8 Techniques To Block SQL Attacks

SQL injection attacks hit Web applications 71 times per hour on average, but can peak at 1,300 unique attacks per hour or more. Consider this security advice to stop SQL attacks.

Mathew J. Schwartz, Contributor

September 20, 2011

4 Min Read

On average, Web applications see 71 attempted SQL injection attacks per hour. But during attack peaks, Web applications can see 1,300 unique attacks per hour.

Those findings come from security vendor Imperva, which on Monday released new research into SQL injection attacks. For its study, Imperva said it monitored 30 different Web applications--all of them real, of varying size, and used across different industries--during the past nine months. In that timeframe, Imperva saw the number of daily SQL injection attacks launched against Web applications increase by an average of 34%.

Attacks against Web applications, unfortunately, were already quite effective. Since 2005, Web attacks have accounted for 83% of successful hacking-related data breaches, according to Privacy Rights Clearinghouse. The reason is simple: Most Web applications have vulnerabilities that can be easily exploited by attackers.

The availability of automated penetration testing tools eases the work. Just on the SQL injection front, for example, open source Sqlmap can launch five different types of SQL injection attacks. Also popular--and used by LulzSec, among others--is Havij, an automated Windows SQL injection tool distributed by Iranian security company ITSecTeam. Both tools can fingerprint (identify) individual databases, retrieve username and password hashes, dump columns and tables, run SQL, and sometimes even executive commands via the database server operating system.

[Anatomy of a Zero-Day Attack: Pacific Northwest National Laboratory CIO Jerry Johnson takes you inside the cyber attack that he faced down--and shares his security lessons learned.]

With such tools in circulation, and Web application vulnerabilities at large, what can businesses do to better safeguard themselves? When it comes to stopping SQL injection attacks, start with these pieces of advice:

1. Blacklist malicious hosts. Nearly one-quarter of SQL injection attacks seen by Imperva in July, 2011 came from just three hosts. Furthermore, half of the top 10 hosts that launched SQL attacks generated up to 2,000 attacks over a period of between one and seven days, and 30 more hosts generated at least 100 attacks over a 48-hour period. All of this means that the most dangerous hosts can be identified, and then blacklisted against database access.

2. Pool resources. Businesses that share intelligence on SQL injection attacks could have a better picture of which hosts were launching such attacks. That said, according to Imperva, "the update rate of the blacklist must be high in order to keep up with new threats," because on average hosts only remain active for half a day.

3. Minimize access. Restrict the data that any given Web application can retrieve from a database. Never allow admin-level access to a database from a Web application.

4. Encrypt data. Never store data in plain text format. Rather, encrypt data, and at least salt and hash passwords, so that if attackers do manage to dump your database, they'll extract fewer pieces of high-value information.

5. Distrust users. "All input is evil." That's one essential Web application security mantra, according to Microsoft. What it means is that in an ideal scenario, Web application developers would only allow the inputs that they expect to receive, and would block all others.

6. Profile applications. Understand normal Web application behavior, so you can quickly identify when the application is behaving abnormally, such as attempting to execute many more database lookups than normal, or using unusual inputs.

7. Normalize inputs. Normalize database inputs--"to avoid evasion attempts," said Imperva--then compare them against a database of known-bad inputs, to spot in-progress attacks.

8. Watch for automation. Since most SQL injection attacks are launched using automated tools, watch for indications of this technique. According to Imperva, "various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges."

The above techniques will help IT teams block SQL injection attacks. They won't stop every last Web application attack, but given the prevalence of vulnerabilities in those applications, as well as attackers' ability to successfully exploit the flaws, businesses can use all of the help that they can get.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights