Embed Size (px)
DESCRIPTION
Citation preview
SQL Injection – The Unknown Story Rob Rachwald, Director of Security Strategy, Imperva Live Webinar - October 26, 2011
Agenda
SQL Injection: A Short Primer
SQL Injection Today +Attack Statistics
+Attack Process
+Attack Tools
Mitigation Checklist
Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
Research +Directs security strategy
+Works with the Imperva Application Defense Center
Security experience +Fortify Software and Coverity
+Helped secure Intel’s supply chain software
+Extensive international experience in Japan, China, France, and Australia
Thought leadership +Presented at RSA, InfoSec, OWASP, ISACA
+Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
SQL Injection Primer
Reason for Data Loss from Hacking: 2005-2011
SQL injection 83%
Other 17%
Total=315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
Total Web Application Vulnerabilities
: # of websites (estimated: July 2011)*
# of vulnerabilities**
357,292,065
230 x
1%
821,771,600 vulnerabilities in active circulation
*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html **Source: https://www.whitehatsec.com/home/resource/stats.
:
How Many SQL Injections?
What About SQL Injections?
10%? 82,177,160
20%? 164,354,320
30%? 246,531,480
821,771,600 vulnerabilities in active circulation
SQL Injection Means Business, Literally
SQL Injection: Defined
SQL Injection: Technical Impact
Retrieve sensitive data from the organization
Steal the site’s administrator password
Lead to the downloading of malware
SQL Injection: Business Impact
Breach Date March 15, 2011
Breach Date January 19, 2009
SQL Injection Today: Attack Stats
Still a Very Relevant Attack
On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.
SQL Injections By the Hour
Majority of Attacks from Small Number of Hosts
41% of all SQLi attacks originated from just 10 hosts
SQL Injection Today: Attack Process
Hackers Increasingly Bypass Simple Defenses
1'/**/aND/**/'8'='3
1 DeClARe @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--
concat() and char()
x' wAiTfOr dELay '0:0:20'--
Getting Started
Option 1a: Dorking +Intent: Find something generally vulnerable
Option 1b: General purpose scanner +Intent: Find something specifically vulnerable
Step 1a: Google Dorks
Step 1a: Google Dorks
What is It? A google search term targeted at finding vulnerable websites.
How Does It Work?
An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an
attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are
potentially vulnerable.
Dorking in Action
Automated Dorking (Desktop)
Carrying Out Attacks via Compromised Hosts
Dork Power: Queries Per Hour
Dork Power: Queries Per Day
Dorking in Action (Non SQL Example)
Dork Origins
Country # of Dork Queries % of Dork Queries Islamic Republic of Iran 227,554 41 Hungary 136,445 25 Germany 80,448 15 United States 19,237 3.5 Chile 17,365 3 Thailand 16,717 3 Republic of Korea 11,872 2 France 10,906 2 Belgium 10,661 2 Brazil 7,559 1.5 Other 8,892 2
Step 1b: Scanners
Choose the target site
Scan it with scanner to find vulnerabilities
Expand the vulnerability into full blown exploit
Step 1b: Automated Scanning, Service
Step 1b: Automated Scanning, Service
Step 3: Automated Attack Tools
SQLmap
Havij
Automated Tools
Havij/SQLmap pick up where scanner stops and exploit the application
+Inserts sql statements
+Will not scan full app, just specific areas. Makes a small hole really big
+Fetches specific information, such as column data
SQLi Attack Vectors
Direct query manipulation
Discovering the database structure
Union Select SQL injection
Time-based blind SQL injection
Bypassing simple parameter sanitation
Step 4: Harvest
SQL Injection Today: Attack Tools
Main Automated Attack Tools
SQLmap
Havij
Attacks From Automated Tools
Mitigation Checklist
Step 1: Dork Yourself
Put detection policies in place (using the data source monitoring solution) to depict move of sensitive data to public facing servers.
Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.
Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks
Positives +Blocks up to 40% of
attack traffic
+Easy
Negatives +Does not deal with the
underlying problem
Step 3: Use a WAF to Detect/Block Attacks
Positives +Can block many attacks
+Relatively easy
+Can accelerate SDLC
Negatives +Can become a crutch
+Potential for false positives
Step 4: WAF + Vulnerability Scanner
“Security No-Brainer #9: Application Vulnerability Scanners
Should Communicate with Application Firewalls”
—Neil MacDonald, Gartner
Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/
Apply SecureSphere policies based on scan results
Monitor attempts to exploit known vulnerabilities
Fix and test vulnerabilities on your schedule
Virtual Patching through Scanner Integration
Customer Site
Scanner finds vulnerabilities
SecureSphere imports scan results Monitor and protect
Web applications
Step 5: Stop Automated Attack Tools
Positives
+Detects automated tool fingerprints to block many attacks
+Relatively easy
Negatives +Potential for false
positives
Step 6: Code Fixing
Positives +Root cause fixed
+Earlier is cheaper
Negatives +Expensive, time
consuming
+Never-ending process
Summary: The Anti-SQL Stack
Code Fixing
Dork Yourself
Blacklist
WAF
WAF + VA
Stop Automated Attacks
About Imperva
Usage Audit
Access Control
Rights Management
Attack Protection
Reputation Controls
Virtual Patching
Our Story in 60 Seconds
Webinar Materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link
ADC Research Report
Get LinkedIn to Imperva Data Security Direct for…
www.imperva.com
