Attacks/Breaches
9/20/2011
09:52 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

8 Techniques To Block SQL Attacks

SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 unique attacks per hour or more. Consider this security advice to stop SQL attacks.

On average, Web applications see 71 attempted SQL injection attacks per hour. But during attack peaks, Web applications can see 1,300 unique attacks per hour.

Those findings come from security vendor Imperva, which on Monday released new research into SQL injection attacks. For its study, Imperva said it monitored 30 different Web applications--all of them real, of varying size, and used across different industries--during the past nine months. In that timeframe, Imperva saw the number of daily SQL injection attacks launched against Web applications increase by an average of 34%.

Attacks against Web applications, unfortunately, were already quite effective. Since 2005, Web attacks have accounted for 83% of successful hacking-related data breaches, according to Privacy Rights Clearinghouse. The reason is simple: Most Web applications have vulnerabilities that can be easily exploited by attackers.

The availability of automated penetration testing tools eases the work. Just on the SQL injection front, for example, open source Sqlmap can launch five different types of SQL injection attacks. Also popular--and used by LulzSec, among others--is Havij, an automated Windows SQL injection tool distributed by Iranian security company ITSecTeam. Both tools can fingerprint (identify) individual databases, retrieve username and password hashes, dump columns and tables, run SQL, and sometimes even executive commands via the database server operating system.

[Anatomy of a Zero-Day Attack: Pacific Northwest National Laboratory CIO Jerry Johnson takes you inside the cyber attack that he faced down--and shares his security lessons learned.]

With such tools in circulation, and Web application vulnerabilities at large, what can businesses do to better safeguard themselves? When it comes to stopping SQL injection attacks, start with these pieces of advice:

1. Blacklist malicious hosts. Nearly one-quarter of SQL injection attacks seen by Imperva in July, 2011 came from just three hosts. Furthermore, half of the top 10 hosts that launched SQL attacks generated up to 2,000 attacks over a period of between one and seven days, and 30 more hosts generated at least 100 attacks over a 48-hour period. All of this means that the most dangerous hosts can be identified, and then blacklisted against database access.

2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks. That said, according to Imperva, "the update rate of the blacklist must be high in order to keep up with new threats," because on average hosts only remain active for half a day.

3. Minimize access. Restrict the data that any given Web application can retrieve from a database. Never allow admin-level access to a database from a Web application.

4. Encrypt data. Never store data in plain text format. Rather, encrypt data, and at least salt and hash passwords, so that if attackers do manage to dump your database, they'll extract fewer pieces of high-value information.

5. Distrust users. "All input is evil." That's one essential Web application security mantra, according to Microsoft. What it means is that in an ideal scenario, Web application developers would only allow the inputs that they expect to receive, and would block all others.

6. Profile applications. Understand normal Web application behavior, so you can quickly identify when the application is behaving abnormally, such as attempting to execute many more database lookups than normal, or using unusual inputs.

7. Normalize inputs. Normalize database inputs--"to avoid evasion attempts," said Imperva--then compare them against a database of known-bad inputs, to spot in-progress attacks.

8. Watch for automation. Since most SQL injection attacks are launched using automated tools, watch for indications of this technique. According to Imperva, "various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges."

The above techniques will help IT teams block SQL injection attacks. They won't stop every last Web application attack, but given the prevalence of vulnerabilities in those applications, as well as attackers' ability to successfully exploit the flaws, businesses can use all of the help that they can get.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web