Over 70 SQL Injection Attacks Take Place Per Hour

Imperva : 22 September, 2011  (Technical Article)
Research undertaken by Imperva reveals the volume of SQL injection attacks taking place and the ease with which hackers continue to execute them.
Imperva’s Hacker Intelligence Initiative (HII) has revealed the prevalence and intensity of SQL injection attacks.  The report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.

“SQL injection is probably the most costly vulnerability in the history of software,” explained Imperva CTO Amichai Shulman. “This exploit is used to great effect by the hacking community since it is the primary way to steal sensitive data from web applications. However, this issue, ironically, remains one of the least understood.”

Famous breaches at Sony, Nokia, Heartland Payment Systems and even Lady Gaga’s Web sites were carried out by hackers who used SQL injection to break into the application’s backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. Since 2005, SQL injection has been responsible for 83% of successful hacking-related data breaches. It is estimated that there are a total of 115,048,024 SQL injection vulnerabilities in active circulation today. A hacker in a forum boasted, “Finding SQLi vulnerable sites is extremely easy; all you need to do is some Googling.”

By monitoring a set of 30 web applications over the last nine months, Imperva found:

* SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.

* Attackers are increasingly bypassing simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.

* Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.

* Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These “zombies” are used in an interchangeable manner in order to defeat black-listing defense mechanisms.

* About 41% of all SQLi attacks originated from just 10 hosts.  Again, we see a pattern where a small number of sources are responsible for a majority of attacks.

To better deal with the problem, enterprises should:

* Detect SQL injection attacks using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. The detection engine must normalize the inspected input to avoid evasion attempts.

* Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools. Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.

* Create and deploy a black list of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of hosts initiating SQLi is short, it is important to constantly update the list from various sources.
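The three measures above, as an added example written for this page (not Imperva's product code): a small Python pipeline that normalizes each inspected value before matching it against a hypothetical pattern database, applies a rate-based policy to flag automated clients, and keeps a blocklist of attacking hosts whose entries expire so that the short-lived zombies described in the findings are aged out rather than accumulated. The log lines, IP addresses and pattern set are constructed for the example; `top_source_share` reproduces the report's "share of attacks from the top N hosts" figure over that sample.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Hypothetical "attack vector format" database (constructed for this example).
# Patterns are applied to normalized, lower-cased text; a real engine carries
# far more of them and ties them to the application profile.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+"),        # tautology: ' or 1=1
    re.compile(r"\bunion\s+(all\s+)?select\b"),          # union-based extraction
    re.compile(r"\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),  # time-based probes
    re.compile(r";\s*(drop|insert|update|delete)\b"),    # stacked statements
]

def normalize(raw: str) -> str:
    """Canonicalize an input value before signature matching so that
    percent/double encoding, comment padding and odd whitespace do not let a
    payload slip past the patterns (the 'normalize the inspected input' step)."""
    s = raw
    for _ in range(3):                      # undo repeated (double) URL-encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s)   # MySQL /*!...*/ runs its body: keep it
    s = re.sub(r"/\*.*?\*/", " ", s)             # ordinary comments act as whitespace
    s = re.sub(r"\s+", " ", s)                   # collapse whitespace runs
    return s.strip()

def looks_like_sqli(raw: str) -> bool:
    text = normalize(raw)
    return any(p.search(text) for p in SQLI_PATTERNS)

class RateMonitor:
    """Rate-based policy: a host exceeding `limit` requests per `window`
    seconds is treated as an automated client."""
    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def record(self, host: str, now: float) -> bool:
        q = self._hits[host]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

class BlockList:
    """Hosts that launched SQLi attempts, with a TTL so stale entries age
    out and the list keeps reflecting currently active sources."""
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._expires = {}

    def add(self, host: str, now: float) -> None:
        self._expires[host] = now + self.ttl

    def contains(self, host: str, now: float) -> bool:
        exp = self._expires.get(host)
        if exp is None:
            return False
        if now >= exp:
            del self._expires[host]
            return False
        return True

# Constructed log format: "<epoch seconds> <client host> <query string>".
LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<query>.*)$")

def process_log(lines, rate_limit=5, window=60.0, block_ttl=3600.0):
    """Run each log line through blocklist -> rate policy -> signature engine
    and return per-host verdicts."""
    rate, blocked = RateMonitor(rate_limit, window), BlockList(block_ttl)
    stats = {"sqli": defaultdict(int), "blocked_requests": 0, "automated": set()}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        now, host, query = int(m["ts"]), m["host"], m["query"]
        if blocked.contains(host, now):          # already listed: drop and count
            stats["blocked_requests"] += 1
            continue
        if rate.record(host, now):
            stats["automated"].add(host)
        if looks_like_sqli(query):
            stats["sqli"][host] += 1
            blocked.add(host, now)               # list the host, with expiry
    return stats

def top_source_share(counts, n: int) -> float:
    """Fraction of detected SQLi attempts coming from the n busiest hosts."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(sorted(counts.values(), reverse=True)[:n]) / total

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "1316685600 203.0.113.5 q=shoes",
    "1316685601 203.0.113.5 q=O'Reilly",                     # apostrophe, benign
    "1316685610 198.51.100.7 id=1",
    "1316685611 198.51.100.7 id=2",
    "1316685612 198.51.100.7 id=3",
    "1316685613 198.51.100.7 id=4",
    "1316685614 198.51.100.7 id=5",
    "1316685615 198.51.100.7 id=6",                          # 6th in 60 s: automated
    "1316685616 198.51.100.7 id=1%2527%2520OR%2520%25271%2527%253D%25271",  # double-encoded
    "1316685617 198.51.100.7 id=1 UNION/**/SELECT user,pass FROM users",    # host now blocked
    "1316685630 203.0.113.9 id=1;DROP TABLE users",
    "1316689300 198.51.100.7 id=1 UNION/**/SELECT user,pass FROM users",    # TTL expired
]

if __name__ == "__main__":
    result = process_log(SAMPLE_LOG)
    print(dict(result["sqli"]), result["blocked_requests"], result["automated"])
    print(f"top-1 source share: {top_source_share(result['sqli'], 1):.0%}")
```

On the sample, the double-encoded tautology is only caught because `normalize` decodes until the value stops changing; the comment-padded `UNION/**/SELECT` is caught because comments are folded to whitespace before matching. The blocklist TTL is deliberately short, mirroring the observation that attacking hosts are active only briefly: once the entry expires the host is inspected again and re-listed on its next attempt rather than silently trusted.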
   © 2012 ProSecurityZone.com