SQL injection

SQL injection is a technique in which an attacker inserts a malicious SQL statement into an input field of a web application so that the database executes it (e.g. to dump the database contents to the attacker).

SQL injection attacks allow attackers to spoof identity, tamper with existing data, disclose all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

It was listed among the top 10 web application vulnerabilities by OWASP in 2007 and 2010, and injection was rated the number one risk in the OWASP Top Ten in 2013.

The sub-classes of SQL injection are:
1. In-band or Classic SQL Injection
2. Inferential or Blind SQL Injection
3. Out-of-band SQL Injection

(I). Classic SQL Injection: This is the most common and easiest to exploit class of injection attack. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather the results.

There are two types of classic SQL injection techniques:

Error-Based SQL injection: This technique relies on the error messages thrown by the database server to obtain information about the structure of the database.

Union-Based SQL injection: A UNION attack allows an attacker to easily extract information from the database. Because the UNION operator can only be used if both queries have the same structure, the attacker crafts a SELECT statement whose structure matches the original query.

(II). Blind SQL Injection: It may take longer for an attacker to exploit; however, it is just as dangerous as any other form of SQL injection. Here no data is actually transferred via the web application, and the attacker is not able to see the result of the attack in-band. Instead, the attacker reconstructs the database structure by sending payloads and observing the web application's response and the resulting behaviour of the database server.

There are two types of Blind SQL injection techniques:

Boolean-based Blind SQL Injection: This relies on sending a SQL query to the database which forces the application to return a different result depending on whether the query evaluates to TRUE or FALSE.

Depending on the result, the content of the HTTP response will change or remain the same. This allows an attacker to infer whether the payload evaluated to true or false, even though no data from the database is returned. This attack is typically slow, since the attacker needs to enumerate the database character by character.

Time-Based Blind SQL Injection: This relies on sending a SQL query to the database which forces the database to wait for a specified amount of time before responding. The response time indicates to the attacker whether the result of the query is true or false.

Depending on the result, the HTTP response is either returned with a delay or returned immediately. This allows an attacker to infer whether the payload evaluated to TRUE or FALSE, even though no data from the database is returned. This attack is typically slow, since the attacker needs to enumerate the database character by character.

(III). Out-of-Band SQL Injection:
Out-of-band SQL injection is not very common, mostly because it depends on specific features being enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather the results, and instead relies on a separate channel for the data to be returned.
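As an added example (not part of the original page), the following Python script contrasts a lookup built by string concatenation with a parameterized one, using a constructed in-memory SQLite table in place of a web application's database. It shows how a Boolean-style payload of the kind described under Classic and Blind SQL injection changes the result of the concatenated query while the parameterized query treats the same input as a plain value.

```python
import sqlite3


def make_db():
    """Constructed sample database: a products table with an unreleased row
    that the application intends to hide (assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, released INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Prototype", 0)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by concatenation: user input becomes part of the SQL."""
    sql = "SELECT name FROM products WHERE name = '" + name + "' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: it can only ever be compared as a value."""
    sql = "SELECT name FROM products WHERE name = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    # Boolean-style input: the tautology makes the WHERE clause match every row,
    # and the trailing SQL comment (--) discards the "released = 1" restriction.
    untrusted = "Widget' OR '1'='1' --"
    leaked = lookup_vulnerable(conn, untrusted)    # every row, including the unreleased one
    safe = lookup_parameterized(conn, untrusted)   # no product has that literal name: []
    return sorted(leaked), safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", safe)
```

The defender's takeaway is the second function: with bound parameters the database never parses user input as SQL, which removes the whole class regardless of which sub-type (error, union, boolean or time based) an attacker would otherwise use.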
