Research finds SQL injection attacks bypass web security
Hackers execute an average 71 SQL injection attacks per hour to steal data.
Imperva’s Hacker Intelligence Initiative (HII) demonstrates the prevalence and intensity of SQL injection attacks.
The report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
“SQL injection is probably the most costly vulnerability in the history of software,” explained Imperva CTO Amichai Shulman. “This exploit is used to great effect by the hacking community since it is the primary way to steal sensitive data from web applications. However, this issue, ironically, remains one of the least understood.”
Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga’s Web sites, were the work of hackers who used SQL injection to break into the application’s backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. From 2005 through today, SQL injection has been responsible for 83% of successful hacking-related data breaches.
It is estimated that there are a total of 115,048,024 SQL injection vulnerabilities in active circulation today. A hacker in a forum boasted, “Finding SQLi vulnerable sites is extremely easy; all you need to do is some Googling.”
By monitoring a set of 30 web applications over the last nine months, Imperva found:
• SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
• Attackers are increasingly bypassing simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.
• Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
• Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These “zombies” are used in an interchangeable manner in order to defeat black-listing defense mechanisms.
• About 41% of all SQLi attacks originated from just 10 hosts. Again, we see a pattern where a small number of sources are responsible for a majority of attacks.
To better deal with the problem, enterprises should:
• Detect SQL injection attacks using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. The detection engine must normalize the inspected input before matching, so that encoding and formatting tricks cannot evade the signatures.
• Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools. Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.
• Create and deploy a black list of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of hosts initiating SQLi is short, it is important to constantly update the list from various sources.
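The normalize-then-match step from the first recommendation, as an added Python example that is not code from the report or this article. The signature set is deliberately tiny and the sample parameter values are constructed for illustration; it shows why the same signatures miss obfuscated input until the input is canonicalized.

```python
import re
from urllib.parse import unquote_plus

# Small illustrative signature set (a real engine would carry far more).
SIGNATURES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+", re.I),
]

def normalize(value: str) -> str:
    """Canonicalize a request parameter so that encoding and
    formatting tricks do not hide a payload from the signatures."""
    # Percent-decode until stable: double encoding defeats a single-pass decoder.
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    # Inline comments used as whitespace substitutes become single spaces.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Collapse all whitespace variants (tabs, newlines, repeated spaces).
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()

def naive_match(value: str) -> bool:
    """Signature check on the raw parameter, as a simple filter would do."""
    return any(sig.search(value) for sig in SIGNATURES)

def normalized_match(value: str) -> bool:
    """Signature check after normalization, as the report recommends."""
    return naive_match(normalize(value))

# Constructed sample parameter values: one benign, one plain, two obfuscated.
SAMPLES = {
    "benign": "Smith",
    "plain": "1' OR 1=1",
    "comment_spaced": "1' UNION/**/SELECT name FROM t",
    "double_encoded": "1%2527%2520OR%25201%253D1",
}

def evaluate() -> dict:
    """Return {label: (naive_hit, normalized_hit)} for every sample."""
    return {k: (naive_match(v), normalized_match(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (raw_hit, norm_hit) in evaluate().items():
        print(f"{label:15} raw={raw_hit!s:5} normalized={norm_hit}")
```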