Beating Automated SQL Injection Attacks

Sage words from the folks at Imperva along with this sobering reminder from Kevin Minick:  “”All the firewalls and intrusion detection systems in the world won’t be a guarantee that networks won’t be breached.  There’s no such thing as an impenetrable system, and no such thing as bugless software.”

Recently, US banks were warned about automated attacks coming from Havij, a SQL injection attack tool. While we’ve blogged on stopping SQL injection in the past, it is a topic always worth revisiting.

First, let’s make clear what WON’T help.  Earlier this month, Kevin Mitnick gave a talk at the US Naval Academy.  The first lesson?

“All the firewalls and intrusion detection systems in the world won’t be a guarantee that networks won’t be breached.  There’s no such thing as an impenetrable system, and no such thing as bugless software.” Kevin’s demonstration of exploiting vulnerabilities in widely used commercial software proves this. Moreover, this isn’t just software being used in the private sector.  Many of the exploits he demonstrated take advantage of software that’s become an integral part of the way the military handles its information.

Havij exploits vulnerabilities in software and is totally invisible to network firewalls/IPS.  Havij relies on a blind SQL injection vector, so if you protect against it you are safe.  Here’s how:

  1. Negative security model:  Protect against SQL Injection by blacklisting certain known SQL injection manifestations.
  2. Positive security model:  Every injection violates the normal application usage profile.
  3. Identifying automated interactions:  Havij is not human and behaves like a robot.  You can detect it by merely detecting the specific user agent string but also more subtle details such as constant values within the SQL attack itself.
  4. Clean code.

From a technology standpoint, only three types of products will help defeat Havij:

  1. Vulnerability scanners
  2. Code scanners
  3. Web application firewalls

Often, we see companies using vulnerability scanners and, to a much lesser extent, code scanning.  These technologies are very important but they only find issues.  Scanners tell you have problems but you have to figure out where they may be.  Code review gives you a specific line to remediate, but this takes time.  If you are under an imminent Havij attack, these products won’t help with immediate risk.

OWASP has argued in the past that technologies focused on finding vulnerabilities are useful but have one major problem:  they don’t block attacks.  This is why they recommend a web application firewall.  (Full disclosure:  we are a WAF vendor.)  WAFs do provide a shield against immediate attack and–at least in our case–we can recognize Havij and stop it.  Havij does come with some WAF evasion functionality–but it only works on Web Knight and ModSecurity.

Free Database Vulnerability Scanner

Detect high risk vulnerabilities that may be undermining the security of your business. Nearly 1,200 vulnerability tests developed by Imperva’s ADC research team. Get yours now.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.
%d bloggers like this: