Attacks/Breaches
9/20/2011
09:52 AM
50%
50%

8 Techniques To Block SQL Attacks

SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 unique attacks per hour or more. Consider this security advice to stop SQL attacks.

On average, Web applications see 71 attempted SQL injection attacks per hour. But during attack peaks, Web applications can see 1,300 unique attacks per hour.

Those findings come from security vendor Imperva, which on Monday released new research into SQL injection attacks. For its study, Imperva said it monitored 30 different Web applications--all of them real, of varying size, and used across different industries--during the past nine months. In that timeframe, Imperva saw the number of daily SQL injection attacks launched against Web applications increase by an average of 34%.

Attacks against Web applications, unfortunately, were already quite effective. Since 2005, Web attacks have accounted for 83% of successful hacking-related data breaches, according to Privacy Rights Clearinghouse. The reason is simple: Most Web applications have vulnerabilities that can be easily exploited by attackers.

The availability of automated penetration testing tools eases the work. Just on the SQL injection front, for example, open source Sqlmap can launch five different types of SQL injection attacks. Also popular--and used by LulzSec, among others--is Havij, an automated Windows SQL injection tool distributed by Iranian security company ITSecTeam. Both tools can fingerprint (identify) individual databases, retrieve username and password hashes, dump columns and tables, run SQL, and sometimes even executive commands via the database server operating system.

[Anatomy of a Zero-Day Attack: Pacific Northwest National Laboratory CIO Jerry Johnson takes you inside the cyber attack that he faced down--and shares his security lessons learned.]

With such tools in circulation, and Web application vulnerabilities at large, what can businesses do to better safeguard themselves? When it comes to stopping SQL injection attacks, start with these pieces of advice:

1. Blacklist malicious hosts. Nearly one-quarter of SQL injection attacks seen by Imperva in July, 2011 came from just three hosts. Furthermore, half of the top 10 hosts that launched SQL attacks generated up to 2,000 attacks over a period of between one and seven days, and 30 more hosts generated at least 100 attacks over a 48-hour period. All of this means that the most dangerous hosts can be identified, and then blacklisted against database access.

2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks. That said, according to Imperva, "the update rate of the blacklist must be high in order to keep up with new threats," because on average hosts only remain active for half a day.

3. Minimize access. Restrict the data that any given Web application can retrieve from a database. Never allow admin-level access to a database from a Web application.

4. Encrypt data. Never store data in plain text format. Rather, encrypt data, and at least salt and hash passwords, so that if attackers do manage to dump your database, they'll extract fewer pieces of high-value information.

5. Distrust users. "All input is evil." That's one essential Web application security mantra, according to Microsoft. What it means is that in an ideal scenario, Web application developers would only allow the inputs that they expect to receive, and would block all others.

6. Profile applications. Understand normal Web application behavior, so you can quickly identify when the application is behaving abnormally, such as attempting to execute many more database lookups than normal, or using unusual inputs.

7. Normalize inputs. Normalize database inputs--"to avoid evasion attempts," said Imperva--then compare them against a database of known-bad inputs, to spot in-progress attacks.

8. Watch for automation. Since most SQL injection attacks are launched using automated tools, watch for indications of this technique. According to Imperva, "various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges."

The above techniques will help IT teams block SQL injection attacks. They won't stop every last Web application attack, but given the prevalence of vulnerabilities in those applications, as well as attackers' ability to successfully exploit the flaws, businesses can use all of the help that they can get.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.