An SQL injection is a broad term referring to the exploitation of a bug on a website, that allows an attacker to run malicious SQL statements (commonly referred to as a malicious payload) on your database server. These attacks can have many purposes:
- They can be destructive, e.g. by deleting your data
- They can leak private information to attackers
- They can be used to attack your clients.
A SQL injection is the most prevalent means of attacking a web application today with an estimated 32% of web applications today being vulnerable. In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement, “It’s about breaking out of the datacontext and entering the query context.” This allows an attacker to insert a malicious payload that will be included as part of the SQL query and run against the database server.
# Define POST variables uname = request.POST['username'] passwd = request.POST['password'] # SQL query vulnerable to SQLi sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’” # Execute the SQL statement database.execute(sql)
Above is an example of a simple script used to authenticate a user with a username and password against a db using a table named users and a username and password column. This script is vulnerable to SQL Injection because an attacker can submit malicious input that would alter the SQL statement being executed by the db server.
A classic example of an SQL Injection payload is the simple password’ OR 1=1 argument.
By running the below query we are saying: “select the ID from the users table where the username is ‘username’ and the password is ‘password’ OR if 1 is equal to 1. Of course 1 is always equal to 1 so the query will return as ”TRUE” .
SELECT id FROM users WHERE username=’username’ AND password=’password’ OR 1=1’
Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass logging the attacker in with the first account from the query result (usually of an administrative user).
The two-primary means of SQL injections are:
IN-BAND / CLASSIC: Whereby attackers insert a query that runs something, or fetches information and gives it to us.
BLIND INJECTION: Attackers use a Boolean approach to tell if something is true, or if a command can be run.
How does the Snapt WAF protect you?
A web application firewall operates on HTTP and HTTPS traffic, ensuring it is free of threats to both your users, and specifically your servers. It decides what traffic to let through, and what to block.
- Intelligent scanning of HTTP/S requests as they come through the WAF
- Rate and session limiting to protected locations and servers
- Blacklisting, whitelisting, shared blacklists, GeoIP, etc
Who should consider a WAF?
You are wanting to protect yourself against unknown or unanticipated threats. Examples include 0-day exploits, exploits in your own application, outdated applications, and more. No system is ever foolproof. Web firewalling is about adding another layer of protection to business-critical functionality, and makes up an important part of PCI security standards.