SQL Injection - The Unknown Story
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

SQL Injection - The Unknown Story

on

  • 1,737 views

 

Statistics

Views

Total Views
1,737
Views on SlideShare
1,722
Embed Views
15

Actions

Likes
2
Downloads
36
Comments
0

2 Embeds 15

http://www.linkedin.com 14
http://a0.twimg.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

SQL Injection - The Unknown Story Presentation Transcript

  • 1. SQL Injection – The Unknown StoryRob Rachwald, Director of Security Strategy, ImpervaLive Webinar - October 26, 2011
  • 2. Agenda SQL Injection: A Short Primer SQL Injection Today + Attack Statistics + Attack Process + Attack Tools Mitigation Checklist
  • 3. Today’s PresenterRob Rachwald, Dir. of Security Strategy, Imperva Research + Directs security strategy + Works with the Imperva Application Defense Center Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and Australia Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today Graduated from University of California, Berkeley
  • 4. SQL Injection Primer
  • 5. Reason for Data Loss from Hacking: 2005-2011 Other 17% SQL injection 83% Total=315,424,147 records (856 breaches)Source: Privacy Rights Clearinghouse
  • 6. Total Web Application Vulnerabilities # of websites (estimated: July 2011)* : 357,292,065 x # of vulnerabilities** : 230 1% 821,771,600 vulnerabilities in active circulation*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html**Source: https://www.whitehatsec.com/home/resource/stats.
  • 7. How Many SQL Injections? 821,771,600 vulnerabilities in active circulation What About SQL Injections?  10%? 82,177,160  20%? 164,354,320  30%? 246,531,480
  • 8. SQL Injection Means Business, Literally
  • 9. SQL Injection: Defined
  • 10. SQL Injection: Technical Impact Retrieve sensitive data from the organization Steal the site’s administrator password Lead to the downloading of malware
  • 11. SQL Injection: Business Impact Breach Date March 15, 2011 Breach Date January 19, 2009
  • 12. SQL Injection Today: Attack Stats
  • 13. Still a Very Relevant Attack On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • 14. SQL Injections By the Hour
  • 15. Majority of Attacks from Small Number of Hosts 41% of all SQLi attacks originated from just 10 hosts
  • 16. SQL Injection Today: Attack Process
  • 17. Hackers Increasingly Bypass Simple Defenses 1/**/aND/**/8=31 DeClARe @x varchar(99) set@x=0x77616974666f722064656c61792027303a303a323027exec(@x)-- concat() and char() x wAiTfOr dELay 0:0:20--
  • 18. Getting Started Option 1a: Dorking + Intent: Find something generally vulnerable Option 1b: General purpose scanner + Intent: Find something specifically vulnerable
  • 19. Step 1a: Google Dorks
  • 20. Step 1a: Google Dorks What is It? A google search term targeted at finding vulnerable websites. How Does It Work? An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are potentially vulnerable.
  • 21. Dorking in Action
  • 22. Automated Dorking (Desktop)
  • 23. Carrying Out Attacks via Compromised Hosts
  • 24. Dork Power: Queries Per Hour
  • 25. Dork Power: Queries Per Day
  • 26. Dorking in Action (Non SQL Example)
  • 27. Dork Origins Country # of Dork Queries % of Dork Queries Islamic Republic of Iran 227,554 41 Hungary 136,445 25 Germany 80,448 15 United States 19,237 3.5 Chile 17,365 3 Thailand 16,717 3 Republic of Korea 11,872 2 France 10,906 2 Belgium 10,661 2 Brazil 7,559 1.5 Other 8,892 2
  • 28. Step 1b: Scanners Choose the target site Scan it with scanner to find vulnerabilities Expand the vulnerability into full blown exploit
  • 29. Step 1b: Automated Scanning, Service
  • 30. Step 1b: Automated Scanning, Service
  • 31. Step 3: Automated Attack Tools SQLmap Havij
  • 32. Automated Tools Havij/SQLmap pick up where scanner stops and exploit the application + Inserts sql statements + Will not scan full app, just specific areas. Makes a small hole really big + Fetches specific information, such as column data
  • 33. SQLi Attack Vectors Direct query manipulation Discovering the database structure Union Select SQL injection Time-based blind SQL injection Bypassing simple parameter sanitation
  • 34. Step 4: Harvest
  • 35. SQL Injection Today: Attack Tools
  • 36. Main Automated Attack Tools SQLmap Havij
  • 37. Attacks From Automated Tools
  • 38. Mitigation Checklist
  • 39. Step 1: Dork Yourself Put detection policies in place (using the data source monitoring solution) to depict move of sensitive data to public facing servers. Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers. Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
  • 40. Step 2: Create and Deploy a Blacklist of Hoststhat Initiated SQLi Attacks  Positives + Blocks up to 40% of attack traffic + Easy  Negatives + Does not deal with the underlying problem
  • 41. Step 3: Use a WAF to Detect/Block Attacks Positives + Can block many attacks + Relatively easy + Can accelerate SDLC Negatives + Can become a crutch + Potential for false positives
  • 42. Step 4: WAF + Vulnerability Scanner “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, GartnerSource: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
  • 43. Virtual Patching through Scanner Integration Apply SecureSphere policies based on scan results Monitor attempts to exploit known vulnerabilities Fix and test vulnerabilities on your schedule Scanner finds vulnerabilities Customer Site SecureSphere importsMonitor and protect scan results Web applications
  • 44. Step 5: Stop Automated Attack Tools  Positives + Detects automated tool fingerprints to block many attacks + Relatively easy  Negatives + Potential for false positives
  • 45. Step 6: Code Fixing  Positives + Root cause fixed + Earlier is cheaper  Negatives + Expensive, time consuming + Never-ending process
  • 46. Summary: The Anti-SQL Stack Dork Yourself Blacklist WAF WAF + VA Stop Automated Attacks Code Fixing
  • 47. About Imperva
  • 48. Our Story in 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
  • 49. Webinar Materials Get LinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Recording ADC Research Link Report
  • 50. www.imperva.com