SQL injection and cross-site scripting: The differences and attack anatomy

Cyberattackers are always on the lookout for any potential vulnerability that can be exploited by multiple tactics and techniques like phishing, brute force attack, malware injection, social engineering, web hacking and more to fulfill their malicious intentions and bring organizations and businesses to a standstill.

In this blog we will shed light on two of the most common yet popular web hacking techniques among hackers: SQL injection attack and cross-site scripting (XSS).

SQL injection attack

SQL injection is a common and prevalent method of attack that targets victims' databases through web applications. It enables cyberattackers to access, modify, or delete data, and thus manipulate the organization's databases. For any organization, data is one of the most critical and valuable assets, and an attack on its database can wreak havoc on the entire business.

Data can include customer records, privileged or personal information, business-critical data, confidential data, or financial records of an organization.

According to MITRE ATT&CK, cyberattackers often exploit public-facing applications to gain the initial foothold within an organization's network. These applications are generally websites but can also include databases like SQL.

How does a SQL injection attack work?

An SQL injection attack is carried out through the following steps:

1. An attacker researches the targeted database.
2. The attacker identifies vulnerabilities in the webpage or application to exploit. One example of an SQL vulnerability is insufficient user input validation. The attacker can create and submit their own input content by exploiting this vulnerability.
3. They further create malicious SQL inputs and inject them into the standard SQL queries.
4. This enables the attacker to carry out nefarious and malicious actions on the web application and exploit the database. They then can extract confidential information, bypass security controls, modify records, or delete the entire database.

Cross-site scripting

Cross-site scripting (XSS) attack is a popular attack technique used by hackers to target web applications. Here, the attackers inject malicious client-side scripts into a user's browsers or web pages, allowing them to download malware into the target user's system, impersonate the target, and carry out data exfiltration, session hijacking, changes in user settings, and more.

According to MITRE ATT&CK, cross-site scripting is an example of a drive-by compromise technique used by adversaries to gain initial access within the network. The technique aims to exploit website vulnerabilities through malicious client side scripts or code. This provides them with access to systems on the internal network and also allows them to use compromised websites to direct the victims to malicious applications meant to steal and acquire Application Access Tokens (used to make authorized and legitimate API requests on behalf of users/services to access resources in cloud or SaaS applications).

How does an XSS attack work?

An XSS attack is carried out through the following steps:

1. The attacker exploits the vulnerabilities of a website, such as using its form to inject a malicious script into the website's database.
2. The malicious script gets saved in the database of the vulnerable website.
3. The victim user requests a webpage from the website.
4. The website database includes the malicious script in response to the requested webpage and sends it to the victim user.
5. The malicious script gets activated every time the victim user performs any action on the webpage or visits the compromised website.
6. The malicious script sends the victim's private data (such as session cookies) to the attacker's server.

Types of XSS attack

XSS is broadly categorized into three types, which are:

1. Reflected XSS: The victim user (client) unknowingly sends a malicious script (payload) as part of the regular request to the vulnerable web application or website (server). As a response, the application will return the malicious script to the victim user, which upon loading, will execute the malicious script. Since the malicious script gets reflected back from the server to the client, it is called a reflected XSS.
2. Stored XSS: The attacker stores payload into the compromised servers, which gets delivered as and when the user visits the website. Since the malicious script is stored in the web application, it is called a stored XSS.
3. DOM-based XSS: The attacker exploits the vulnerability of those applications using a Document Object Model (DOM)—a programming web interface for web pages.

The attacker injects the malicious script in the DOM through a URL for instance, and when the user performs any action on that page or visits the page through that URL, the application updates the DOM to execute the malicious script.

Differences between SQL injection and XSS attack

Even though both SQL injection and XSS attack are common web hacking techniques, there are a few key differences between the two.

Although SQL injection and cross-site scripting attack continue to be popular among attackers, continuous monitoring, testing, and deploying the best preventive measures will help organizations keep their websites from becoming prey to such attacks and neutralize any threats preemptively.