VANCOUVER, BC -- A researcher at Core Security Technologies Inc. has developed a new automated hacking technique that enables hackers to easily seek out and exploit SQL injection vulnerabilities, common coding errors being widely exploited by attackers.
The research, conducted by Core researcher Sebastian Cufre, could aid vulnerability hunters by speeding up the discovery of SQL injection vulnerabilities so they can be fixed before attackers use them. Cufre couldn't attend the conference, so CoreLabs researcher Fernando Federico Russ demonstrated the black-box technique at the 2010 CanSecWest Applied Security Conference.
"This helps find and exploit SQL injection vulnerabilities in an automatic way," Russ said. "The coolest feature is a SQL abstraction that permits you to execute a SQL statement directly to the back-end database."
SQL injection is a longtime favorite attack technique because the coding errors that enable attackers to gain access to Web applications is prevalent in tens of thousands of websites. Attackers can add structured query language (SQL) into a Web form to test the database to examine the resulting database debugging error and try to gain access.
Hacker toolkits have made it even easier for attackers to conduct waves of attacks to seek out and compromise websites, setting them up to deliver malicious code to site visitors. Enterprises have been taking steps to eliminate coding errors that make Web applications vulnerable to SQL injection.
The technical research laid out by Russ shows how black-box testing techniques could be applied to hunt for SQL injection errors more efficiently. Black-box testing takes an external approach to testing software to get a hacker's point of view. It enables software testers to understand the types of behaviors that hackers may be able to carry out once inside a compromised system.
"We are trying to understand the methodology of the vulnerability and to understand a standard test to infer string injection points," Russ said.
The technique eliminates false positives from the automated SQL injection vulnerability assessment process. The method also automatically generates exploit code. Core plans to post a research paper on its website.
Currently website owners have a number of ways to test their site for coding errors. A number of static and dynamic code analysis tools can be used to find the coding errors that lead to SQL injection, but many of them result in a wide range of errors and a high number of false positives, though experts say the tools are getting better. In 2008, the wave of SQL injection attacks got so bad that Microsoft issued an advisory, identifying several tools that can be used in the development process to eliminate the errors.
In addition, organizations can limit user access privileges, improve the software development process by applying static code analysis to detect the errors before an application is put into full production, and reduce debugging errors that can be displayed to people when the SQL string causes the underlying database to fail.