
Automated SQL injection: What your enterprise needs to know

By Shawna McAlearney, News Writer
26 Jul 2004 | SearchSecurity.com


SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications that use dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of an automated attack targeting SQL injection flaws is planned for Black Hat Briefings this week in Las Vegas. This two-part interview with SPI Dynamics CTO Caleb Sima will tell you what you should fear, why and what you can do to mitigate your risk.

Security Wire Perspectives: Can you describe, in basic terms, what a SQL injection flaw is and what kind of threat it poses?

Caleb Sima, CTO, SPI Dynamics: A SQL injection flaw occurs when external input is transmitted directly into a SQL string and into a database. This allows an attacker to piggyback SQL commands onto that string and manipulate or steal database information or execute system commands.
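As an added illustration of the flaw Sima describes (example code written for this page, not from SPI Dynamics or the article): a login lookup that splices external input straight into the SQL string, beside the parameterized form that removes the flaw. The table, its users and the hostile input are constructed for the demonstration, and an in-memory SQLite database stands in for the enterprise backend.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The flaw Sima describes: external input concatenated into the SQL string.
    Whatever the caller supplies becomes part of the statement the database parses,
    so a quote in the input can end the literal and piggyback more SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened form: a parameterized query. The driver binds the input as data,
    so it can never change the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms against valid credentials and against a constructed
    hostile input (a quote that closes the literal plus an always-true clause)."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vuln_valid": sorted(login_vulnerable(conn, "alice", "s3cret")),
        "vuln_injected": sorted(login_vulnerable(conn, "nobody", injected)),
        "safe_valid": sorted(login_safe(conn, "alice", "s3cret")),
        "safe_injected": sorted(login_safe(conn, "nobody", injected)),
    }


if __name__ == "__main__":
    for check, names in demo().items():
        print(check, names)
```

The vulnerable form returns every user for the hostile input, which is exactly the "extract the entire backend database" outcome Sima warns about; the parameterized form treats the same input as an ordinary, non-matching password.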

SWP: How many Web sites would you think are affected by the SQL injection flaw?

SIMA: This flaw is extremely widespread, likely one of the biggest flaws out there. It's not language-dependent. SQL injection can occur in JSP, in ASP, in PHP and other languages. SQL injection also occurs in Oracle databases. Just on the ASP side, I would say 95% of Web sites seem to be vulnerable to SQL injection. Probably 60% of Web applications that use dynamic content are vulnerable as well.

SWP: What effect can a SQL injection flaw have on an enterprise?

SIMA: A SQL injection flaw is a very high-risk impact -- it's devastating. If an enterprise's Web site is vulnerable to SQL injection, any attacker with the right type of knowledge can extract its entire backend database directly from the Web server.

Most IDSes today have a very difficult time detecting a SQL injection. So if there's an IDS or IPS device in front of the Web server or network, it really doesn't do a lot to stop SQL injection. The impact remains the same if a database is on the internal side of the network because the Web server is allowed to communicate with the database and commands can be passed directly to the database server. That means the internal network has been breached very easily, directly from the Internet. SQL injection problems are critical.

SWP: You've described an enormous number of potential targets. Do attackers have a way of narrowing down the list of vulnerable sites?

SIMA: "Google hacking" -- using search engines to find vulnerable sites -- is an old method that is becoming increasingly popular. Using specific search queries and cross-referencing information, an attacker can identify sites that use SQL injection and then further narrow the search results to find vulnerable sites and attractive targets. Depending on the attacker's intent, "attractive" could mean an e-commerce site, a government site or others. The next step is testing each of those sites for SQL injection flaws. It's very simple to create a program to automate this process.

Then, all an attacker would have to do is run this tool, identify sites that use SQL injection and toss the vulnerable ones off to an automated SQL injection tool to download the databases. It may find 500 databases in a minute. The database could be credit card numbers, user names and passwords or confidential information. This can be set up to find vulnerable sites, extract the databases and save them. Code this up, press a button and walk away. Later, all the data from the flawed sites will be available.

In the Thursday issue of SWP, read how to identify whether your system is vulnerable and what the likelihood is of seeing a worm targeting SQL injection flaws.
