Ethical Hacking - Interview Questions
What Is an SQL Injection Attack?
SQL Injection (SQLi) is a common attack vector that allows an attacker to execute malicious SQL statements against the backend database, either to manipulate its contents or to interfere with the queries an application makes to it. Attackers exploit SQL Injection vulnerabilities to bypass login and other application security controls. Put simply, SQL Injection lets an attacker access data they would normally be unable to retrieve. This data may include private details about customers, sensitive company data, or user lists.
 
An SQL Injection attack is based on the "injection", or insertion, of a SQL query through input data sent from the client to the application. SQL Injection is typically thought of as an attack vector against websites; however, it can be used to attack any SQL database that is reachable through an application. A successful SQL Injection exploit can read sensitive information from the database, modify its data (Insert, Update, and Delete), retrieve the contents of a given file on the DBMS file system, obtain administrative control of the database server (including shutting down the DBMS), and in some situations issue commands to the operating system.
 
In short, a successful SQL Injection attack can result in any of the following:
 
* Altering or corrupting data
* Exfiltrating or stealing data
* Bypassing authentication
* Changing database permissions
* Deleting data
* Running arbitrary code
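The mechanism described above, and the parameterised query that prevents it, are shown in the added example below. This is illustrative code written for this page, not code from the original article or from EC-Council; it assumes Python 3 with the standard-library sqlite3 module, and the users table and its rows are constructed sample data. The point it demonstrates is the difference between input that becomes part of the SQL text (injectable) and input that is passed to the driver as a separate value (not injectable).

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original page).
USERS = [
    ("alice", "alice@example.test", "user"),
    ("bob", "bob@example.test", "user"),
    ("carol", "carol@example.test", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The injectable pattern: user input is spliced into the SQL text, so a
    quote character in the input changes the structure of the query itself."""
    query = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: a parameterised query. The SQL text and the value
    travel separately, so the input is only ever compared as a string against
    the username column and is never parsed as SQL."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a hostile input and return row counts."""
    conn = make_db()
    benign = "alice"
    # Constructed attacker-style input: the leading quote closes the string
    # literal, OR 1=1 makes the WHERE clause true for every row, and the
    # trailing -- comments out the rest of the original query.
    hostile = "' OR 1=1 --"
    results = {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),   # 1 row
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)), # every row
        "safe_benign": len(lookup_safe(conn, benign)),               # 1 row
        "safe_hostile": len(lookup_safe(conn, hostile)),             # 0 rows
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable lookup returns the whole table for the hostile input because the input rewrote the WHERE clause; the parameterised lookup returns nothing because it searched for a user literally named `' OR 1=1 --`. The same distinction applies to every driver and language: the fix is to keep SQL text constant and pass all user-controlled values as bound parameters (or through an ORM that does so), not to filter quote characters.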

According to Akamai's report, SQL Injection currently represents about 65.1 percent (almost two-thirds) of all web application attacks, which is 44 percent above the share of web application layer attacks that SQLi represented in 2017. That so many web applications still have SQL Injection vulnerabilities indicates the fairly limited attention given to security during the application development phase.

Source: EC-Council