New defenses for automated SQL injection attacks

In this tip, let's take a look at SQL injection attacks and examine how to find, isolate and address the malicious pages of an otherwise safe website.

SQL injection attacks of the past
SQL injection attacks are nothing new. In a high-profile 2003 case, for example, apparel company Guess Inc. suffered a SQL injection attack on its website, which resulted in a security breach and a government-led legal settlement. At the time, court documents described SQL injection as occurring "when an attacker enters certain characters in the address (or URL) bar of a standard Web browser to direct the application to obtain information from the databases that support or connect to the website." In court, it had been found that attackers manipulated an application to gain access, in cleartext, to every table in the guess.com databases, including those that supplied purchasers' credit card information.

The liability that companies face if they expose sensitive data hasn't changed. What is new about this latest round of SQL injection attacks, however, is both the degree to which the attacks are automated and the sheer scale at which they are carried out.

The new SQL injection attack
From a technical perspective, today's SQL injection attackers are more thorough in how they seek out vulnerable websites. Various toolkits are being used to speed up the exploitation process. Consider the Asprox Trojan, ...

1. A Trojan is installed by spam (that is itself sent via compromised hosts).
2. A PC infected by the Trojan downloads a binary that, when launched, uses Google to search for potentially vulnerable websites that use forms built with Microsoft Active Server Pages. The search results become a target list for SQL injection attacks.
3. The Trojan launches a SQL injection attack against those sites, compromising a percentage of them.
4. Visitors to compromised sites are fooled into downloading a piece of malicious JavaScript code from another site.
5. That code directs the user to a third site, where more malware is hosted, such as copies of Asprox or Danmec (a password-stealing Trojan).

These steps indicate just how much has changed in five years. Previously, Web application developers were advised to test and patch their code on the slim chance that an SQL injection vulnerability might be uncovered and exploited maliciously. Recent attacks, however, have shown that vulnerabilities are now much more likely to be uncovered and exploited maliciously. Developers, therefore, should vigorously test their code prior to deployment and promptly patch it as soon as new flaws are reported.

Knowing when a website has been attacked
Certainly no enterprise wants to unknowingly spread malware. So how do you know if your site is compromised? Oddly enough, the answer might come in a notice from Google. In an excellent example of how hacking tools work both ways, Google, a major player in the stopbadware.org project, monitors sites for "badware," defined as spyware, malware and deceptive adware. Indeed, Google automatically sends badware alerts to the following email addresses at domains where its Web crawlers locate a problem:

* abuse@
* admin@
* administrator@
* contact@
* info@
* postmaster@
* support@
* webmaster@

Of course, an enterprise must be prepared to receive these messages, something that sounds deceptively simple. There may be spam filters on these addresses, or worse, no designated recipient, meaning the messages may go unread. Cataloging and verifying contact details for all of corporate domains is a good first step in responding to this new wave of attacks. Savvy security pros might want to leverage news of these attacks to procure additional resources for a thorough site review.

The explosive growth in Web activity during the last five years has resulted in many "lost" sites, projects that were launched then later abandoned without proper termination. Unfortunately, the relentlessly thorough Google Web crawlers will find them, and if they are potential targets, they will eventually be attacked. Fortunately, though, an enterprise can proactively determine if it has a "badware" problem: any site can be checked for free using Google Webmaster Tools.

Those organizations that are uncomfortable relying on Google should embark on a detailed review of their websites. There are some tools that can help, starting with Xenu's Link Sleuth, a free program that can check all the links on a given site and report a variety of errors. Remember to test the production site and to run checks from a machine that is outside the company network; otherwise some problems may be missed.

How to prepare for the new attacks
Moving forward, a proactive strategy would be to invest in a Web vulnerability scanner such as those from Acunetix Ltd. and SPI Dynamics (now owned by Hewlett-Packard Co.). A good Web vulnerability scanner -- not to be confused with a network scanner -- will spot all currently known SQL-injection vulnerabilities on your site. An up-to-date scanner will spot new vulnerabilities as they become known.

Bear in mind that defending against SQL injection attacks may not be enough. Attackers are conducting concerted and automated searches for targets and executing of attacks on them. These techniques could well be applied to other Web infrastructure weaknesses besides SQL.

Finally, secure code review at all stages of the Web application development process and pre-production security testing are now more important than ever. They should be augmented by post-deployment testing that includes vulnerability scanning tools and site monitoring.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

[IMAGE]
[IMAGE]SQL INJECTION PROTECTION GUIDE
[IMAGE]  SQL injection protection introduction
[IMAGE]  How to prevent SQL injection attacks
[IMAGE]  SQL injection attack defense
[IMAGE]  Automate SQL injection testing
[IMAGE]  Defenses for automated SQL injection attacks

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Web Security Advisor,   Application and Platform Security,   Application Attacks (Buffer Overflows, Cross-Site Scripting),   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Web Security Tools and Best Practices,   Web Application Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Malware, Viruses, Trojans and Spyware New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.