Imperva research finds SQL injection attacks bypass web security.
"SQL injection is probably the most costly vulnerability in the history of software," explained Imperva CTO Amichai Shulman. "This exploit is used to great effect by the hacking community since it is the primary way to steal sensitive data from web applications. However, this issue, ironically, remains one of the least understood."
Famous breaches, including those at Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites, were carried out by hackers who used SQL injection to break into the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of its arsenal. From 2005 through today, SQL injection has been responsible for 83% of successful hacking-related data breaches. It is estimated that there are a total of 15,048,024 SQL injection vulnerabilities in active circulation today. A hacker in a forum boasted, "Finding SQLI vulnerable sites is extremely easy; all you need to do is some Googling."
By monitoring a set of 30 web applications over the last nine months, Imperva found:
* SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
* Attackers are increasingly bypassing simple defenses. Hackers are using new SQLi attack variants that evade simple signature-based defense mechanisms.
* Hackers use readily available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
* Attackers use compromised machines to disguise their identity as well as to increase their attack power via automation. To automate the attack, attackers use a distributed network of compromised hosts. These "zombies" are used interchangeably in order to defeat blacklisting defense mechanisms.
* About 41% of all SQLi attacks originated from just 10 hosts. Again, we see a pattern where a small number of sources are responsible for the majority of attacks.
To better deal with the problem, enterprises should:
* Detect SQL injection attacks using a combination of application-layer knowledge (an application profile) and a preconfigured database of attack vector formats. The detection engine must normalize the inspected input before matching, so that encoded or obfuscated variants of a known attack cannot evade it.
* Identify the access patterns of automated tools. In practice, SQLi attacks are mostly executed using automated tools. Various mechanisms exist to detect automated clients, such as rate-based policies and requiring a valid client response to challenges.
* Create and deploy a blacklist of hosts that have initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of hosts initiating SQLi is short, it is important to constantly update the list from various sources.
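The first recommendation above (and the "new SQLi attack variants" finding) turns on one step: normalizing the input before it is compared with the attack-vector database. The following is an added example written for this summary, not Imperva's engine or code from the report; its signatures, sample inputs and the names `normalize`, `naive_matches` and `detect` are all constructed. It contrasts a naive raw-input signature check with one that first URL-decodes repeatedly, strips inline comments and folds case and whitespace, which is what lets the same handful of signatures catch double-encoded and comment-split variants of one payload.

```python
"""Added example (not Imperva's code): normalize input before matching it
against a database of attack-vector signatures, so that the encoding and
comment-based SQLi variants the report mentions cannot slip past a naive
signature check. Signatures and sample inputs below are constructed."""
import re
import urllib.parse
from typing import List

# Constructed signatures of the kind an attack-vector database might hold.
# They are written against the *normalized* form: lower case, single spaces,
# no inline comments, no URL encoding.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("tautology", re.compile(r"\bor\s+\S+\s*=\s*\S+")),
    ("comment-terminator", re.compile(r"(--|#|;)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b")),
]


def normalize(raw: str, max_decode_rounds: int = 3) -> str:
    """Reduce an input to a canonical form so that variants of the same
    payload look alike to the signature matcher."""
    s = raw
    # Repeated URL-decoding undoes double/triple encoding (%2527 -> %27 -> ').
    # The round limit keeps a pathological input from looping forever.
    for _ in range(max_decode_rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # Inline comments (/**/) are a common way to split keywords; drop them.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    # Case-fold and collapse whitespace so 'UnIoN   sElEcT' == 'union select'.
    s = re.sub(r"\s+", " ", s.lower()).strip()
    return s


def naive_matches(raw: str) -> List[str]:
    """Signature check on the raw input (case-insensitive only).
    Shown for contrast: this is the 'simple signature-based defense'
    that encoded or comment-split variants evade."""
    return [name for name, rx in SIGNATURES if rx.search(raw.lower())]


def detect(raw: str) -> List[str]:
    """Signature check on the normalized input. Returns the names of the
    signatures that matched, in database order; empty means no match."""
    canonical = normalize(raw)
    return [name for name, rx in SIGNATURES if rx.search(canonical)]


if __name__ == "__main__":
    # Constructed sample inputs: two evasion variants of a UNION-based
    # probe, a classic tautology, a stacked query, and a benign search.
    samples = [
        "%2527%2520uNiOn%2F%2A%2A%2FsElEcT%2520password",  # double-encoded, comment-split
        "' UNION/**/SELECT password FROM users--",         # comment-split only
        "admin' OR 1=1--",
        "1; DROP TABLE users--",
        "union jack flags for sale",
    ]
    for s in samples:
        print(f"{s!r:55} naive={naive_matches(s)!s:35} normalized={detect(s)}")
```

Running it shows the double-encoded, comment-split probe matching nothing in the naive check and matching `union-select` once normalized, while the benign search matches nothing either way. The decode-round cap matters in production: without it, an input crafted to decode indefinitely would stall the inspection engine.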
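The second and third recommendations, a rate-based policy for spotting automated clients and a blacklist of attacking hosts that is refreshed because those hosts stay active only briefly, can be shown together over a handful of log lines. This is an added example written for this summary, not Imperva's product or code from the report; the log lines, the `RATE_LIMIT`, `RATE_WINDOW` and `BLOCK_TTL` values, the simplified `SQLI_MARKER` pattern (standing in for a full attack-vector database) and the class and function names are all constructed.

```python
"""Added example (not Imperva's code): a rate-based check for automated
clients and a short-lived blocklist of hosts that launched SQLi attempts,
driven by constructed access-log lines. Thresholds and TTL are placeholders."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict

RATE_LIMIT = 5                       # more than this many requests ...
RATE_WINDOW = timedelta(seconds=10)  # ... inside this window => automated client
BLOCK_TTL = timedelta(hours=24)      # attacking hosts are re-evaluated after this

# A single simplified marker stands in for a full attack-vector database:
# a quote followed somewhere by OR / UNION / a comment terminator.
SQLI_MARKER = re.compile(r"('|%27).*(\bor\b|\bunion\b|--)", re.IGNORECASE)

# Constructed log lines: "<source-ip> <ISO-8601 timestamp> <request path>".
# 203.0.113.7 hammers the item endpoint and injects on its 7th request;
# 198.51.100.4 browses at human pace; 203.0.113.7 comes back a day later.
SAMPLE_LOG = """\
203.0.113.7 2011-10-01T12:00:00 /item?id=1
203.0.113.7 2011-10-01T12:00:00 /item?id=2
203.0.113.7 2011-10-01T12:00:01 /item?id=3
203.0.113.7 2011-10-01T12:00:01 /item?id=4
203.0.113.7 2011-10-01T12:00:02 /item?id=5
203.0.113.7 2011-10-01T12:00:02 /item?id=6
203.0.113.7 2011-10-01T12:00:03 /item?id=1' OR '1'='1
203.0.113.7 2011-10-01T12:00:03 /item?id=1' UNION SELECT 1--
203.0.113.7 2011-10-01T12:00:04 /item?id=7
198.51.100.4 2011-10-01T12:00:05 /item?id=42
198.51.100.4 2011-10-01T12:00:40 /cart
198.51.100.4 2011-10-01T12:01:10 /checkout
203.0.113.7 2011-10-02T13:00:00 /item?id=9
"""


class RateTracker:
    """Sliding-window request counter per source address."""

    def __init__(self) -> None:
        self.windows: Dict[str, Deque[datetime]] = defaultdict(deque)

    def observe(self, ip: str, ts: datetime) -> bool:
        """Record one request; return True if the source now exceeds RATE_LIMIT
        requests within RATE_WINDOW (log lines are assumed time-ordered)."""
        window = self.windows[ip]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW:
            window.popleft()
        return len(window) > RATE_LIMIT


class Blocklist:
    """Blocklist whose entries expire: attacking hosts are active only
    briefly, and a stale entry would block a legitimate reassigned address."""

    def __init__(self) -> None:
        self.expires: Dict[str, datetime] = {}

    def add(self, ip: str, now: datetime) -> None:
        self.expires[ip] = now + BLOCK_TTL  # re-adding refreshes the TTL

    def is_blocked(self, ip: str, now: datetime) -> bool:
        expiry = self.expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expires[ip]  # expired: drop it and let traffic through again
            return False
        return True

    def active(self) -> list:
        return sorted(self.expires)


def process(log_text: str) -> dict:
    """Run the log through the blocklist, rate check and SQLi marker;
    return a summary that a test or dashboard could consume."""
    tracker, blocklist = RateTracker(), Blocklist()
    automated, sqli_sources, blocked = set(), set(), 0
    for line in log_text.splitlines():
        ip, stamp, path = line.split(" ", 2)
        ts = datetime.fromisoformat(stamp)
        if blocklist.is_blocked(ip, ts):
            blocked += 1
            continue  # dropped before reaching the application
        if tracker.observe(ip, ts):
            automated.add(ip)
        if SQLI_MARKER.search(path):
            sqli_sources.add(ip)
            blocklist.add(ip, ts)
    return {
        "automated_sources": sorted(automated),
        "sqli_sources": sorted(sqli_sources),
        "blocked_requests": blocked,
        "active_blocklist": blocklist.active(),
    }


if __name__ == "__main__":
    for key, value in process(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, 203.0.113.7 trips the rate policy on its sixth request, is listed on its first injected request, has its next two requests dropped, and is re-admitted when it returns after the TTL, which is the "constantly update the list" point: the list must both gain fresh sources quickly and shed old ones. In a real deployment the TTL and the rate threshold would be tuned per application, and the blocklist would be fed from several sensors rather than one log.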
The full report can be found and downloaded at http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
Date: Nov 1, 2011