7/5/2013
05:31 PM

New Techniques Obfuscate, Optimize SQL Injection Attacks

Black Hat researcher to demonstrate new methods for getting around defenses even more quickly to extract database data through SQLi

SQL injection attacks already stand as one of the most effective means hackers use to break into enterprise database infrastructures today. Now the attack could get a boost in effectiveness when a researcher at Black Hat USA later this month takes the wraps off new techniques that will make it harder for defenses to detect SQL injection attempts and which will speed up the process of extracting data from databases through blind SQL injection attacks.

"It just came out of playing around with SQL injections and seeing what they were capable of," says Roberto Salgado, founder and CTO of security consultancy Websec. "I started discovering all of these improvements I could make and places where I could make the data extraction from the database faster."

Salgado's discoveries centered around both obfuscation and optimization of SQL injection attacks. On the obfuscation side, he refined techniques that take advantage of the discrepancies in the way that databases handle certain characters versus applications and the Web application firewalls that protect them.

"I started noticing how [by] sometimes changing just one character or adding one special thing -- if you can figure out or guess features of the database which maybe the developer of the firewall wasn't aware of -- it can be very easy to get around firewalls," he says.

For example, the way Oracle handles the null byte, or 00, is one such instance.

"Oracle just reads the null byte as the white space, so everything runs as normal. Whereas the firewall might see the null byte as something else, a lot of times null bytes will actually terminate programs," he says. "So some databases will just do a null byte and ignore it, thinking it's harmless on the whole, but it's really allowing that SQL injection to get by the firewall undetected."
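The discrepancy Salgado describes is between what the filter sees and what the database parses. As an added example (not from the article, from Websec, or from any WAF product), the following Python sketch uses a constructed two-rule signature list to put two naive filter views beside a canonicalizing one: the literal view and the NUL-terminated-string view both miss a null byte placed inside a keyword pair, while the canonicalizing filter, which assumes the backend treats NUL as whitespace as the article says Oracle does, matches it. All function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed, deliberately tiny signature list for the demonstration;
# a production ruleset is far larger and is not what this example is about.
SIGNATURES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    re.compile(r"\bor\s+'?1'?\s*=\s*'?1\b", re.IGNORECASE),
]


def matches_signature(text: str) -> bool:
    return any(sig.search(text) for sig in SIGNATURES)


def literal_filter(raw: str) -> bool:
    """Filter that matches the bytes exactly as received. A NUL inside a
    token is not whitespace to the regex, so 'UNION<NUL>SELECT' is missed."""
    return matches_signature(raw)


def c_string_filter(raw: str) -> bool:
    """Filter built on NUL-terminated strings: everything after the first
    null byte is silently dropped before matching, so the tail is never seen."""
    return matches_signature(raw.split("\x00", 1)[0])


def canonicalize(raw: str) -> str:
    """Assumed backend view (an assumption, see lead-in): NUL is whitespace,
    as the article says Oracle treats it, and whitespace runs collapse to a
    single space so that signatures written with one space still apply."""
    return re.sub(r"\s+", " ", raw.replace("\x00", " ")).strip()


def canonical_filter(raw: str) -> bool:
    """Match against what the database would parse, not what arrived on the wire."""
    return matches_signature(canonicalize(raw))


if __name__ == "__main__":
    # Constructed sample inputs: a plain keyword pair, the same pair with a
    # null byte between the keywords, and an ordinary value with an apostrophe.
    for sample in ("1 UNION SELECT user FROM dual",
                   "1 UNION\x00SELECT user FROM dual",
                   "O'Brien"):
        print(repr(sample), literal_filter(sample), c_string_filter(sample),
              canonical_filter(sample))
```

The design point is that the canonicalization step has to mirror the specific backend's parser; a filter that normalizes for one database's quirks still disagrees with another database that reads the same byte differently, which is the class of gap the article says these techniques exploit.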

[Why do injection attacks still stand on top of the OWASP Top 10 2013? See Myth-Busting SQL- And Other Injection Attacks.]

While he expects the obfuscation techniques to interest penetration testers, he sees his optimization techniques as the potential game changers for blind SQL injection.

"Having an optimized SQL injection can definitely help us because we're doing a lot fewer requests to the server, which will get the data faster," he says. "It will use less bandwidth and be less of a burden on the server, which means we can get the data faster without alerting as many people or giving them enough time to react to the attack."

The difficulty of blind SQL injection is that the attacker can extract only one character at a time, Salgado says.

"Sometimes we have the possibility when errors are enabled and showing we can just dump the data through errors, but that's not always possible," he says.

Salgado says his methods are entirely new and make it possible to extract database information through blind SQL injection 20 to 40 percent faster than the current optimization technique, the bisection method. One of the techniques he will demonstrate cuts the current testing of parameters for single, double, or no quotes down to a single test. So for a site with, say, 400 parameters, that's 800 fewer tests needed. Similarly, he has managed to reduce the number of requests to the server in other ways.

"With my method I'm able to successfully reduce the amount of characters required to look for to two. What it does is it maps the set of characters we'd be interested in looking for in a list to their position in that list, and then we convert that position to binary," he says. "Then instead of having to extract letters and numbers, say from A to Z, zero to nine, all we have to look for at this point is just one or zero."

Salgado's Black Hat demonstration of obfuscation and optimization techniques will not only give penetration testers new ways to improve their SQL injection mojo, but it should also give those responsible for protecting database resources reason to pause. The faster and easier it is for attackers to get around Web application firewalls, the more imperative it becomes to recognize that they are no fix for SQL injection.

"I think what is really important to understand is that a firewall will not be the end goal -- it won't protect you against everything," he says, explaining that organizations should be looking to fix the root vulnerabilities in the application. "You should really have a security team look at your application, make sure that everything is secure, and then add the firewall as an extra step, just in case. A firewall will stop most script kiddies or amateurs, but they're a joke to anyone with slightly more sophistication."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Rubberman,
User Rank: Apprentice
7/30/2013 | 5:03:48 PM
re: New Techniques Obfuscate, Optimize SQL Injection Attacks
Any web application that utilizes raw SQL should be taken out behind the shed and shot! There is a reason why there are stored procedures in every SQL database worthy of the name, and why one NEVER uses input data to help build an SQL query - you ALWAYS use bind variables and validate the input. This is likely not 100% effective, but it would be as close to it as you can probably get.
notsosecure,
User Rank: Apprentice
7/9/2013 | 3:43:05 PM
re: New Techniques Obfuscate, Optimize SQL Injection Attacks
Learn advanced exploitation techniques in SQL Injection as well as lesser-known flaws such as LDAP, XPATH, XXE, etc. in a 2-day hands-on course at Black Hat:

https://www.blackhat.com/us-13...