Imperva has released a report on the anatomy of SQL injection attacks. It is not so much about the anatomy as about how, from where and when these attacks are carried out. The report was prepared after monitoring a set of 30 web applications over the last nine months. Key excerpts from the report are below.
- SQL Injection continues to be a very relevant attack. Since July, the observed Web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour.
- Attackers increasingly bypass simple defenses. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defense mechanisms.
- Hackers use readily-available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
- Attackers use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These "zombies" are used in an interchangeable manner in order to defeat black-listing defence mechanisms.
- About 41% of all SQLi attacks originated from just 10 hosts. Again, we see a pattern where a small number of sources are responsible for a majority of attacks.
To better deal with the problem, enterprises should:
- Detect SQL injection attacks using a combination of application layer knowledge (application profile) and a preconfigured database of attack vector formats. SQLi detection must normalize the inspected input to avoid evasion attempts.
- Identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools. Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges.
- Create and deploy a blacklist of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of hosts initiating SQLi is short, it is important to constantly update the list from various sources.
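The report's first recommendation, normalizing inspected input before matching it against attack-vector signatures, is illustrated by the following added Python example (written for this post, not code from Imperva or the report). The request parameters, client addresses and the two signatures are constructed for the demonstration; the point is that the same signatures miss comment-obfuscated and double-encoded variants until the input is canonicalized.

```python
import re
from urllib.parse import unquote

# Constructed sample (client address, query string) pairs, not data from the report.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "id=42"),
    ("10.0.0.7", "id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users"),
    ("10.0.0.9", "id=1/**/uNiOn/**/sElEcT/**/1%2C2"),   # inline comments, mixed case
    ("10.0.0.9", "id=1%2527%2520OR%25201%253D1"),        # double URL encoding
    ("10.0.0.11", "q=select%20your%20plan"),             # benign text containing a keyword
]

# Minimal constructed signature database; a real deployment would carry many more.
SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
]

def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a parameter value: decode repeatedly (defeats double
    encoding), replace /* */ comments with a space, collapse whitespace, fold case."""
    prev = None
    for _ in range(max_rounds):
        if value == prev:          # stop once decoding no longer changes anything
            break
        prev, value = value, unquote(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def naive_is_sqli(raw_value: str) -> bool:
    """Single decode and case fold only: the simple check the report says is evaded."""
    value = unquote(raw_value).lower()
    return any(sig.search(value) for sig in SIGNATURES)

def is_sqli(raw_value: str) -> bool:
    """Signature match on the normalized value."""
    canon = normalize(raw_value)
    return any(sig.search(canon) for sig in SIGNATURES)

def scan_requests(requests):
    """Return the set of client addresses that sent at least one SQLi-like parameter."""
    flagged = set()
    for client, query in requests:
        for pair in query.split("&"):
            _, _, value = pair.partition("=")
            if is_sqli(value):
                flagged.add(client)
    return flagged

if __name__ == "__main__":
    print(sorted(scan_requests(SAMPLE_REQUESTS)))   # ['10.0.0.7', '10.0.0.9']
```

The flagged set is the kind of input that would feed the report's third recommendation, a frequently refreshed blacklist of attacking hosts.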
In this report, we discuss some of the most popular tools as we outline the challenge of, and solutions to, SQLi attacks targeting Web applications. The full report is available here for download.