SQL Injections: Attacking the Heart of Your Site

Tobias Schüring Last updated 15.01.2020

Alongside brute-force attacks, WordPress SQL injections appear again and again on the list of the biggest dangers for WordPress sites. They are comparatively simple manipulations of the queries your site sends to its database. This is how attackers get at sensitive data or create admin accounts for themselves, after which they can manipulate your site at will. We show how the attack works and why it is so dangerous.

March 2008: hackers (including a real mastermind, by the way) obtain 134 million credit card details from the American company Heartland Payment Systems. Mid-2016: suspected Russian hackers gain access to the database of registered voters of the Illinois State Board of Elections; something similar happens in Arizona. February 2017: data from 65,000 user accounts is stolen from the American gun seller Airsoft GI. March 2017: suspected Chinese hackers obtain the personal data of 4,000 customers of a Korean app and send text messages, some of them obscene, to the victims.

All these attacks have one thing in common: behind them is a relatively easy-to-execute technique called SQL injection. With it, attackers gain access to the database and thus to all user data of a site. SQL injections are therefore considered one of the greatest dangers for website operators, and especially for webmasters who work mainly with WordPress.

And since WooCommerce at the latest, larger and more complex shops can be run on WordPress without any problems, so it is important to understand the risk of WordPress SQL injection and how the attack works.

How "dangerous" are WordPress SQL Injections?

The "dangerousness" of a WordPress hack cannot be captured in a single indicator. At least two aspects have to be considered: the probability that your own WordPress project falls victim to such an attack, and the damage a successful hack can cause.

With brute-force attacks, for example, the number of attacks per month is so high (in some cases over 1 billion measured attacks, plus an estimated number of unreported cases) that one can safely say every WordPress project is sooner or later targeted by one. The damage a successful hack can cause is manifold; in most cases, brute-force attacks serve to hijack websites and integrate them into a botnet. Cross-site scripting, on the other hand, occurs much less frequently but is primarily used to infect websites with malicious code.

The non-profit organization Open Web Application Security Project (OWASP) regularly publishes a top-10 list of the biggest security risks for web applications. Injection flaws, of which SQL injection is the best-known example, have occupied first place in every edition since 2010, including the (at the time still preliminary) list for 2017.

The non-profit organization OWASP regularly publishes a top-10 list of the greatest security risks for web applications. Injection, with SQL injection as its best-known form, occupies first place here.

In fact, SQL injections are here to stay. The technique has been known for more than 15 years. And according to Akamai's State of the Internet Security Report for 2017, the frequency of SQL injection attacks has increased 28 percent since the first quarter of 2016. In the first quarter of 2017, SQL injection was the most common web application attack, accounting for 44 percent of the attacks measured.

In the first quarter of 2017, SQL injection was the most common web application attack, accounting for 44% of attacks, according to Akamai's 2017 State of the Internet Security Report.

Wordfence, maker of a security plugin for WordPress, concludes that SQL injections pose a particular danger for WordPress users. Its analysis of nearly 1,600 plugin vulnerabilities reported over a 14-month period clearly shows that SQL injection is the second most common vulnerability type found in WordPress plugins.

The graph shows that SQL injections are the second most common security risk of all for WordPress sites.

With all these numbers you have to keep in mind that the number of unreported cases is much higher: SQL injection attacks are often not even noticed and therefore do not appear in any statistics.

The numbers show that, after brute-force attacks and XSS vulnerabilities, WordPress SQL injections are among the most common attack types. In addition, they target a particularly sensitive part of your site: the database. For shop owners in particular, these attacks are an existential threat. It is therefore important to understand how they work and what you can do against them.

WordPress SQL injections target the heart of your site: the database

To understand how SQL injection works, you need to understand how WordPress is fundamentally built. If you already know this, you can safely skip this section.

The database is the basis of every WordPress installation: all content is stored there. The CMS itself then makes it possible to display and edit this content. WordPress keeps its data in a MySQL (or MariaDB) database. SQL stands for Structured Query Language, the language used to define structures in a relational database and to insert, query, modify and delete data.

Every time you write an article, create a new category, change your password or even when your users write a comment, this new data is stored in the database. So this is where every single piece of content on your website resides.

Whenever a visitor requests certain content, WordPress pulls the appropriate data from the database, assembles it with PHP and creates an HTML document that is finally delivered to the visitor's browser. The visitor sees nothing of the processes that take place up to that point.

SQL injections smuggle foreign SQL commands into the queries sent to your database

Even if you never work directly with the database, but only with the WordPress backend: The database is the heart of your website.

But as I said: your users are also able to enter data into the database. Writing a comment, creating a user account, filling out and submitting a contact form: all these actions generate data that ends up in the database.

But what if someone uses this indirect access to your database to smuggle in not data but SQL commands of their own? That is an SQL injection: the input is not stored as harmless text, it becomes part of the query that WordPress sends to the database.

The idea behind it is not even particularly complicated. If no protective measures are in place, the attacker only has to enter SQL code into a form field (for example when writing a comment or logging in). This input contains characters that have a special meaning for the SQL interpreter, the component of the database that parses and executes SQL statements. Such special characters, called metacharacters, include the quote characters ' and ", the statement separator ;, the escape character \ and the comment sequences -- and #.

The CMS treats the input as harmless data and, as usual, builds it into the SQL statement it sends to the database, for instance to save the comment. Because the input was simply pasted into the query text, a quote character ends the string literal the application intended, and the SQL interpreter parses everything that follows as part of the command. The attacker's SQL then runs with the same privileges as WordPress's own queries.
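To make the mechanism concrete, here is an added example in Python against an in-memory SQLite database; it is not code from this article or from WordPress. The table names, sample rows and payloads are constructed for the illustration, and the password hashes are placeholders. The functions marked vulnerable build their SQL by string concatenation, exactly the situation described above; the hardened ones pass the same input as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for a WordPress users table.
# The hashes are placeholders, not real password hashes.
SAMPLE_USERS = [
    (1, "admin", "$P$B-placeholder-admin-hash", "admin@example.com"),
    (2, "editor", "$P$B-placeholder-editor-hash", "editor@example.com"),
]


def make_db():
    """In-memory SQLite database with a users and a comments table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, user_email TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, "
        "comment_author TEXT, comment_content TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, login):
    """Vulnerable: the visitor's input is pasted into the SQL text, so a quote
    ends the string literal and everything after it is parsed as SQL."""
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Hardened: the statement is fixed and the value is bound as a parameter,
    so the input is only ever data, never part of the command."""
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


def save_comment_vulnerable(conn, author, content):
    """Vulnerable INSERT: an apostrophe in a name already breaks the statement;
    a crafted one rewrites it."""
    sql = ("INSERT INTO wp_comments (comment_author, comment_content) VALUES ('"
           + author + "', '" + content + "')")
    conn.execute(sql)
    return conn.execute("SELECT comment_author, comment_content FROM wp_comments").fetchall()


def save_comment_safe(conn, author, content):
    """Hardened INSERT with bound parameters: the apostrophe is stored as text."""
    sql = "INSERT INTO wp_comments (comment_author, comment_content) VALUES (?, ?)"
    conn.execute(sql, (author, content))
    return conn.execute("SELECT comment_author, comment_content FROM wp_comments").fetchall()


def demo():
    """Runs the same inputs through the vulnerable and the hardened functions."""
    conn = make_db()
    results = {}
    # 1. Normal input: both versions behave identically.
    results["normal"] = (find_user_vulnerable(conn, "editor"), find_user_safe(conn, "editor"))
    # 2. Authentication-bypass payload: the injected OR makes the WHERE clause always true.
    bypass = "' OR '1'='1"
    results["bypass_vulnerable"] = find_user_vulnerable(conn, bypass)
    results["bypass_safe"] = find_user_safe(conn, bypass)
    # 3. UNION payload: pulls password hashes out through a query meant to return
    #    login names; the trailing "--" comments out the quote the application appends.
    union = "x' UNION ALL SELECT ID, user_pass FROM wp_users --"
    results["union_vulnerable"] = find_user_vulnerable(conn, union)
    results["union_safe"] = find_user_safe(conn, union)
    # 4. A harmless apostrophe in a commenter's name: the concatenated INSERT
    #    no longer parses, which is the same behaviour an attacker exploits.
    try:
        save_comment_vulnerable(conn, "O'Brien", "Nice post")
        results["comment_vulnerable"] = "stored"
    except sqlite3.OperationalError as err:
        results["comment_vulnerable"] = "syntax error: " + str(err)
    results["comment_safe"] = save_comment_safe(conn, "O'Brien", "Nice post")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script shows three things: a normal login name behaves the same in both versions; the payloads `' OR '1'='1` and `x' UNION ALL SELECT ...` turn the concatenated query into one that returns every user or every password hash, while the parameterised query returns nothing; and even the innocent name O'Brien breaks the concatenated INSERT with a syntax error. One caveat: the example deliberately avoids stacked statements such as `'; INSERT INTO wp_users ...`, because whether those run depends on the database driver. A single mysqli_query() call, which WordPress's wpdb uses, executes only one statement, so attackers typically reach the same goals through UNION or blind techniques instead. In WordPress plugin code the equivalent of the hardened functions is passing values through $wpdb->prepare() rather than concatenating them into $wpdb->query() or $wpdb->get_results().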

By the way, the same applies to SQL injections as to brute-force attacks: there is hardly ever a lone hacker sitting at a computer and manually typing payloads into forms. These attacks also run via automated botnets that scan thousands of websites simultaneously for vulnerabilities and strike where they find one.

What can happen now?

  • The attacker bypasses authentication mechanisms or assumes the identity of an existing user to gain access. If they go on to create a new admin account for themselves, this is also referred to as privilege escalation.
  • In this way they can read, change or delete data. This is especially critical if you run an online shop and hold your customers' payment data.
  • They can take control of your entire website and web space, for example by logging in as admin and gaining access to your backend. A hacker then has full control over your site and can abuse it as a spam sender, inject malicious code or add it to a botnet.

Conclusion: especially because of the automation, WordPress SQL injections are very dangerous

WordPress SQL injections are among the most dangerous attacks of all. They are easy to perform, mostly automated and can cause massive damage. For shop operators in particular, the danger posed by SQL injections is existential.

It is therefore important to protect your site accordingly: user input must be validated and sanitized, and values must be escaped, or better still passed to the database as bound parameters, before they end up in a query, so that they can never be executed as commands. This process, known as data validation and sanitization, is covered in detail in the WordPress Codex, for example. In one of the following articles we will go into this topic in more depth and show you how to stop malicious input from ever reaching your database as SQL.

Comprehensive security plugins also help here in principle, because they are particularly good at blocking the automated attacks on your sites that underlie many hacks.

As a system administrator, Tobias watches over our infrastructure and finds every possible way to optimize the performance of our servers. His tireless efforts mean he can often be found on Slack in the early hours.

Comments on this article

An

Great article Tobias. Now, as a web manager of shops, how can I ensure the security of the website? And most important, you asked to check user input... Can you please explain what kind of inputs need to be checked?
