Programmers who aren't security savvy are coding SQL injection as a feature in some Web applications, putting users at risk when an application goes live or is distributed to affiliates of online advertising networks.
The coding is critical to the way the application runs. The problem is so pervasive that some security vendors, including TippingPoint, ship their intrusion prevention systems (IPS) with SQL injection protection filters disabled by default to avoid breaking applications.
Rohit Dhamankar, director of security research at TippingPoint's DVLabs, said the company's global IPS honeypots have detected spikes in SQL injection attacks taking advantage of the SQL injection features coded in some Web applications. TippingPoint keeps track of global threats by capturing attack attempts in its IPS filters. It also anonymously tracks how customers configure their IPS.
"The people that write these applications sometimes don't realize that they have inadvertently put SQL injection as a feature for the applications," Dhamankar said. "One of the spikes came because one of these advertising companies was using a flaw, a SQL injection vulnerability to distribute reports to all its affiliates."
The SANS Institute called SQL injection and cross-site-scripting attacks the two biggest problems on the Web in a report released this week, The Top Cyber Security Risks. The errors are also often the most overlooked by companies. Yet SQL injection was the method used by attackers in the largest data security breach in U.S. history.
Web application vulnerability flaws in open source and custom-built applications account for more than 80% of the vulnerabilities being discovered, SANS said in its report. The research broke down the SQL injection errors as "SQL injection using SELECT SQL statement," "SQL injection evasion using string functions," and "SQL injection using boolean identity," all errors that could be corrected in the software development lifecycle prior to the flawed application going live.
Dhamankar said poorly coded online advertisements leads to the kind of problem experienced by New York Timeswebsite visitors last weekend. Once a flaw is exploited, attackers can poison the ads and redirect visitors who click on them to malicious websites. Automated scripts in those sites check for flawed browser plug-ins and other unpatched applications, giving the attacker a foothold to infect a victim's computer.
The New York Times partially uses an ad affiliation network. Last weekend, an approved ad appeared legitimate, but the attackers replaced it with malicious ads, which then displayed a pop-up advertisement warning users that their machines had been infected and they needed to click the link to disinfect their computer.
The problem is becoming extremely pervasive but SQL injection errors are often difficult and costly to fix, experts say. A vulnerability scan can turn up thousands of errors that lend themselves to SQL injection.
Dhamankar, one of several security experts who spoke at a SANS Institute press conference presenting the report, said legitimate online advertising affiliates and other firms can use IPS or Web application firewalls (WAFs) to stop such attacks and hold programmers accountable for their faulty coding practices. Awareness and education should also be a priority, Dhamankar wrote in an email message after the presentation.
"If the development organizations ensure their employees have gone through secure programming practices and courses, it would lead to a decrease of such incidents," he wrote. "Security testing of applications internally or through third parties is another good measure to ensure that Web application holes are discovered prior to the application being deployed in production."
Digital investigations expert and SANS Institute instructor, Rob Lee of Mandiant said his research shows that hackers are using spear phishing attacks with a variety of social engineering tactics to trick end users into clicking on malicious links. But a third of the attacks are specifically SQL injection, targeting financial institutions and retailers with exposed websites, he said.
"They go in through the public facing website in order to gain access to the credit card data on the back end," Lee said. "It's more of a smash and grab attack where they're looking for credit card data."
There is no single silver bullet to protect organizations from attackers, said Ed Skoudis, founder and senior security consultant with InGuardians Inc. Once malicious code is pushed onto a website via SQL injection or any other method, the victim then pulls that malicious content into their organization onto a machine that doesn't have a fully patched piece of client software.
It takes defense in depth, Skoudis said. Security professionals can't fall into the mindset that sensitive data isn't stored on client machines so it doesn't matter if end-user machines are infected.
"Once the bad guy establishes a toe-hold into the target environment by exploiting one client machine, the bad guy doesn't stop there," Skoudis said. "Once the client gets exploited the attacker pivots through the organization … and bounces to internal network servers and that is when you've got a full-scale breach."