
Cybercrime's Love Affair With Havij Spells SQL Injection Trouble

Automated SQL injection attack tool makes database extraction as easy as a button click for cybercriminals

Today's exponential increase in attack volume and complexity can largely be chalked up to the cybercriminal's creed of working smarter, not harder. It isn't so much l33t hackers toiling at code for hours that enterprises have to worry about. Instead, it's the nontechnical crooks who can carry out their attacks with a few clicks of a button using automated tools that do the technical dirty work for them. In the database-cracking world, Havij stands as one of the most popular of these tools. As such, it should be on the radar of any security professional seeking to prevent costly data breaches within their environments.

"If you're talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common," says Noa Bar Yosef, senior security strategist at Imperva.

Developed by Iranian hackers sometime in spring 2010, Havij is named for the Farsi word for "carrot," which also doubles as colorful slang for the male sexual organ. Corny penetration jokes notwithstanding, the tool has so completely captured the hearts and minds of the black hat community that groups like Anonymous frequently train their legions on how to wreak havoc using it, says Josh Shaul, CTO of Application Security Inc.

"So when I sat and read chat logs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij," Shaul says. "The reason for that is Havij is awesome. And it's as powerful and easy to use as could be."

Favored by hacktivists and financially motivated attackers alike, Havij automates the attacker's SQL injection work: it detects the database behind a targeted website, determines whether the injectable parameter is a string or an integer, and tries different injection syntaxes against the target. Unlike many penetration-testing tools, Havij does not merely point to potential vulnerabilities; it also carries out data extraction and harvesting.

"By using this software, a user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system," said a recent Imperva executive report (PDF). All of it is driven from a simple GUI, from which an attacker can mount an attack with a few clicks.

"Basically, you fire up the product: There's a box at the top of the screen where it wants you to type some kind of Web page, so you type it in and then there's a button that says 'Analyze.' It's like the 'Go' button, and you click 'Go.' Literally, that's it," Shaul says. "So it comes back and says, 'Hey, I found a SQL injection potential on this site.'"

At that point, the tool returns information about what kind of server and DBMS is running on the back end and whether the application is running with administrative privileges in the database.

"So then there are a few other things that you can do. There's a button that's just called 'Info,' and if you click that button, it'll go out and get a bunch of detailed info about the database," Shaul says. "There's a button called 'Table.' If you click that button, it'll go into that database and come back with a list of tables in that database that you can navigate, sort of like navigating through a Windows file explorer where you can click on the table name, and it'll expand out."

The ease of use and power of the tool should be enough to get the attention of enterprises seeking to prevent breaches, such as the one last spring at PBS, in which attackers posted phony story headlines on the PBS site, an attack carried out with Havij.

"What it means for enterprises is that everybody out there that wants it has sort of industrial-grade SQL injection test kits at their fingertips," Shaul says. "And if organizations aren't really rigorously testing their applications for SQL injection vulnerabilities, they're going to be missing something that an attacker is not going to miss."

Prevention starts at the application level: enterprises need to do a better job of sanitizing input so that injected SQL is neutralized before it reaches the database. Obviously, though, a whole host of applications already in production still need protecting.
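The two parameter shapes the article mentions, a quoted string and a bare integer, and the application-level fix it calls for, shown as an added example that is not code from the article, from Imperva, or from Havij. It uses Python's sqlite3 with a constructed three-row users table. The vulnerable functions splice the request value into the SQL text, which is how "dirty input" reaches the database; the hardened ones bind the value as a query parameter (and check the integer's type first), which is the robust form of the input sanitization the article recommends, because the data never becomes part of the statement.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# --- String parameter: the application wraps the value in quotes itself -------

def find_user_vulnerable(conn, name):
    # The raw value is spliced into the SQL text, so a quote character inside
    # `name` closes the literal early and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # The value travels to the driver separately from the statement, so it is
    # only ever compared as data, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


# --- Integer parameter: no quotes, so no quote is needed to break out ---------

def find_user_by_id_vulnerable(conn, user_id):
    # Nothing enforces that `user_id` is a number; any text is appended as SQL.
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_by_id_safe(conn, user_id):
    # Reject anything that is not an integer before it gets near the query,
    # then bind the checked value as a parameter.
    try:
        checked_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError(f"user_id must be an integer, got {user_id!r}") from None
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (checked_id,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic string-parameter probe
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row
    print("safe:      ", find_user_safe(db, probe))         # no row
    print("vulnerable:", find_user_by_id_vulnerable(db, "2 OR 1=1"))  # every row
    try:
        find_user_by_id_safe(db, "2 OR 1=1")
    except ValueError as err:
        print("safe:       rejected ->", err)
```

The same probe that returns the whole table from the vulnerable lookups returns nothing (or is rejected outright) from the parameterized ones; the difference is entirely in whether the value is ever concatenated into SQL text.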

That's where database security tools with SQL injection blocking come into play.

"SQL injection is all about dirty input. In the end, the solution is input sanitization. That's an easy thing to say -- it's not an easy thing to do. You've got to put up some applications ... that are running that you'd like to fix, but it's going to take time. So the stop-gap measure that I think folks need to implement is database security," Shaul says. "Bringing that security right to where the data lives is the best way to effectively protect it while you're going through the process of fixing these known vulnerabilities in the environment."

According to Rob Rachwald, director of security for Imperva, Havij in particular has characteristics that make it possible for blocking tools to detect its activity in real time.

"When it hits the website, it gives a certain fingerprint that says, 'Hey, I'm an attack tool,'" Rachwald says. "So you can block that traffic right there."
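Rachwald's point that the tool announces itself, taken from the defender's side as an added example that is not from the article or from Imperva: a small Python scanner over constructed web-server log lines in the common "combined" format. A request is flagged when its User-Agent carries an assumed tool token (the article does not print the actual fingerprint, so the `TOOL_UA_TOKENS` value and the "Havij" substring in the sample lines are illustrative placeholders) or when its decoded query string matches generic SQL-injection probe signatures; hits are then summarized per source address, together with how many of them drew a 5xx response.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed tool marker: the article says the tool leaves a recognisable
# fingerprint but does not print it, so this token is an illustrative placeholder.
TOOL_UA_TOKENS = ("Havij",)

# Generic SQL-injection probe signatures, applied to the decoded query string.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"union\s+(all\s+)?select",                       # column-count / union probes
        r"information_schema",                            # schema enumeration
        r"\b(and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+",  # boolean tautology tests
        r"(--|#|/\*)",                                    # comment sequences
        r"'\s*$",                                         # trailing unbalanced quote
    )
]

# Constructed sample log (not real traffic): one ordinary visitor and one
# address probing the same parameter with injection syntax.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2012:17:38:01 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
203.0.113.9 - - [02/Apr/2012:17:38:02 +0000] "GET /news.php?id=12' HTTP/1.1" 500 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
203.0.113.9 - - [02/Apr/2012:17:38:02 +0000] "GET /news.php?id=12%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
203.0.113.9 - - [02/Apr/2012:17:38:03 +0000] "GET /news.php?id=12%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 4800 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"
203.0.113.5 - - [02/Apr/2012:17:38:04 +0000] "GET /search.php?q=carrot+recipes HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = unquote_plus(query)   # match against what the app would see
    entry["status"] = int(entry["status"])
    return entry


def flag_request(entry):
    """Reasons this request looks like SQL-injection probing (empty list if clean)."""
    reasons = []
    if any(tok.lower() in entry["ua"].lower() for tok in TOOL_UA_TOKENS):
        reasons.append("tool-ua")
    if any(p.search(entry["query"]) for p in SQLI_PATTERNS):
        reasons.append("sqli-pattern")
    return reasons


def summarize(log_text):
    """Per source IP: number of requests with injection patterns, whether a tool
    User-Agent was seen, and how many flagged requests drew a 5xx, which often
    means the injected syntax reached the database and broke the query."""
    per_ip = defaultdict(lambda: {"sqli_hits": 0, "tool_ua": False, "server_errors": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_request(entry)
        if not reasons:
            continue
        stats = per_ip[entry["ip"]]
        if "sqli-pattern" in reasons:
            stats["sqli_hits"] += 1
        if "tool-ua" in reasons:
            stats["tool_ua"] = True
        if entry["status"] >= 500:
            stats["server_errors"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
```

The User-Agent check is the cheapest signal and the easiest for an attacker to change, which is why the scanner also keys on the payload shape and on the burst of server errors from one address; a blocking rule in front of the database would combine the same three signals rather than rely on the tool's self-identification alone.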

User Rank: Ninja
4/2/2012 | 5:38:58 PM
re: Cybercrime's Love Affair With Havij Spells SQL Injection Trouble
Some good tips here about preventing SQL injection bugs in your code --
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
4/1/2012 | 12:09:28 AM
re: Cybercrime's Love Affair With Havij Spells SQL Injection Trouble
People tend to forget that it's not attacker tools that make vulnerabilities as bad as SQL injection -- it's developers. Developers caused this problem; this is their technical debt.

Havij doesn't find and exploit advanced SQL injection vulnerabilities. Heck, it doesn't even find SQL injection vulnerabilities at all -- it only exploits ones already found. Stranger still, Havij works best with vanilla SQL injection vulnerabilities.

A vanilla SQL injection vulnerability is akin to binding a bash shell to port 1337 using inetd. It's a glaring, visible, huge backdoor waiting for anyone to target it.

To put this in a context that maybe you'll understand in the physical world: it's like putting a huge stockpile of gold bars in your foyer and leaving your front door wide open with a huge sign on your lawn reading "FREE GOLD INSIDE".

Havij is merely a figurative wheel barrow designed to lift the gold out of your foyer. It's not complex or insightful.