2. SQL Language:
"SQL" stands for Structured Query Language. It is a
programming language used to manage databases. In
essence, it is used whenever a website needs to fetch a piece
of information from its database, either to process it or to
present it to a user.
3. SQLi:
SQLi stands for Structured Query Language injection. SQL
is used to execute queries against a database to retrieve data
from it. A malicious insertion attack on a database that
uses SQL code to access information that was not intended
to be displayed is known as SQL injection.
6. Working explained:
Whenever you try to log in to your account on any
website, it sends a query to the database asking whether there
is any user 'abc' with password 'xyz' registered in the
system. If the data matches the database content, you are
granted access.
8. Note:
Note that the single quote character is part of the SQL syntax and is not
typed by the user.
9. What can SQL injections do?
Identify software and version information.
Determine hardware version.
Get a list of database tables.
Create new system admin accounts.
Delete existing accounts.
Steal or manipulate users' login information and other confidential data.
It allows a hacker to exploit security flaws (vulnerabilities) of a website
and perform data breaches.
It can also give access to credit card numbers and passwords on unprotected
sites, which leads to other cybercrimes such as credit card fraud or
identity theft.
10. SQLi Facts:
Over 15 years after it was first publicly disclosed, SQL
injection is still the number one threat to websites.
In 2012 a representative of Barclaycard claimed that 97%
of data breaches are a result of SQL injections.
Even the official United Nations website in 2010 fell
victim to a SQL injection attack.
11. Preventive measures:
We have all heard the common saying:
"Prevention is better than cure"
And so it is. There are many preventive measures we can take
in order to protect ourselves from the hazards of SQL injection.
We can hire penetration testers to test for flaws in our website or
software.
We may ask a white-hat hacker to find vulnerabilities in our system and
fix them.
One easy and quick way to check whether your websites and web
applications are vulnerable to SQL injection is to scan them with
an automated web application security scanner such as Netsparker.
You can then fix the security lapses found in your system.
12. Preventive measures:
Use NoSQL database systems such as MongoDB or CouchDB instead of
a relational SQL database.
Another step is input validation (a.k.a. sanitization), which
is the practice of writing code that can identify illegitimate user
input.
A web application firewall (WAF) is also commonly employed to filter
out SQLi.
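The login check described in slide 6 and the input-handling advice above, as an added example that is not part of the original slides: a query built by pasting user input into the SQL text, beside the same check written with query parameters. The table, user names and passwords are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two test users (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Passwords are stored in plain text only to keep the example short;
    # a real system stores a salted password hash instead.
    conn.execute("INSERT INTO users VALUES ('abc', 'xyz')")
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'secret')")  # name O'Brien
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    """The quotes are SQL syntax; user input is pasted between them as text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + user
           + "' AND password = '" + pw + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_safe(conn, user, pw):
    """Placeholders: the driver passes the values separately from the SQL text,
    so a quote inside the input is always data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone()[0] == 1


def demo():
    """Run both versions against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {
        "vuln_ok": login_vulnerable(conn, "abc", "xyz"),
        "safe_ok": login_safe(conn, "abc", "xyz"),
        "safe_wrong_pw": login_safe(conn, "abc", "nope"),
        "safe_quote_user": login_safe(conn, "O'Brien", "secret"),
    }
    try:
        login_vulnerable(conn, "O'Brien", "secret")
        results["vuln_quote_user"] = "ran"
    except sqlite3.OperationalError:
        # The apostrophe in the name closed the string literal early, so the
        # rest of the input was parsed as SQL: exactly the point of slide 8.
        results["vuln_quote_user"] = "syntax error"
    return results
```

The parameterized version accepts a legitimate name containing an apostrophe, while the concatenated version cannot tell that quote apart from its own syntax.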
13. Further Info:
There are many tutorials available on YouTube about "How to perform
SQL injections".
You may want to check out the following:
SQL injection - Step by Step by Neo.
( https://www.youtube.com/watch?v=fzIbCHI739s&pbjreload=10 )
SQL injection explained by 7safe.
( https://www.youtube.com/watch?v=PB7hWlqTSqs )