1. SQL Injection – The Unknown Story
Rob Rachwald, Director of Security Strategy, Imperva
Live Webinar - October 26, 2011
2. Agenda
SQL Injection: A Short Primer
SQL Injection Today
+ Attack Statistics
+ Attack Process
+ Attack Tools
Mitigation Checklist
3. Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia
Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
5. Reason for Data Loss from Hacking: 2005-2011
Chart: SQL injection 83%, Other 17%
Total = 315,424,147 records (856 breaches)
Source: Privacy Rights Clearinghouse
6. Total Web Application Vulnerabilities
# of websites (estimated: July 2011)*: 357,292,065
x # of vulnerabilities**: 230
x 1%
= 821,771,600 vulnerabilities in active circulation
*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html
**Source: https://www.whitehatsec.com/home/resource/stats.
7. How Many SQL Injections?
821,771,600 vulnerabilities in active circulation
What About SQL Injections?
10%? 82,177,160
20%? 164,354,320
30%? 246,531,480
10. SQL Injection: Technical Impact
Retrieve sensitive data from the organization
Steal the site’s administrator password
Lead to the downloading of malware
20. Step 1a: Google Dorks
What is It?
A Google search term crafted to find vulnerable websites.
How Does It Work?
An attacker armed with a browser and a dork can start listing potential attack targets. Search engine results not only list vulnerable servers but also give a fairly accurate idea of which resources within each server are potentially vulnerable.
27. Dork Origins
Country # of Dork Queries % of Dork Queries
Islamic Republic of Iran 227,554 41
Hungary 136,445 25
Germany 80,448 15
United States 19,237 3.5
Chile 17,365 3
Thailand 16,717 3
Republic of Korea 11,872 2
France 10,906 2
Belgium 10,661 2
Brazil 7,559 1.5
Other 8,892 2
28. Step 1b: Scanners
Choose the target site
Scan it with a scanner to find vulnerabilities
Expand the vulnerability into a full-blown exploit
32. Automated Tools
Havij/SQLmap pick up where the scanner stops and exploit the application
+ Inserts SQL statements
+ Will not scan the full app, just specific areas: makes a small hole really big
+ Fetches specific information, such as column data
33. SQLi Attack Vectors
Direct query manipulation
Discovering the database structure
Union Select SQL injection
Time-based blind SQL injection
Bypassing simple parameter sanitization
39. Step 1: Dork Yourself
Put detection policies in place (using the data source monitoring solution) to detect movement of sensitive data to public-facing servers.
Regularly schedule “clean-ups”. Every once in a while, a clean-up should be scheduled to verify that no sensitive data resides on these publicly accessible servers.
Periodically look for new data stores that hold sensitive data. Tools exist today to assist in detecting database servers on the network and classifying their contents.
40. Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks
Positives
+ Blocks up to 40% of attack traffic
+ Easy
Negatives
+ Does not deal with the underlying problem
41. Step 3: Use a WAF to Detect/Block Attacks
Positives
+ Can block many attacks
+ Relatively easy
+ Can accelerate SDLC
Negatives
+ Can become a crutch
+ Potential for false positives
43. Virtual Patching through Scanner Integration
Apply SecureSphere policies based on scan results
Monitor attempts to exploit known vulnerabilities
Fix and test vulnerabilities on your schedule
Diagram: scanner finds vulnerabilities in the customer site -> SecureSphere imports scan results -> monitor and protect web applications
44. Step 5: Stop Automated Attack Tools
Positives
+ Detects automated tool fingerprints to block many attacks
+ Relatively easy
Negatives
+ Potential for false positives
45. Step 6: Code Fixing
Positives
+ Root cause fixed
+ Earlier is cheaper
Negatives
+ Expensive, time consuming
+ Never-ending process
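The attack vectors listed on slide 33 (direct query manipulation, bypassing simple parameter sanitization) and the root-cause fix on slide 45 side by side, as an added example that is not part of the webinar. The table, rows and function names are constructed for illustration; the point is that stripping quotes does nothing for a numeric parameter, while type validation plus a bound parameter removes the root cause.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (example data, not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    return conn


def strip_quotes(value):
    """'Simple parameter sanitization': removes single quotes and nothing else."""
    return value.replace("'", "")


def get_user_vulnerable(conn, user_id):
    """Direct query manipulation: the parameter is concatenated into the SQL text.
    Quote stripping is bypassed trivially because a numeric context needs no quotes,
    so an input such as "2 OR 1=1" changes the WHERE clause instead of the value."""
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def get_user_fixed(conn, user_id):
    """Code fix: validate the type, then bind the value as a query parameter.
    The database engine never interprets user input as SQL syntax."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for candidate in ("2", "2 OR 1=1"):
        print(repr(candidate), "vulnerable:", get_user_vulnerable(db, candidate),
              "fixed:", get_user_fixed(db, candidate))
```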
46. Summary: The Anti-SQL Stack
Dork Yourself
Blacklist
WAF
WAF + VA
Stop Automated Attacks
Code Fixing
48. Our Story in 60 Seconds
Attack Protection, Usage Audit, Virtual Patching, Rights Management, Reputation Controls, Access Control
49. Webinar Materials
Get LinkedIn to Imperva Data Security Direct for…
Answers to Attendee Questions
Post-Webinar Discussions
Webinar Recording Link
ADC Research Report