — A hacker collective launched an SQL injection attack on the Flaticon website to steal the email addresses and passwords of 8.3 million Flaticon and Freepik users.
SQL injection vulnerabilities
Tesla (214) — White hat penetration testers discovered they could gain admin access to Tesla’s website using SQL injection, and access sensitive customer data.
Cisco (2018) — A hastily-patched SQL injection vulnerability in Cisco’s software enabled potentially malicious access to shell systems.
Fortnite (2019) — The enormously popular online game was rocked by the discovery of a Fortnite SQL injection vulnerability that could have compromised over 350 million user accounts.
MOVEit Transfer (2023) — Multiple SQL injection problems with the potential to allow unauthorized database access were uncovered by MOVEit software developers and patched.
The impact of SQL injection attacks
SQL injection attacks can have a wide range of consequences. A single SQLI attack can have devastating effects on individual victims as well as the targeted business or company.
SQLI effects for individuals
While SQLI won’t target you directly, if you use a website that’s been targeted by an attack, the impact could be considerable. Having an account with or submitting personal data on a targeted website can allow hackers to do a lot more than just get their hands on your personal data.
SQL injection attacks can have severe consequences for individuals, such as:
-
Loss of money: A hacker can use SQLI on a bank or other financial institution to transfer money out of your account.
-
Identity theft: With control over a database, hackers can capture its data and sell it on the dark web. Other cybercriminals can then purchase this data and use it to commit identity theft.
You can insulate yourself against potential identity theft attacks with Avast BreachGuard, which monitors the dark web for your data and will warn you if any websites you use have been compromised in hacks or other security attacks.
SQLI effects for businesses
Since businesses are the direct targets of SQLI attacks, they face a much wider array of threats. When a hacker gets into a database, they can do any number of things — and once this news becomes public, the targeted business can look forward to plenty of PR damage control.
Here are just a few of the ways SQLI attacks can harm businesses:
-
Sabotage: By wiping a business’s database or vandalizing its website, a hacker can easily send a business spiraling into chaos.
-
Data theft: Many SQLI attacks aim to steal confidential data — trade secrets, insider information, protected intellectual property, and often user or customer information.
-
Security breaches: A hacker may be able to use the contents of a breached database to access other areas of a company’s internal network. Eventually, the entire network may become compromised.
-
Loss of reputation: After suffering the effects of an SQLI attack, it can be difficult for a business to regain the trust of its customers and the greater public.
Potential costs of SQLI attacks
Given the scope of what a hacker can achieve with SQLI, the potential costs can be substantial. A study conducted back in 2014 found that even minor SQL injection attacks can cost around $200,000 to resolve — and that’s just the financial ramifications.
An Ars Technica article published the same year reported that the US Navy spent over half a million dollars in their response to a single SQL injection attack. And, as a result of the attack, over 70 service members were unable to proceed with pending transfer requests for several months.
In addition to the financial costs of dealing with an attack, the long-term damage done to a business’s reputation may be irreversible.
How can I prevent SQL injection attacks?
Unless you’re a web developer, you can’t. SQL injection doesn’t target you directly, so there’s no way for you to detect, counter, or block an attack. And you won’t know if you’re using a compromised site until the effects reveal themselves later.
Preventing SQL injection attacks is the responsibility of those who maintain the websites you use. But you’re not completely powerless when it comes to fighting SQLI. Start right now by heading over to our free Avast Hack Check tool to see if any of your website login credentials have been leaked. If so, change your password on that site immediately.
Use Avast Hack Check to find out if any of your login credentials have been leaked.
Since many SQL injection attacks are used to steal user data, Hack Check is one way to reduce your risk if your data is ever caught up in one.
So, how can I avoid SQL injection?
While you can’t prevent SQL injection attacks from taking place, you can reduce your chances of being affected and mitigate the effects if you do ever get caught by one. Make the following safe browsing habits part of your internet routine:
-
Don’t give your personal info to shady websites. Instead, ensure that you’re entering sensitive data only on trusted websites that have strong security measures in place. Even this isn’t a foolproof guarantee that you’ll avoid getting caught by SQL injection, but it’s a start.
-
Stay abreast of tech security news. Companies will announce if and when their databases are breached by hacking attacks. Stay aware of any news regarding the websites you use, and if you come across an SQLI story, change your login credentials ASAP.
-
Practice good password habits. You can reduce your risk by using unique passwords for every account you have. Follow good password-creation practices to stay a step ahead of the hackers.
-
Use a password manager. Many password managers will alert you if a website you use has been compromised. If so, you’ll be able to quickly change from one unique, hard-to-crack password to another. Get a manager that provides cross-platform functionality so you can have your passwords on all your devices.
-
Use antivirus software. A reliable antivirus tool can protect your device against a wide range of threats, including malicious websites.
Get comprehensive digital security with Avast One
Your browser isn’t going to know if you’ve visited a website compromised by SQL injection, but you don’t have to act alone in the ongoing battle against cybercriminals. It’s time to call in the cavalry.
Avast One equips you with real-time cybersecurity on multiple fronts to protect you against all kinds of online threats. It’ll fortify your network with a firewall and monitor your device for vulnerabilities including outdated software, suspicious apps, phishing attempts, and of course, any traces of malware.
Take your digital security to the next level with the antivirus provider trusted by over 400 million users worldwide.