WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


‘An Anatomy of a SQL Injection Attack’

Imperva’s Hacker Intelligence Initiative (HII) has released a new report into SQL injection attacks. The report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.

“SQL injection is probably the most costly vulnerability in the history of software,” explained Imperva CTO Amichai Shulman. “This exploit is used to great effect by the hacking community since it is the primary way to steal sensitive data from web applications. However, this issue, ironically, remains one of the least understood.”

From 2005 through to today, SQL injection has been responsible for 83 percent of successful hacking-related data breaches. It is estimated that there are a total of 115,048,024 SQL injection vulnerabilities in active circulation today.

Imperva found:

  • SQL injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attack and, at their peak, were attacked 800-1300 times per hour.
  • Attackers are increasingly bypassing simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.
  • Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
  • Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These ‘zombies’ are used in an interchangeable manner in order to defeat black-listing defense mechanisms.
  • About 41 percent of all SQLi attacks originated from just 10 hosts.

To better deal with the problem, enterprises should:

  • Detect SQL injection attacks using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. The detection engine must normalize the inspected input to avoid evasion attempts.
  • Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools. Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.
  • Create and deploy a black list of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. It is important to constantly update the list from various sources.
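
The first and third recommendations can be sketched together: normalize each input before matching it against signatures, then list hosts that trigger repeated detections. This is an added example, not code from the Imperva report; the signature list, the threshold and the sample requests are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed stand-in for a "preconfigured database of attack vector formats".
SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"\bor\s+\d+\s*=\s*\d+"),
    re.compile(r";\s*drop\s+table\b"),
]

def normalize(value: str) -> str:
    """Reduce the input to one canonical form before signature matching."""
    for _ in range(3):                       # bounded unwrap of nested URL-encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # inline comments act as separators
    return re.sub(r"\s+", " ", value).lower().strip()

def naive_match(value: str) -> bool:
    """Signature match on the raw input, shown only for comparison."""
    return any(sig.search(value.lower()) for sig in SIGNATURES)

def is_sqli(value: str) -> bool:
    """Signature match on the normalized input."""
    norm = normalize(value)
    return any(sig.search(norm) for sig in SIGNATURES)

def build_blocklist(requests, threshold=2):
    """requests: iterable of (host, parameter string). Threshold is an assumption."""
    hits = Counter(host for host, value in requests if is_sqli(value))
    return {host for host, count in hits.items() if count >= threshold}

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    ("203.0.113.7", "id=1%20UNION%20SELECT%20name,pass%20FROM%20users"),
    ("203.0.113.7", "id=1%2520UnIoN/**/SeLeCt%25201,2"),
    ("198.51.100.4", "q=student+union+membership"),
    ("198.51.100.9", "id=5'+OR+1=1--"),
]

if __name__ == "__main__":
    for host, value in SAMPLE:
        print(host, "naive:", naive_match(value), "normalized:", is_sqli(value))
    print("blocklist:", build_blocklist(SAMPLE))
```

On the sample data the raw-input match misses the encoded requests that the normalized match catches, and only the host with repeated detections reaches the list.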

The full report can be found and downloaded here.

• Date: 23rd September 2011 • Region: World • Type: Article • Topic: ISM
