Risk
2/22/2010
12:28 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

SQL Injections Top Attack Statistics

Cybercriminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems

Special to Dark Reading

SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data.

According to recent published reports, analysis of the Web Hacking Incidents Database (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections.

"One of the reasons we're seeing such an increase in SQL injections is actually sort of what we've dubbed the 'industrialization' of hacking," says Brian Contos, chief security strategist for Imperva. "It's this notion of smart SQL injections leveraging things like Google searches, automation through bots, and various other technologies to carry out sophisticated, automated attacks."

SQL injection attacks are generally carried out by typing malformed SQL commands into front-end Web application input boxes that are tied to database accounts in order to trick the database into offering more access to information than the developer intended.

Part of the reason for such a huge rise in SQL injection during the past year to 18 months is the fact that criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems, Contos says. They use the attacks to both steal information from databases and to inject malicious code into these databases as a means to perpetrate further attacks.

"It doesn't really matter who you are or how big your company is or how sensitive the data may or may not be within the database," he says. "It really is a function of the fact that you just happen to be online, and if you have these vulnerabilities, [the bots] will find you."

Tom Cross, a vulnerability researcher for IBM ISS X-Force, says his team also has seen SQL injection attacks increase via automated attacks. "[SQL injection] automated attacks ... are being launched across the Internet, and the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits that end up exploiting vulnerabilities in the victims' browsers and taking over their PCs," Cross says.

Because SQL injection attacks have become so prevalent and often come via automated attacks, Imperva's Contos suggests organizations add another layer of protection between the database and the application accessing it during authentication. By utilizing CAPTCHA technology and requiring users to enter a random series of letters displayed in an image into a text box, organizations can go a long way toward thwarting automated attacks.

Then, of course, a lot of SQL injection prevention on the database side comes down to the basics, Contos says.

First, he recommends DBAs and developers not allow such robust error messages to be displayed when a user enters something weird into an input box. "If I'm an attacker, I'm probably not going to be able to get into the database on the first shot, but what I am going to do is some recon," he explains. "If I can get that database to respond with an error message and tell me all sorts of good stuff, like, 'Hey, I'm Oracle 9i, I'm this, I'm that,' that helps attackers carry out future attacks."

Organizations should also avoid leaving detailed comments and old copies of the database on the same system. While comments might help considerably during development troubleshoots, if left on production systems, they can only help aid attackers.

Finally, and perhaps most important, when it comes to SQL injection attack prevention, be sure to do input and output validation. "Have filters so you're validating exactly what's coming in, and then you can do output validation, too, out up and through the Web application," he says. "If you're expecting an integer, only allow integers."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.