
Automated SQL injection: What your enterprise needs to know, part 2

By Shawna McAlearney, News Writer
29 Jul 2004 | SearchSecurity.com


SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications that use dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of an automated attack targeting SQL injection flaws is planned for Black Hat Briefings this week in Las Vegas. This conclusion of a two-part interview with SPI Dynamics CTO Caleb Sima tells what you should fear, why and what you can do to mitigate your risk.

Security Wire Perspectives: You have compared the future of SQL injection attacks to the current scope of Linux and Windows flaws. How easy would it be to develop some sort of automated exploit for this?

Caleb Sima, CTO, SPI Dynamics: Today, an attacker has to be somewhat knowledgeable not only about Web application security, but also about SQL injection to exploit someone's site and grab information. It's a very manual task that takes some pretty good intelligence gathering to accomplish. But SQL injection can be automated and it's technology that's moving forward. In fact, at Black Hat there is going to be a talk on the automation of SQL injection. I think it's the first of its kind. This technology being publicly released by some black hat will give script-kiddies the ability to pick up a freeware tool, point it at a Web site and automatically download a database without any knowledge whatsoever.

I think that makes things a lot more critical and severe. The automation of SQL injection gives rise to the possibility of a SQL injection worm, which is very possible. In fact, I am surprised this hasn't occurred yet.

SWP: So it wouldn't be all that difficult to create a SQL injection worm?

SIMA: People think SQL injection flaws are unique to their application; that they're all different and there's no way a worm could be used to do SQL injection. That's where they are wrong. Google hacking can be used to find vulnerable Web sites and narrow down target sites. These results can be used as the basis for a worm.

After identifying a vulnerable site, a payload or a worm is uploaded onto the SQL infected site. From that point, the server then goes out to Google and identifies the next vulnerable site using SQL injection, which is very easy to do. Then he infects the next machine, then that machine goes back to Google and identifies that next vulnerable machine and so on and so on. So even something as unique as SQL injection paired with Google and automated SQL injection capabilities can be used to automate a worm that propagates extremely quickly.

What makes this more dangerous than other worms that have come out is that the others have been based upon a single flaw -- flaws that could be fixed with patches. With SQL injection, you can't install a patch. It's an implementation flaw that applies to Microsoft servers, to Apache servers, to PHP code and to ASP code. Source code must be examined and fixed, which isn't a simple thing to do.

To determine whether your site is vulnerable to SQL injection, read the steps available online.
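Sima's point that SQL injection is an implementation flaw fixed in source code rather than by a patch, as an added example that is not code from the article or from SPI Dynamics: the string-concatenated lookup beside its parameterized replacement, run against an in-memory SQLite table with constructed rows. The table, function names and sample inputs are assumptions made for the illustration.

```python
"""Vulnerable-vs-parameterized lookup on a throwaway SQLite database.
Added illustration; the schema and sample rows are constructed."""
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The implementation flaw: the input is pasted into the SQL text, so any
    quote in it reaches the database parser. No server patch changes this;
    only rewriting the query does."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The source-level fix: a bound parameter. The input is handed to the
    engine as a value and is never parsed as SQL, whatever it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (vulnerable, safe).
    The vulnerable result is an 'ERROR: ...' string when the query breaks."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        vuln = "ERROR: " + str(exc)
    return vuln, lookup_safe(conn, name)


if __name__ == "__main__":
    # A legitimate apostrophe already breaks the concatenated query,
    # while the parameterized one finds the row.
    print(compare("o'brien"))
    # The same unescaped quote lets a crafted value widen the WHERE clause
    # to every row; the parameterized query treats it as a literal name.
    print(compare("x' OR '1'='1"))
```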

SWP: You seem surprised we haven't seen any SQL injection worms yet. What kind of timeframe are we looking at?

SIMA: I believe someone out there probably already has one; someone who is smart enough to use this type of technology for financial gain or some other purpose. His type of SQL injection worm is probably already being used quietly to gain information in a way that isn't being detected.

I can't predict when the next one will come out. I will tell you that this knowledge and this idea will propagate quickly. Then it's all up to whoever decides to sit down and release one.

Part 1 of the two-part series is available online.
