SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications that use dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of an automated attack targeting SQL injection flaws is planned for Black Hat Briefings this week in Las Vegas. This two-part interview with SPI Dynamics CTO Caleb Sima will tell you what you should fear, why and what you can do to mitigate your risk.
Security Wire Perspectives: Can you describe, in basic terms, what a SQL injection flaw is and what kind of threat it poses?
Caleb Sima, CTO, SPI Dynamics: A SQL injection flaw occurs when external input is transmitted directly into a SQL string and into a database. This allows an attacker to piggyback SQL commands onto that string and manipulate or steal database information or execute system commands.
SWP: How many Web sites would you think are affected by the SQL injection flaw?
SIMA: This flaw is extremely widespread, likely one of the biggest flaws out there. It's not language-dependent. SQL injection can occur in JSP, in ASP, in PHP and other languages. SQL injection also occurs in Oracle databases. Just on the ASP side, I would say 95% of Web sites seem to be vulnerable to SQL injection. Probably 60% of Web applications that use dynamic content are vulnerable as well.
SWP: What effect can a SQL injection flaw have on an
SIMA: A SQL injection flaw is a very high-risk impact -- it's devastating. If an enterprise's Web site is vulnerable to SQL injection, any attacker with the right type of knowledge can extract its entire backend database directly from the Web server.
Most IDSes today have a very difficult time detecting a SQL injection. So if there's an IDS or IPS device in front of the Web server or network, it really doesn't do a lot to stop SQL injection. The impact remains the same if a database is on the internal side of the network because the Web server is allowed to communicate with the database and commands can be passed directly to the database server. That means the internal network has been breached very easily, directly from the Internet. SQL injection problems are critical.
SWP: You've described an enormous number of potential targets. Do attackers have a way of narrowing down the list of vulnerable sites?
SIMA: "Google hacking" -- using search engines to find vulnerable sites -- is an old method that is becoming increasingly popular. Using specific search queries and cross-referencing information, an attacker can identify sites that use SQL injection and then further narrow the search results to find vulnerable sites and attractive targets. Depending on the attacker's intent, "attractive" could mean an e-commerce site, a government site or others. The next step is testing each of those sites for SQL injection flaws. It's very simple to create a program to automate this process.
Then, all an attacker would have to do is run this tool, identify sites that use SQL injection and toss the vulnerable ones off to an automated SQL injection tool to download the databases. It may find 500 databases in a minute. The database could be credit card numbers, user names and passwords or confidential information. This can be set up to find vulnerable sites, extract the databases and save them. Code this up, press a button and walk away. Later, all the data from the flawed sites will be available.
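Sima's definition of the flaw above (external input transmitted directly into a SQL string) and the mitigation of binding input as a parameter instead, shown side by side as an added example that is not part of the interview or of SPI Dynamics' tooling; the table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; stands in for the backend table Sima describes.
SAMPLE_USERS = [("alice", "card-1111"), ("bob", "card-2222"), ("carol", "card-3333")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern Sima describes: the input is pasted straight into the SQL
    string, so it can change the statement's structure, not just a value."""
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Mitigation: the statement text is fixed and `name` is passed as a bound
    parameter, so the database only ever compares it, never parses it as SQL."""
    sql = "SELECT name, card FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name: str) -> tuple:
    """Run the same input through both lookups and return (vulnerable, safe)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both versions return the one matching row.
    print(demo("bob"))
    # Input containing a quote: the concatenated WHERE clause is rewritten so it
    # matches every row (the whole table leaks); the bound version finds nothing.
    print(demo("x' OR 'a'='a"))
```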
In the Thursday issue of SWP, read how to identify whether your system is vulnerable and what the likelihood is of seeing a worm targeting SQL injection flaws.