SQL Injection – The Unknown Story
Rob Rachwald, Director of Security Strategy, Imperva
Live Webinar - October 26, 2011
Agenda SQL Injection: A Short Primer SQL Injection Today   + Attack Statistics   + Attack Process   + Attack Tools Miti...
Today’s PresenterRob Rachwald, Dir. of Security Strategy, Imperva Research   + Directs security strategy   + Works with t...
SQL Injection Primer
Reason for Data Loss from Hacking: 2005-2011                                          Other                               ...
Total Web Application Vulnerabilities   # of websites   (estimated: July 2011)*                    : 357,292,065          ...
How Many SQL Injections?            821,771,600    vulnerabilities in active circulation         What About SQL Injections...
SQL Injection Means Business, Literally
SQL Injection: Defined
SQL Injection: Technical Impact             Retrieve sensitive data from the             organization             Steal th...
SQL Injection: Business Impact        Breach Date       March 15, 2011                              Breach Date           ...
SQL Injection Today: Attack Stats
Still a Very Relevant Attack On average, we identified 53 SQLi attacks per hour and  1,093 attacks per day.
SQL Injections By the Hour
Majority of Attacks from Small Number of Hosts 41% of all SQLi attacks originated from just 10 hosts
SQL Injection Today: Attack Process
Hackers Increasingly Bypass Simple Defenses   1/**/aND/**/8=31 DeClARe @x varchar(99) set@x=0x77616974666f722064656c617920...
Getting Started Option 1a: Dorking   + Intent: Find something generally vulnerable Option 1b: General purpose scanner   ...
Step 1a: Google Dorks
Step 1a: Google Dorks                        What is It?  A google search term targeted at finding vulnerable websites.   ...
Dorking in Action
Automated Dorking (Desktop)
Carrying Out Attacks via Compromised Hosts
Dork Power: Queries Per Hour
Dork Power: Queries Per Day
Dorking in Action (Non SQL Example)
Dork Origins         Country          # of Dork Queries   % of Dork Queries Islamic Republic of Iran      227,554         ...
Step 1b: Scanners Choose the target site Scan it with scanner to find vulnerabilities Expand the vulnerability into ful...
Step 1b: Automated Scanning, Service
Step 1b: Automated Scanning, Service
Step 3: Automated Attack Tools        SQLmap                                 Havij
Automated Tools Havij/SQLmap pick up where scanner stops and exploit  the application    + Inserts sql statements    + Wi...
SQLi Attack Vectors Direct query manipulation Discovering the database structure Union Select SQL injection Time-based...
Step 4: Harvest
SQL Injection Today: Attack Tools
Main Automated Attack Tools       SQLmap                              Havij
Attacks From Automated Tools
Mitigation Checklist
Step 1: Dork Yourself Put detection policies in place (using the data source  monitoring solution) to depict move of sens...
Step 2: Create and Deploy a Blacklist of Hoststhat Initiated SQLi Attacks                       Positives                ...
Step 3: Use a WAF to Detect/Block Attacks Positives   + Can block many attacks   + Relatively easy   + Can accelerate SDL...
Step 4: WAF + Vulnerability Scanner                    “Security No-Brainer #9:                Application Vulnerability S...
Virtual Patching through Scanner Integration Apply SecureSphere policies based on scan results Monitor attempts to explo...
Step 5: Stop Automated Attack Tools                     Positives                       + Detects automated tool         ...
Step 6: Code Fixing                       Positives                         + Root cause fixed                         + ...
Summary: The Anti-SQL Stack              Dork Yourself                Blacklist                  WAF                WAF + ...
About Imperva
Our Story in 60 Seconds        Attack              Usage      Protection            Audit       Virtual              Right...
Webinar Materials Get LinkedIn to Imperva Data Security Direct for…                            Answers to        Post-Webi...
www.imperva.com
1. SQL Injection – The Unknown Story
   Rob Rachwald, Director of Security Strategy, Imperva
   Live Webinar - October 26, 2011

2. Agenda
   + SQL Injection: A Short Primer
   + SQL Injection Today: Attack Statistics, Attack Process, Attack Tools
   + Mitigation Checklist

3. Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
   + Research: directs security strategy; works with the Imperva Application Defense Center
   + Security experience: Fortify Software and Coverity; helped secure Intel’s supply chain software; extensive international experience in Japan, China, France, and Australia
   + Thought leadership: presented at RSA, InfoSec, OWASP, ISACA; appearances on CNN, SkyNews, BBC, NY Times, and USA Today
   + Graduated from University of California, Berkeley

4. SQL Injection Primer

5. Reason for Data Loss from Hacking: 2005-2011
   + SQL injection: 83%
   + Other: 17%
   + Total = 315,424,147 records (856 breaches). Source: Privacy Rights Clearinghouse

6. Total Web Application Vulnerabilities
   + # of websites (estimated: July 2011)*: 357,292,065
   + x # of vulnerabilities**: 230
   + x 1%
   + = 821,771,600 vulnerabilities in active circulation
   *Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
   **Source: https://www.whitehatsec.com/home/resource/stats.

7. How Many SQL Injections?
   821,771,600 vulnerabilities in active circulation. What about SQL injections?
   + 10%? 82,177,160
   + 20%? 164,354,320
   + 30%? 246,531,480

8. SQL Injection Means Business, Literally

9. SQL Injection: Defined

10. SQL Injection: Technical Impact
   + Retrieve sensitive data from the organization
   + Steal the site’s administrator password
   + Lead to the downloading of malware

11. SQL Injection: Business Impact
   + Breach date: March 15, 2011
   + Breach date: January 19, 2009

12. SQL Injection Today: Attack Stats

13. Still a Very Relevant Attack
   On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.

14. SQL Injections By the Hour

15. Majority of Attacks from Small Number of Hosts
   41% of all SQLi attacks originated from just 10 hosts

16. SQL Injection Today: Attack Process

17. Hackers Increasingly Bypass Simple Defenses
   + 1/**/aND/**/8=31
   + DeClARe @x varchar(99) set@x=0x77616974666f722064656c61792027303a303a323027exec(@x)--
   + concat() and char()
   + x wAiTfOr dELay 0:0:20--
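The four samples on slide 17 are the same kind of statement dressed up three ways: inline comments instead of spaces, mixed case, and a hex literal that hides the keywords until the database decodes it. The following is an added example, not from the deck or from Imperva: a small log pre-processor that undoes those three tricks before matching a handful of signatures, run over constructed access-log lines carrying the slide’s payloads. The function names, the signature list and the log lines are assumptions made for this example.

```python
import re

# A hex literal as a run of byte pairs; the pair form stops cleanly where the
# literal runs straight into more text, as in "...3027exec(@x)" on the slide.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)")

def normalize(param):
    """Canonical form of one request parameter, for signature matching."""
    s = param.lower()                                # wAiTfOr -> waitfor
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)     # 1/**/aND/**/8=31 -> 1 and 8=31
    def decode_hex(m):                               # 0x7761...27 -> waitfor delay '0:0:20'
        raw = bytes.fromhex(m.group(1))
        if not raw.isascii() or not raw.decode("ascii").isprintable():
            return m.group(0)                        # binary literal, leave as-is
        return raw.decode("ascii")
    s = HEX_LITERAL.sub(decode_hex, s)
    return re.sub(r"\s+", " ", s).strip()

# Signatures applied to the normalized text (constructed for this example).
SIGNATURES = [
    ("time-based blind (waitfor delay)", re.compile(r"\bwaitfor\s+delay\b")),
    ("union select", re.compile(r"\bunion\b.*\bselect\b")),
    ("boolean condition on literals", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+")),
    ("string building via char()/concat()", re.compile(r"\b(?:char|concat)\s*\(")),
    ("exec of a built string", re.compile(r"\bexec\s*\(")),
]

def classify(param):
    """Names of the signatures that match after normalization."""
    norm = normalize(param)
    return [name for name, rx in SIGNATURES if rx.search(norm)]

# Constructed access-log fragments carrying the payloads quoted on slide 17.
SAMPLE_LOG = [
    "GET /item.php?id=1/**/aND/**/8=31",
    "GET /item.php?id=1;DeClARe @x varchar(99) set@x=0x77616974666f722064656c61792027303a303a323027exec(@x)--",
    "GET /item.php?id=1 wAiTfOr dELay 0:0:20--",
    "GET /item.php?id=42",
]

def scan_log(lines):
    """Map each suspicious log line to the signatures it triggers."""
    hits = {}
    for line in lines:
        found = classify(line.partition("?")[2])     # everything after the first '?'
        if found:
            hits[line] = found
    return hits
```

Matching on the normalized form is what lets one `waitfor delay` signature catch both the plain mixed-case sample and the hex-encoded one.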
18. Getting Started
   + Option 1a: Dorking. Intent: find something generally vulnerable
   + Option 1b: General-purpose scanner. Intent: find something specifically vulnerable

19. Step 1a: Google Dorks

20. Step 1a: Google Dorks
   + What is it? A Google search term targeted at finding vulnerable websites.
   + How does it work? An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results, an attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are potentially vulnerable.

21. Dorking in Action

22. Automated Dorking (Desktop)

23. Carrying Out Attacks via Compromised Hosts

24. Dork Power: Queries Per Hour

25. Dork Power: Queries Per Day

26. Dorking in Action (Non-SQL Example)

27. Dork Origins
   Country                     # of Dork Queries   % of Dork Queries
   Islamic Republic of Iran    227,554             41
   Hungary                     136,445             25
   Germany                      80,448             15
   United States                19,237             3.5
   Chile                        17,365             3
   Thailand                     16,717             3
   Republic of Korea            11,872             2
   France                       10,906             2
   Belgium                      10,661             2
   Brazil                        7,559             1.5
   Other                         8,892             2

28. Step 1b: Scanners
   + Choose the target site
   + Scan it with a scanner to find vulnerabilities
   + Expand the vulnerability into a full-blown exploit

29. Step 1b: Automated Scanning, Service

30. Step 1b: Automated Scanning, Service

31. Step 3: Automated Attack Tools: SQLmap, Havij

32. Automated Tools
   Havij/SQLmap pick up where the scanner stops and exploit the application
   + Inserts SQL statements
   + Will not scan the full app, just specific areas; makes a small hole really big
   + Fetches specific information, such as column data

33. SQLi Attack Vectors
   + Direct query manipulation
   + Discovering the database structure
   + Union Select SQL injection
   + Time-based blind SQL injection
   + Bypassing simple parameter sanitization

34. Step 4: Harvest

35. SQL Injection Today: Attack Tools

36. Main Automated Attack Tools: SQLmap, Havij

37. Attacks From Automated Tools

38. Mitigation Checklist

39. Step 1: Dork Yourself
   + Put detection policies in place (using the data source monitoring solution) to detect movement of sensitive data to public-facing servers.
   + Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled to verify that no sensitive data resides on these publicly accessible servers.
   + Periodically look for new data stores that hold sensitive data. Tools exist today to assist in detecting database servers in the network and classifying their contents.

40. Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks
   Positives
   + Blocks up to 40% of attack traffic
   + Easy
   Negatives
   + Does not deal with the underlying problem

41. Step 3: Use a WAF to Detect/Block Attacks
   Positives
   + Can block many attacks
   + Relatively easy
   + Can accelerate SDLC
   Negatives
   + Can become a crutch
   + Potential for false positives

42. Step 4: WAF + Vulnerability Scanner
   “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” (Neil MacDonald, Gartner)
   Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/

43. Virtual Patching through Scanner Integration
   + Apply SecureSphere policies based on scan results
   + Monitor attempts to exploit known vulnerabilities
   + Fix and test vulnerabilities on your schedule
   (Diagram: the scanner finds vulnerabilities in the customer site’s web applications; SecureSphere imports the scan results, then monitors and protects the web applications.)

44. Step 5: Stop Automated Attack Tools
   Positives
   + Detects automated tool fingerprints to block many attacks
   + Relatively easy
   Negatives
   + Potential for false positives

45. Step 6: Code Fixing
   Positives
   + Root cause fixed
   + Earlier is cheaper
   Negatives
   + Expensive, time consuming
   + Never-ending process
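Step 6 is the only item on the checklist that removes the root cause rather than filtering around it. The following is an added example, not from the deck or from Imperva: the same user lookup written as the string-built query that makes injection possible and as the parameterized query that fixes it, run against a constructed in-memory SQLite table so the behavioural difference is observable. The table, the data and the function names are assumptions made for this example.

```python
import sqlite3

def make_db():
    """Constructed sample table standing in for an application's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con

def find_user_vulnerable(con, name):
    """The 'before' code: the request parameter is pasted into the statement text,
    so a quote character in the input changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]

def find_user_fixed(con, name):
    """The root-cause fix: the value is bound as a parameter, so the driver passes it
    to the engine as data and it can never alter the statement."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name,))]

if __name__ == "__main__":
    con = make_db()
    # A quote in the input closes the literal and lets an extra condition in.
    tainted = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(con, tainted))   # every row comes back
    print("fixed:     ", find_user_fixed(con, tainted))        # no row matches
```

The same bound-parameter form is the answer to the "bypassing simple parameter sanitation" vector on slide 33: there is no string to sanitize because the value never becomes part of the statement.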
46. Summary: The Anti-SQL Stack
   + Dork Yourself
   + Blacklist
   + WAF
   + WAF + VA
   + Stop Automated Attacks
   + Code Fixing

47. About Imperva

48. Our Story in 60 Seconds
   (Diagram labels: Attack Protection, Usage Audit, Virtual Patching, Rights Management, Reputation Controls, Access Control)

49. Webinar Materials
   Get LinkedIn to Imperva Data Security Direct for…
   + Answers to attendee questions
   + Post-webinar discussions
   + Webinar recording link
   + ADC research report

50. www.imperva.com