SQL Injection - The Unknown Story
Page 1
SQL Injection – The Unknown Story Rob Rachwald, Director of Security Strategy, Imperva Live Webinar - October 26, 2011
Page 2
Agenda
SQL Injection: A Short Primer
SQL Injection Today
+Attack Statistics
+Attack Process
+Attack Tools
Mitigation Checklist
Page 3
Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+Directs security strategy
+Works with the Imperva Application Defense Center
Security experience
+Fortify Software and Coverity
+Helped secure Intel’s supply chain software
+Extensive international experience in Japan, China, France, and Australia
Thought leadership
+Presented at RSA, InfoSec, OWASP, ISACA
+Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Page 4
SQL Injection Primer
Page 5
Reason for Data Loss from Hacking: 2005-2011
SQL injection 83%
Other 17%
Total=315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
Page 6
Total Web Application Vulnerabilities
# of websites (estimated: July 2011)*: 357,292,065
x 1%
x 230 (# of vulnerabilities**)
= 821,771,600 vulnerabilities in active circulation
*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
**Source: https://www.whitehatsec.com/home/resource/stats.
Page 7
How Many SQL Injections?
What About SQL Injections?
10%? 82,177,160
20%? 164,354,320
30%? 246,531,480
821,771,600 vulnerabilities in active circulation
Page 8
SQL Injection Means Business, Literally
Page 9
SQL Injection: Defined
Page 10
SQL Injection: Technical Impact
Retrieve sensitive data from the organization
Steal the site’s administrator password
Lead to the downloading of malware
Page 11
SQL Injection: Business Impact
Breach Date March 15, 2011
Breach Date January 19, 2009
Page 12
SQL Injection Today: Attack Stats
Page 13
Still a Very Relevant Attack
On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.
Page 14
SQL Injections By the Hour
Page 15
Majority of Attacks from Small Number of Hosts
41% of all SQLi attacks originated from just 10 hosts
Page 16
SQL Injection Today: Attack Process
Page 17
Hackers Increasingly Bypass Simple Defenses
1'/**/aND/**/'8'='3
1 DeClARe @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--
concat() and char()
x' wAiTfOr dELay '0:0:20'--
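The evasions above defeat a literal keyword blacklist because such a filter matches bytes, not SQL meaning. As an added illustration (not part of the original deck), the following Python canonicalizes a request parameter before matching and shows that the slide's three payloads pass a naive check but are caught after normalization; the sample inputs, keyword list and patterns are constructed for this example.

```python
import re

# Constructed samples: the three evasion payloads from the slide plus one benign value.
SAMPLES = {
    "comment_split": "1'/**/aND/**/'8'='3",
    "hex_exec": "1 DeClARe @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--",
    "case_delay": "x' wAiTfOr dELay '0:0:20'--",
    "benign": "O'Brien and sons",
}

# A literal, case-sensitive keyword blacklist: the "simple defense" the slide shows being bypassed.
NAIVE_KEYWORDS = ("' and '", "waitfor delay", "declare @")

def naive_match(value: str) -> bool:
    return any(k in value for k in NAIVE_KEYWORDS)

def normalize(value: str) -> str:
    """Canonicalize before matching: lowercase (defeats mixed case), replace inline
    /**/ comments with a space (defeats comment splitting), decode 0x.. hex literals
    (defeats the hex-encoded exec() trick) and collapse whitespace."""
    v = value.lower()
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"0x((?:[0-9a-f]{2})+)",
               lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), v)
    return re.sub(r"\s+", " ", v).strip()

# Patterns are matched against the normalized form, not the raw bytes.
SQLI_PATTERNS = {
    "boolean_probe": re.compile(r"'\s*(and|or)\s*'"),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b"),
    "declare_exec": re.compile(r"\bdeclare\s+@\w+|\bexec\s*\("),
}

def detect(value: str) -> list:
    """Return the names of the patterns that match the canonicalized input (empty if none)."""
    canon = normalize(value)
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(canon)]

def compare() -> dict:
    """Per sample: (naive blacklist hit?, pattern names hit after normalization)."""
    return {k: (naive_match(v), detect(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:14} naive={naive!s:5} normalized={norm}")
```

Canonicalization narrows the gap but does not close it; it is a detection aid, and the root cause still has to be fixed in code.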
Page 18
Getting Started
Option 1a: Dorking
+Intent: Find something generally vulnerable
Option 1b: General purpose scanner
+Intent: Find something specifically vulnerable
Page 19
Step 1a: Google Dorks
Page 20
Step 1a: Google Dorks
What Is It? A Google search term targeted at finding vulnerable websites.
How Does It Work?
An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an
attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are
potentially vulnerable.
Page 21
Dorking in Action
Page 22
Automated Dorking (Desktop)
Page 23
Carrying Out Attacks via Compromised Hosts
Page 24
Dork Power: Queries Per Hour
Page 25
Dork Power: Queries Per Day
Page 26
Dorking in Action (Non SQL Example)
Page 27
Dork Origins
Country | # of Dork Queries | % of Dork Queries
Islamic Republic of Iran | 227,554 | 41
Hungary | 136,445 | 25
Germany | 80,448 | 15
United States | 19,237 | 3.5
Chile | 17,365 | 3
Thailand | 16,717 | 3
Republic of Korea | 11,872 | 2
France | 10,906 | 2
Belgium | 10,661 | 2
Brazil | 7,559 | 1.5
Other | 8,892 | 2
Page 28
Step 1b: Scanners
Choose the target site
Scan it with scanner to find vulnerabilities
Expand the vulnerability into full blown exploit
Page 29
Step 1b: Automated Scanning, Service
Page 30
Step 1b: Automated Scanning, Service
Page 31
Step 3: Automated Attack Tools
SQLmap
Havij
Page 32
Automated Tools
Havij/SQLmap pick up where the scanner stops and exploit the application
+Inserts SQL statements
+Will not scan the full app, just specific areas. Makes a small hole really big
+Fetches specific information, such as column data
Page 33
SQLi Attack Vectors
Direct query manipulation
Discovering the database structure
Union Select SQL injection
Time-based blind SQL injection
Bypassing simple parameter sanitation
Page 34
Step 4: Harvest
Page 35
SQL Injection Today: Attack Tools
Page 36
Main Automated Attack Tools
SQLmap
Havij
Page 37
Attacks From Automated Tools
Page 38
Mitigation Checklist
Page 39
Step 1: Dork Yourself
Put detection policies in place (using the data source monitoring solution) to detect movement of sensitive data to public-facing servers.
Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.
Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
Page 40
Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks
Positives
+Blocks up to 40% of attack traffic
+Easy
Negatives
+Does not deal with the underlying problem
Page 41
Step 3: Use a WAF to Detect/Block Attacks
Positives
+Can block many attacks
+Relatively easy
+Can accelerate SDLC
Negatives
+Can become a crutch
+Potential for false positives
Page 42
Step 4: WAF + Vulnerability Scanner
“Security No-Brainer #9: Application Vulnerability Scanners
Should Communicate with Application Firewalls”
—Neil MacDonald, Gartner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
Page 43
Virtual Patching through Scanner Integration
Customer Site: Scanner finds vulnerabilities -> SecureSphere imports scan results -> Monitor and protect Web applications
Apply SecureSphere policies based on scan results
Monitor attempts to exploit known vulnerabilities
Fix and test vulnerabilities on your schedule
Page 44
Step 5: Stop Automated Attack Tools
Positives
+Detects automated tool fingerprints to block many attacks
+Relatively easy
Negatives
+Potential for false positives
Page 45
Step 6: Code Fixing
Positives
+Root cause fixed
+Earlier is cheaper
Negatives
+Expensive, time consuming
+Never-ending process
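Code fixing removes the root cause: query text must never be assembled from user input. The following Python/SQLite example (added here, not from the deck) runs the comment-split payload shown on the evasion slide against a string-concatenated query and against a parameterized one; the table, its rows and the `'8'='8'` variant of the payload are constructed for this example.

```python
import sqlite3

# Constructed sample store: an in-memory SQLite table standing in for a site's user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The 'before': the parameter is spliced into the SQL text, so quotes, comments
    and keywords inside it are parsed as SQL. /**/ is a valid SQLite comment, so the
    slide's payload turns the query into ... WHERE id = '1' AND '8'='3'."""
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: a bound parameter reaches the engine as a value. The statement's
    structure is settled at parse time, so the same payload is just a string that
    matches no id."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]

# Payload from the slide (injected condition is false) and a constructed true variant.
PAYLOAD_FALSE = "1'/**/aND/**/'8'='3"
PAYLOAD_TRUE = "1'/**/aND/**/'8'='8"
INPUTS = ("1", PAYLOAD_FALSE, PAYLOAD_TRUE)

def demo() -> dict:
    """Run each input through both lookups and return the rows each one produced."""
    conn = make_db()
    return {
        "vulnerable": {p: lookup_vulnerable(conn, p) for p in INPUTS},
        "fixed": {p: lookup_fixed(conn, p) for p in INPUTS},
    }

if __name__ == "__main__":
    for variant, results in demo().items():
        for payload, rows in results.items():
            print(f"{variant:10} {payload!r:28} -> {rows}")
```

In the vulnerable path the row comes back only when the injected comparison is true, which is exactly the yes/no signal that blind injection relies on; the parameterized path returns the row only for the literal id.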
Page 46
Summary: The Anti-SQL Stack
Code Fixing
Dork Yourself
Blacklist
WAF
WAF + VA
Stop Automated Attacks
Page 47
About Imperva
Page 48
Our Story in 60 Seconds
Usage Audit
Access Control
Rights Management
Attack Protection
Reputation Controls
Virtual Patching
Page 49
Webinar Materials
Get LinkedIn to Imperva Data Security Direct for…
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link
ADC Research Report
Page 50
www.imperva.com