Risk

2/22/2010
12:28 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

SQL Injections Top Attack Statistics

Cybercriminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems

Special to Dark Reading

SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data.

According to recent published reports, analysis of the Web Hacking Incidents Database (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections.

"One of the reasons we're seeing such an increase in SQL injections is actually sort of what we've dubbed the 'industrialization' of hacking," says Brian Contos, chief security strategist for Imperva. "It's this notion of smart SQL injections leveraging things like Google searches, automation through bots, and various other technologies to carry out sophisticated, automated attacks."

SQL injection attacks are generally carried out by typing malformed SQL commands into front-end Web application input boxes that are tied to database accounts in order to trick the database into offering more access to information than the developer intended.

Part of the reason for such a huge rise in SQL injection during the past year to 18 months is the fact that criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems, Contos says. They use the attacks to both steal information from databases and to inject malicious code into these databases as a means to perpetrate further attacks.

"It doesn't really matter who you are or how big your company is or how sensitive the data may or may not be within the database," he says. "It really is a function of the fact that you just happen to be online, and if you have these vulnerabilities, [the bots] will find you."

Tom Cross, a vulnerability researcher for IBM ISS X-Force, says his team also has seen SQL injection attacks increase via automated attacks. "[SQL injection] automated attacks ... are being launched across the Internet, and the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits that end up exploiting vulnerabilities in the victims' browsers and taking over their PCs," Cross says.

Because SQL injection attacks have become so prevalent and often come via automated attacks, Imperva's Contos suggests organizations add another layer of protection between the database and the application accessing it during authentication. By utilizing CAPTCHA technology and requiring users to enter a random series of letters displayed in an image into a text box, organizations can go a long way toward thwarting automated attacks.

Then, of course, a lot of SQL injection prevention on the database side comes down to the basics, Contos says.

First, he recommends DBAs and developers not allow such robust error messages to be displayed when a user enters something weird into an input box. "If I'm an attacker, I'm probably not going to be able to get into the database on the first shot, but what I am going to do is some recon," he explains. "If I can get that database to respond with an error message and tell me all sorts of good stuff, like, 'Hey, I'm Oracle 9i, I'm this, I'm that,' that helps attackers carry out future attacks."

Organizations should also avoid leaving detailed comments and old copies of the database on the same system. While comments might help considerably during development troubleshoots, if left on production systems, they can only help aid attackers.

Finally, and perhaps most important, when it comes to SQL injection attack prevention, be sure to do input and output validation. "Have filters so you're validating exactly what's coming in, and then you can do output validation, too, out up and through the Web application," he says. "If you're expecting an integer, only allow integers."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19220
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.
CVE-2018-19221
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter.
CVE-2018-19222
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists.
CVE-2018-19223
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI.
CVE-2018-19224
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.