A while back, I made a post about a LinkedIn password dump that let hackers gain access to Mark Zuckerberg’s Twitter account. We don’t know how the hackers got their hands on the millions of LinkedIn passwords, but it got me thinking about a type of attack that is much more common than it should be, and one you should take care to avoid if you run a web application. This attack is commonly known as an SQL injection (often pronounced “sequel injection”), and it uses something as harmless as your search bar to reach the web application’s database.
SQL stands for Structured Query Language and is essentially how most programs talk to databases. It dates back to 1974, the prehistoric era as far as web computing is concerned, and it is still very good at its job despite its age. It’s a simple language to use and works well alongside many other languages, such as PHP. PHP is an incredibly powerful and intuitive programming language, but unfortunately not the safest. It is one of the most widely used languages for web applications, with Facebook, Yahoo, and Wikipedia all having been coded in it at one point. However, it does not come with any built-in security, and hackers can easily get into badly built web applications to pull out information you definitely would not want them to have.
Here’s how it works. A typical SQL query looks something like this:
SELECT ? FROM ? WHERE ? LIKE 'QUERY';
Let me explain what I just typed out. Let’s pretend that I own a badly made online store for craft supplies. If I wanted to see the store’s selection of popsicle sticks, I would use its search bar to search for popsicle sticks, and it would give me the name of the item (popsicle stick), the price of the item ($12.99), and the quantity of the item (500). The term I type into the search bar is what PHP sends to the site’s database as an SQL query: it selects an item (I don’t know what, hence the question mark) from a table (again, I don’t know which table) where some column (another mystery) is like my query. Hence, I get a result. I can also type in a term like “opsicle stic” and still get the result I want, which means there are wildcards on either side of the term, making the SQL query look something like this:
SELECT ? FROM ? WHERE ? LIKE '%POPSICLE STICK%';
As a hacker who doesn’t have access to the back-end code, I can only manipulate what’s inside the quotation marks. So, what would happen if I entered just a quotation mark as my search query? If the website isn’t coded to guard against it, the SQL query will look something like this:
SELECT ? FROM ? WHERE ? LIKE '%'%';
The database treats the quotation mark we entered as the closing quote of the search string, and doesn’t know what to do with the three characters that follow it. This returns an error, even though a product in a craft supplies shop can legitimately have a quotation mark in its name, for example something like Burt’s Pipe Cleaners. Here’s how a hacker can abuse it. If you add a semicolon and then a comment marker (two dashes followed by a space in MySQL, for example) to comment out the rest of the query, it becomes:
SELECT ? FROM ? WHERE ? LIKE '%';-- %';
The comment swallows the tail of the original query, so the database is asked only for a bare wildcard, meaning everything. A hacker can now use this trick (which, again, is relatively easy to prevent) to push their own commands through PHP to the database and reach sensitive information. Here’s an example: let’s say the hacker wants to put a timer on the response the website gives out. If they know the site uses MySQL, for example, they can submit a search of
popsicle stick' AND 1 = SLEEP(2);-- 
to make an SQL query of
SELECT ? FROM ? WHERE ? LIKE '%popsicle stick' AND 1 = SLEEP(2);-- %';
which makes the database pause for two seconds each time that condition is evaluated.
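To make the difference concrete, here is an added example (not code from the original post) that builds the store’s search query both ways: pasted together the way the post describes, and with a bound parameter, which is the fix the post alludes to. It runs against a constructed in-memory SQLite store rather than MySQL, and SQLite has no SLEEP(), so the timing payload is left out; the quote-breaking and comment tricks behave the same way. The product list, table name and function names are made up for this example.

```python
import sqlite3

# Constructed sample inventory for the imaginary craft-supply store.
PRODUCTS = [
    ("popsicle stick", 12.99, 500),
    ("Burt's Pipe Cleaners", 4.50, 120),
    ("glitter glue", 3.25, 80),
]


def open_store() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the store's MySQL back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, qty INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The query built the way the post describes: the user's text is pasted
    between the quotes, so a quote in the input ends the string early and
    whatever follows is parsed as SQL."""
    sql = "SELECT name, price, qty FROM products WHERE name LIKE '%" + term + "%';"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same search with a bound parameter: the driver hands the term to the
    database as data, so quotes, semicolons and comment markers never reach
    the SQL parser. (A user-supplied % or _ still acts as a LIKE wildcard,
    which is a separate concern from injection.)"""
    sql = "SELECT name, price, qty FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def compare(term: str) -> dict:
    """Run both versions on the same input and report what each returned.
    The vulnerable version may raise a SQL error; that is reported as a string."""
    conn = open_store()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        vulnerable = f"SQL error: {exc}"
    safe = search_safe(conn, term)
    conn.close()
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # A normal partial search, a lone quote, the comment trick, and a
    # legitimate product name containing an apostrophe.
    for term in ("opsicle stic", "'", "';-- ", "Burt's"):
        print(repr(term), compare(term))
```

Run stand-alone, the output shows the vulnerable version erroring on a lone quote (and on the legitimate name Burt’s Pipe Cleaners), returning the whole table for the comment trick, and behaving correctly only for plain text, while the parameterised version returns sensible results for every input.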
Hopefully, this helped you understand just how easy an SQL injection really can be. Just remember that hackers don’t usually go after big targets; it’s much easier to catch a smaller fish that doesn’t care as much about its web app security, and that could be you.