What is an SQL injection cyber-attack?

An SQL injection could cause significant damage to your computer systems and cost your business thousands. Here is how they work and how to guard against them.

What is it?

A Structured Query Language (SQL) injection is a type of injection attack in which malicious SQL is smuggled into a query so that it is executed against your database.

An SQL attack is when a hacker uses SQL commands to access and interfere with your business's databases.

For example, in 2019 a SQL vulnerability was detected in the duplicate page WordPress plugin leaving over 800,000 websites exposed.

SQL injections (SQLi) can be used to target websites that use an SQL database and then:

  • Edit or delete your data
  • Retrieve hidden data that should be inaccessible e.g. customer data

Some of the most commonly used databases include:

  • Oracle
  • MySQL
  • SQL Server
  • SQLite
  • MongoDB
  • PostgreSQL

So, if your business uses any of these databases, for example if you take online bookings on your website and store them this way, you’ll need to take stringent prevention measures to ensure they’re not susceptible to a cyber-attack.

Businesses that fall prey to an SQLi attack have to face significant reputational damage and loss of trust, especially if the personal information of their customers is compromised.

How do SQL injection attacks work?

An SQL injection works by hijacking an SQL database lookup to perform unauthorised functions.

This is usually when websites incorporate user inputs, for example your website login credentials, into an SQL query.

When it’s working as intended, the details your users type in are added to the SQL query and used to search the database for matching login records.

During an SQLi attack, the cyber-criminal uses this input to alter the SQL query by using another SQL command to gain access to the information stored in the SQL database.

Doing this can not only compromise the data stored in the database but reveal admin details and grant full access to the website and other privileged information the business owns e.g. customer CRM records stored in your database.

How big a problem is it?

If your business stores data using an SQL database, then you could be at risk of an attack. Hackers can target businesses of any size and in any industry.

The Open Web Application Security Project (OWASP) views SQLi attacks as one of the biggest risks to web application security. Some high-profile attacks include:

  • 2012 Yahoo Voices attack: Over 450,000 Yahoo! account details were stolen following an SQL attack in July 2012.
  • 2015 TalkTalk attack: The personal details of 156,959 TalkTalk customers were stolen in October 2015. The attack led to the telecoms giant being hit with a record £400,000 fine by the ICO.

The risk is heightened by the fact that the data under threat is often sensitive, for example financial records.

SQLi attacks are such a big problem for businesses of all sizes that many now offer a reward to ethical or white hat hackers who help them identify any vulnerabilities.

For example, in April 2019 Starbucks paid a $4,000 reward after an ethical hacker spotted a SQLi vulnerability that could have exposed the business's financial records.

Types of SQLi attacks

There are several different types of SQLi attacks, and they all work slightly differently:

  • In-band SQLi: This is where the attacker uses the same communication channel to both launch and gather the results of their attack. It is one of the most common SQLi attack methods and there are two main types, Error-based and Union-based.
  • Inferential SQLi (Blind SQLi): This is where the attacker sends commands to observe the response from the database but cannot see the data in the response itself. This type of attack takes longer but can still compromise your database. The two main types of blind SQLi attacks are called Boolean-Based and Time-Based SQLi.
  • Out-of-band SQLi: This is where the attacker cannot use the same channel to launch an SQLi attack and get the results back. This type of attack is less common and relies on certain features being enabled on the database server for it to work.

While these SQLi attacks all work differently, the result of a successful attack will be the same – compromised private user and business data.

Guarding against SQLi attacks

SQLi attacks target specific vulnerabilities in your website, so there are steps web developers can take to remove these weaknesses.

Sanitising the user input areas of your website or application can improve the security of your user inputs. You should consider:

  • Using parameterised queries: this is where the structure of the SQL query is fixed in advance and user inputs are passed to the database separately as parameters, so they are treated as data rather than as part of the query. You can read more about how to do this on the MYSQLTips website.
  • Remove potentially malicious code elements: Certain characters in user input, for example single quotes, can be used to break out of a query and leave your database at greater risk of SQLi attack; stripping or escaping them before they reach the database can help reduce your vulnerability. This is a secondary defence and does not replace parameterised queries. You can find out more about how to do this on the Acunetix website.
  • Apply updates and patches as they’re released: If any SQL vulnerabilities are found in applications or software they’re often fixed by updates or patches. Always try to keep on top of any updates, or consider a patch management tool to help you do this.
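The login scenario described under "How do SQL injection attacks work?" and the parameterised-query and quote-stripping advice above, shown side by side. This is an added example, not code from the original article: it builds a small in-memory SQLite database with constructed sample users, then runs the same login lookup three ways. The table, user names, passwords and the hostile input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database (in-memory); not from the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "battery staple", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # BAD: user input is spliced straight into the SQL text. A single quote in
    # the input closes the string literal, so the rest of the input is parsed
    # as SQL rather than compared as data.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_stripped(conn, username, password):
    # Secondary mitigation from the article: strip single quotes from input
    # before building the query. It defeats this particular input but the
    # query is still assembled from strings, so it is not a general fix.
    return login_vulnerable(conn, username.replace("'", ""), password.replace("'", ""))


def login_safe(conn, username, password):
    # GOOD: the query structure is fixed and the driver binds the values as
    # parameters, so a quote in the input is just a character in a string.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    legit = ("alice", "correct horse")
    # Constructed hostile input: the quote ends the username literal and "--"
    # turns the rest of the query, including the password check, into a comment.
    hostile = ("alice' --", "anything")
    return {
        "vulnerable_legit": login_vulnerable(conn, *legit),
        "vulnerable_hostile": login_vulnerable(conn, *hostile),
        "stripped_hostile": login_stripped(conn, *hostile),
        "safe_legit": login_safe(conn, *legit),
        "safe_hostile": login_safe(conn, *hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the concatenated query accepting the hostile input without a valid password, while the parameterised query rejects it and the quote-stripped variant happens to reject it as well. The point of the comparison is the second column: the parameterised version needs no knowledge of which characters are dangerous, because the database never parses the input as SQL.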

If you’re unsure whether your business is vulnerable to an attack, there are open-source tools you can use to test your website. Some tools you could consider include:

  • Havij
  • SQLmap
  • jSQL

You can find more help and advice for guarding against SQLi attacks on the Berkeley and eSecurity websites.

Protect your business with the right cyber cover

Even if you take the best precautions, the risk of falling victim to an SQLi attack isn’t one most businesses can eliminate entirely.

This is where having the right protection should the worst happen can make a big difference.

The right cyber insurance cover can offer invaluable support and financial protection should your business be hit by a successful SQLi attack.

You can read our guide on how cyber insurance works for a closer look at how it can protect your business, and how much does cyber cover cost for a look at the price of a decent policy.

SQL FAQs

What does SQL stand for?

It stands for Structured Query Language.

Is an SQL injection attack illegal?

Yes, the 1990 Computer Misuse Act makes unauthorised access to computer material a criminal offence.

How can I test whether my website is vulnerable?

There are lots of online assessment tools that can help test whether your website has any obvious vulnerabilities; you can find a helpful list of the top services on the DNSStuff website.

If you want an in-depth assessment of your security measures, you may need to pay for a security firm to carry out a full review of your business.

Are apps vulnerable to SQLi attacks?

They can be, because some apps use SQL databases like SQLite, so they can be susceptible to attack in a similar way to a website using an SQL database.

Does cyber insurance cover SQL attacks?

Yes, a comprehensive cyber insurance policy should include cover against an SQL attack, provided there has not been any negligence or collusion by the policyholder.

Written by Martin Lane, Head of Content
Martin is an experienced writer in the financial services sector, previously serving as Managing Editor at money.co.uk, with regular guest slots on BBC Radio 4 and features in the national press.
