Database injections (such as SQL injections) occur in an application when the application retrieves data from a user or a third-party service and
inserts it into a database query without sanitizing it first.
If an application contains a database query that is vulnerable to injections, it is exposed to attacks that target any database where that query is
used.
A user with malicious intent is able to modify the existing query to change its logic to a malicious one.
After creating the malicious request, the attacker can attack the databases affected by this vulnerability without relying on any
pre-requisites.
What is the potential impact?
In the context of a web application that is vulnerable to SQL injection:
After discovering the injection, attackers inject data into the
vulnerable field to execute malicious commands in the affected databases.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Identity spoofing and data manipulation
A malicious database query enables privilege escalation or direct data leakage from one or more databases. This threat is the most widespread
impact.
Data deletion and denial of service
The malicious query makes it possible for the attacker to delete data in the affected databases.
This threat is particularly insidious if the
attacked organization does not maintain a disaster recovery plan (DRP).
Chaining DB injections with other vulnerabilities
Attackers who exploit SQL injections rely on other vulnerabilities to maximize their profits.
Most of the time, organizations overlook some
defense in depth measures because they assume attackers cannot reach certain points in the infrastructure. This misbehavior can lead to multiple
attacks with great impact:
- When secrets are stored unencrypted in databases: Secrets can be exfiltrated and lead to compromise of other components.
- If server-side OS and/or database permissions are misconfigured, injection can lead to remote code execution (RCE).
