SQL injection (SQLi) is a frequent topic on this blog – it refers to an injection attack that allows an attacker to execute malicious SQL statements that allow the attacker to control a web application’s database server.
Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
An attacker taking advantage of an SQLi vulnerability is essentially exploiting a weakness introduced into the application through poor web application development practices. This allows attackers to send SQL commands to the web application, allowing them to gain unauthorized access to data held in the backend database.
By leveraging an SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.
To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.
While SQLi is mostly used to steal data from the database, the vulnerability can be escalated further, especially if the permissions on the database are not correctly configured. For example, the attacker can inject a query that causes some tables to be deleted from the database, effectively causing a DoS attack.
An attacker can also potentially deploy a web shell onto the server and subsequently take over the server, and even pivot into other systems as a result of SQLi.
So, we established SQLi is a major threat to any web application not properly handling user input to SQL statements to the database, but how common is the vulnerability?
In our latest Web Application Vulnerability Report we registered a 3% drop in SQL injection from the previous year. The fact that SQL injection is slowly receding is good news for defenders — it means that all the effort poured in by educators in the field is starting to bear fruit. This being said, at 23% of sampled targets being vulnerable to SQLi, we are certainly nowhere near casting it away into the history books.
This post contained excerpts from the 2016 Acunetix Web Application Vulnerability Report. For more stats and coverage on web application vulnerabilities in 2016, download the report for free.