09:52 AM

8 Techniques To Block SQL Attacks

SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 unique attacks per hour or more. Consider this security advice to stop SQL attacks.

On average, Web applications see 71 attempted SQL injection attacks per hour. But during attack peaks, Web applications can see 1,300 unique attacks per hour.

Those findings come from security vendor Imperva, which on Monday released new research into SQL injection attacks. For its study, Imperva said it monitored 30 different Web applications--all of them real, of varying size, and used across different industries--during the past nine months. In that timeframe, Imperva saw the number of daily SQL injection attacks launched against Web applications increase by an average of 34%.

Attacks against Web applications, unfortunately, were already quite effective. Since 2005, Web attacks have accounted for 83% of successful hacking-related data breaches, according to Privacy Rights Clearinghouse. The reason is simple: Most Web applications have vulnerabilities that can be easily exploited by attackers.

The availability of automated penetration testing tools eases the work. Just on the SQL injection front, for example, open source Sqlmap can launch five different types of SQL injection attacks. Also popular--and used by LulzSec, among others--is Havij, an automated Windows SQL injection tool distributed by Iranian security company ITSecTeam. Both tools can fingerprint (identify) individual databases, retrieve username and password hashes, dump columns and tables, run SQL, and sometimes even executive commands via the database server operating system.

[Anatomy of a Zero-Day Attack: Pacific Northwest National Laboratory CIO Jerry Johnson takes you inside the cyber attack that he faced down--and shares his security lessons learned.]

With such tools in circulation, and Web application vulnerabilities at large, what can businesses do to better safeguard themselves? When it comes to stopping SQL injection attacks, start with these pieces of advice:

1. Blacklist malicious hosts. Nearly one-quarter of SQL injection attacks seen by Imperva in July, 2011 came from just three hosts. Furthermore, half of the top 10 hosts that launched SQL attacks generated up to 2,000 attacks over a period of between one and seven days, and 30 more hosts generated at least 100 attacks over a 48-hour period. All of this means that the most dangerous hosts can be identified, and then blacklisted against database access.

2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks. That said, according to Imperva, "the update rate of the blacklist must be high in order to keep up with new threats," because on average hosts only remain active for half a day.

3. Minimize access. Restrict the data that any given Web application can retrieve from a database. Never allow admin-level access to a database from a Web application.

4. Encrypt data. Never store data in plain text format. Rather, encrypt data, and at least salt and hash passwords, so that if attackers do manage to dump your database, they'll extract fewer pieces of high-value information.

5. Distrust users. "All input is evil." That's one essential Web application security mantra, according to Microsoft. What it means is that in an ideal scenario, Web application developers would only allow the inputs that they expect to receive, and would block all others.

6. Profile applications. Understand normal Web application behavior, so you can quickly identify when the application is behaving abnormally, such as attempting to execute many more database lookups than normal, or using unusual inputs.

7. Normalize inputs. Normalize database inputs--"to avoid evasion attempts," said Imperva--then compare them against a database of known-bad inputs, to spot in-progress attacks.

8. Watch for automation. Since most SQL injection attacks are launched using automated tools, watch for indications of this technique. According to Imperva, "various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges."

The above techniques will help IT teams block SQL injection attacks. They won't stop every last Web application attack, but given the prevalence of vulnerabilities in those applications, as well as attackers' ability to successfully exploit the flaws, businesses can use all of the help that they can get.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.