Coming in at number one in the OWASP Top Ten Most Critical Web Application Vulnerabilities are injection attacks, and SQL Injection vulnerabilities are the most common and most dangerous in this category. SQL injection is a technique that exploits vulnerable web sites by inserting malicious SQL into the queries the site sends to the database behind it.
What makes the threat of SQL injection attacks so dangerous is the ease with which they can be launched and how many web sites are vulnerable to them.
Attackers often use large botnets to systematically seek out vulnerable web sites to attack, with little effort on their part. Pair this with the fact that the number of sites vulnerable to this type of attack grows each year and it is easy to see why it remains at the top of the most critical vulnerabilities.
Risks Associated with SQL Injection
However easily an automated SQL injection attack can be carried out, if attackers stood to gain nothing this threat would soon disappear. Unfortunately, those who successfully compromise vulnerable web sites find that this vulnerability can be quite profitable, since it gives the attacker access to the database, so information can be sold or data can be deleted. More advanced techniques can also give the attacker unrestricted access to the system through a backdoor. SQL injection can also be used in tandem with other exploits, such as cross-site scripting, to manipulate how data is displayed to a web site's visitors. Failing to prevent SQL injection attacks leaves your business at great risk of:
- Changes to or deletion of highly sensitive business information
- Theft of customer information such as social security numbers, addresses, and credit card numbers
- Financial losses
- Brand damage
- Theft of intellectual property
- Legal liability and fines
Preventing SQL Injection Attacks
With the dotDefender web application firewall you can avoid SQL injection attacks: dotDefender inspects your HTTP traffic and detects SQL injection and other attacks against your web site, stopping identity theft and preventing data leaks from web applications. Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against SQL Injection attacks, cross-site scripting, website defacement and many other web attack techniques.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are:
- Enterprise-class security against known and emerging hacking attacks
- Central Management console for easy control over multiple dotDefender installations
- Supports multiple platforms and technologies - IIS, Apache, Cloud ...
- Open API for integration with management platforms and other applications
- Solutions for Hosting, Enterprise and SMB/SME
How does an attacker compromise your SQL server?
Before a web site can be compromised, an attacker needs to find applications that are vulnerable to SQL injection, sending probe queries to learn how the application builds its SQL and how it responds. The attacker has two ways to identify SQL injection vulnerabilities:
- Error messages: the attacker constructs the correct SQL syntax based on error messages propagated from the SQL server via the front-end web application. Using the errors received, the hacker learns the internal SQL database structure and how to attack by injecting SQL queries via the Web application parameters.
- Blindfolded Injection: this technique is used by hackers in situations where no error messages or response content is returned from the database. In these cases, the attacker lacks the ability to learn the backend SQL queries in order to balance the SQL injection query. Because no database content is output by the Web application, the attacker also has to find another way of retrieving the data.
Identifying the database
When the attacker knows how each database reacts, he or she can identify the database type and the server running it. There are several techniques the attacker uses to identify database objects in a SQL statement.
- Using a concatenation string, for example:
  select f1+f2 from t1
- Using a semicolon or dollar sign ($)
Compromising the SQL server
Once the attacker has all the information he needs, he can build the exploit code. Some techniques used to execute SQL Injection attacks are:
- Terminating queries using quotes, double-quotes, SQL comments
- Using stored procedures
- Database manipulation commands such as TRUNCATE, DROP
- Using CASE WHEN, EXEC to run nested queries
- Utilizing SQL injection to create Buffer Overflow attacks within the database server
- Delivering SQL queries via XML and Web Services
- Blindfolded SQL Injection techniques:
  - Blindfolded injection techniques using Boolean queries and WAITFOR DELAY
  - Comparison queries using commands such as BETWEEN, LIKE, ISNULL
- IDS signature evasive SQL Injection techniques:
  - Using CONVERT & CAST commands to mask the attack payload
  - Using Null bytes to break the signature pattern
  - Using HEX encoding mixtures
  - Using SQL CHAR() to represent ASCII values as numbers
1 = 1--
What happens when this is entered into an input box is that the server evaluates 1 = 1 as a true statement. Since -- starts a SQL comment, everything after it is ignored, which makes it possible for the attacker to gain access to the database. You can see precisely how this attack works on our SQL injection example page.
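To make the 1 = 1-- example concrete from the defender's side, here is an added Python example (not code from this page or from dotDefender) that runs that same input against a query built by string concatenation and against a parameterized query. The users table is an in-memory SQLite table constructed for the demo, so it runs offline; the page discusses MS-SQL, but the comment behaviour is the same.

```python
import sqlite3

# Constructed in-memory sample table (not from the original page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The defect: user input is spliced into the SQL text, so the input can change
    # the structure of the query. With username = ' OR 1 = 1-- the statement becomes
    #   ... WHERE username = '' OR 1 = 1--' AND password = '...'
    # and the password check disappears behind the -- comment.
    sql = ("SELECT id, username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The fix: placeholders send the input to the database as data values; the
    # database never parses them as SQL, so quotes and -- have no special meaning.
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo() -> dict:
    conn = make_db()
    tampered = "' OR 1 = 1--"   # the page's payload, typed into the username box
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "tampered_vulnerable": login_vulnerable(conn, tampered, "anything"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "tampered_parameterized": login_parameterized(conn, tampered, "anything"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every row for the tampered input, while the parameterized version returns nothing, because the same string is compared literally against the username column.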
The Need to Avoid SQL Injection Attacks
SQL injection techniques have been around for over 10 years now, but recent years have seen a dramatic increase in both the number of attacks and the extent of damage caused by them. In fact, a sweep of attacks in the second quarter of 2008 alone resulted in over 500,000 exploited web pages that were compromised to deliver password-stealing malware to users' computers. In more recent studies, security firms report attempted attacks reaching totals of 450,000 per day. The tragedy is that these threats can be mitigated, or even prevented, with the proper tools and knowledge.
The attacker identifies vulnerabilities and obtains database access
SQL (Structured Query Language) provides an interface for accessing and interacting with a database. A database usually stores data in tables and procedures.
SQL Injection is a security exploit method in which the attacker aims at penetrating a back-end database to manipulate, steal or modify the information in it. The SQL Injection attack method exploits the Web application by injecting malicious queries, causing the manipulation of data. Almost all SQL databases and programming languages are potentially vulnerable, and over 60% of websites turn out to be vulnerable to SQL Injection.
The threat posed by SQL injection attacks is not solitary. Combined with other vulnerabilities like cross-site scripting, path traversal, denial of service attacks, and buffer overflows, the need for web site owners and administrators to be vigilant is not only important but overwhelming.
Protect Yourself from SQL Injection Attacks
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase. The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
What types of SQL Injection attacks does dotDefender block?
dotDefender blocks various SQL Injection techniques including, but not limited to:
- Terminating queries using quotes, double-quotes, SQL comments
- Stored procedure names
- Comparison queries using commands such as BETWEEN, LIKE, ISNULL
- Database manipulation commands such as TRUNCATE, DROP
- Reserved words such as CASE WHEN, EXEC
- Blindfolded injection techniques such as Boolean queries and WAITFOR DELAY
- Database-unique attacks relating to Oracle, MySQL, MS-SQL
- Signature evasion techniques such as using CONVERT & CAST
- Buffer overflow attacks via SQL Injection
- XML and Web-Services encapsulating SQL Injection techniques
- Null byte signature evasion
- HEX encoding mixtures for signature evasion
- Using SQL CHAR() for signature evasion
- Zero-day protection against MS-SQL stored procedure attacks such as MS08-040
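As an illustration of the regular-expression pattern recognition described above and the technique classes in this list, here is an added Python example (not dotDefender's rule base, which is not published on this page) with one hypothetical signature per class, run over constructed URL-encoded query strings. It decodes each parameter before matching, which is the step a signature engine cannot skip if it is to see the same bytes the database sees.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signature set, one regex per technique class named on the page.
# Bare LIKE / BETWEEN are deliberately omitted: on their own they appear in
# ordinary search text far too often and would drive up false positives.
SIGNATURES = {
    "query_terminator": re.compile(r"""['"]\s*(or\b|and\b|;|--|/\*)""", re.I),
    "sql_comment":      re.compile(r"--|/\*"),
    "ddl_manipulation": re.compile(r"\b(drop|truncate|alter)\s+(table|database)\b", re.I),
    "exec_case":        re.compile(r"\bexec(ute)?\s+\w|\bcase\s+when\b", re.I),
    "blind_timing":     re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(", re.I),
    "cast_convert":     re.compile(r"\b(cast|convert)\s*\(", re.I),
    "char_encoding":    re.compile(r"\bchar\s*\(\s*\d+", re.I),
    "hex_literal":      re.compile(r"\b0x[0-9a-f]{4,}", re.I),
    "null_byte":        re.compile(r"\x00"),
}

def normalise(value: str) -> str:
    # Decode URL encoding twice so a double-encoded value (%2527 -> %27 -> ')
    # is seen in the form the database would receive; then collapse whitespace.
    for _ in range(2):
        value = unquote_plus(value)
    return re.sub(r"\s+", " ", value)

def inspect_query_string(query_string: str) -> dict:
    """Return {parameter: [signature names]} for every parameter that fires."""
    hits = {}
    for pair in query_string.split("&"):
        name, _, raw = pair.partition("=")
        decoded = normalise(raw)
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(decoded)]
        if matched:
            hits[unquote_plus(name)] = matched
    return hits

# Constructed sample query strings (not captured traffic); the second one is
# the page's own 1 = 1-- input in URL-encoded form.
SAMPLES = [
    "id=42&sort=name",
    "user=%27+OR+1+%3D+1--&pass=x",
    "q=1%3B+WAITFOR+DELAY+%270%3A0%3A5%27--",
    "id=1+AND+1%3DCAST%28CHAR%2865%29+AS+int%29",
    "name=admin%00",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs, "->", inspect_query_string(qs) or "clean")
```

Signature matching of this kind is a detection layer, not a substitute for parameterized queries in the application itself.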
In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site's performance.