SQL Injection – The Unknown Story
Rob Rachwald, Director of Security Strategy, Imperva
Live Webinar - October 26, 2011
Agenda
+ SQL Injection: A Short Primer
+ SQL Injection Today
  + Attack Statistics
  + Attack Process
  + Attack Tools
+ Mitigation Checklist
Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia
Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Reason for Data Loss from Hacking: 2005-2011
[Pie chart] SQL injection 83%; Other 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
Total Web Application Vulnerabilities
# of websites (estimated: July 2011)*: 357,292,065
x # of vulnerabilities**: 230
x 1%
= 821,771,600 vulnerabilities in active circulation
*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
**Source: https://www.whitehatsec.com/home/resource/stats.
How Many SQL Injections?
821,771,600 vulnerabilities in active circulation
What About SQL Injections?
10%? 82,177,160
20%? 164,354,320
30%? 246,531,480
Step 1a: Google Dorks
What is It?
A Google search term targeted at finding vulnerable websites.
How Does It Work?
An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are potentially vulnerable.
Dork Origins
Country                    # of Dork Queries   % of Dork Queries
Islamic Republic of Iran   227,554             41
Hungary                    136,445             25
Germany                    80,448              15
United States              19,237              3.5
Chile                      17,365              3
Thailand                   16,717              3
Republic of Korea          11,872              2
France                     10,906              2
Belgium                    10,661              2
Brazil                     7,559               1.5
Other                      8,892               2
Step 1b: Scanners
+ Choose the target site
+ Scan it with a scanner to find vulnerabilities
+ Expand the vulnerability into a full-blown exploit
Automated Tools
Havij/SQLmap pick up where the scanner stops and exploit the application
+ Inserts SQL statements
+ Will not scan the full app, just specific areas. Makes a small hole really big
+ Fetches specific information, such as column data
SQLi Attack Vectors
+ Direct query manipulation
+ Discovering the database structure
+ Union Select SQL injection
+ Time-based blind SQL injection
+ Bypassing simple parameter sanitation
Step 1: Dork Yourself
+ Put detection policies in place (using the data source monitoring solution) to detect movement of sensitive data to public-facing servers.
+ Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.
+ Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks
Positives
+ Blocks up to 40% of attack traffic
+ Easy
Negatives
+ Does not deal with the underlying problem
Step 3: Use a WAF to Detect/Block Attacks
Positives
+ Can block many attacks
+ Relatively easy
+ Can accelerate SDLC
Negatives
+ Can become a crutch
+ Potential for false positives
Virtual Patching through Scanner Integration
+ Apply SecureSphere policies based on scan results
+ Monitor attempts to exploit known vulnerabilities
+ Fix and test vulnerabilities on your schedule
[Diagram] Scanner finds vulnerabilities at the customer site -> SecureSphere imports scan results -> Monitor and protect web applications
Step 5: Stop Automated Attack Tools
Positives
+ Detects automated tool fingerprints to block many attacks
+ Relatively easy
Negatives
+ Potential for false positives
Step 6: Code Fixing
Positives
+ Root cause fixed
+ Earlier is cheaper
Negatives
+ Expensive, time consuming
+ Never-ending process
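As an added illustration of what the root-cause fix looks like in code (example written for this page, not taken from the webinar or from Imperva): the string-built query that "direct query manipulation" exploits, beside its parameterized form, run against a constructed in-memory SQLite table. The table, rows and inputs are all made up for the demo.

```python
import sqlite3


def build_db():
    # Constructed sample data (not from the webinar): two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user_unsafe(conn, name):
    """The defect: user input is spliced into the SQL text, so the input can
    change the shape of the query instead of being treated as a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """The fix: the SQL text is a constant and the input is bound as a
    parameter. Whatever the input contains, it is compared as a literal."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both forms on a normal name and on a constructed tautology input;
    returns the row lists so the behaviour can be checked, not just printed."""
    conn = build_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed: closes the quote and appends an always-true condition
    return {
        "unsafe_normal": lookup_user_unsafe(conn, normal),
        "unsafe_tautology": lookup_user_unsafe(conn, tautology),  # every row comes back
        "safe_normal": lookup_user_safe(conn, normal),
        "safe_tautology": lookup_user_safe(conn, tautology),  # no user is literally named that
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The unsafe form returns both rows for the tautology input because the quote in the input ends the string literal; the parameterized form returns nothing, since the driver never lets the input touch the query text.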
Summary: The Anti-SQL Stack
+ Dork Yourself
+ Blacklist
+ WAF
+ WAF + VA
+ Stop Automated Attacks
+ Code Fixing