Imperva research finds SQL Injection attacks bypass web security

"SQLi is probably the most costly vulnerability in the history of software," commentsd Imperva CTO Amichai Shulman, adding that it is now the primary method for stealing sensitive data from web applications. "However, this issue, ironically, remains one of the least understood," he says, explaining that some of the highest profile successful attacks were achieved via SQLi and that the hacktivist group LulzSec uses the method as a key weapon in its arsenal. "From 2005 through today, SQL injection has been responsible for 83% of successful hacking-related data breaches," says Shulman. "It is estimated that there are a total of 115,048,024 SQL injection vulnerabilities in active circulation today." Imperva's report shows that, since July, observed web applications have suffered on average an astonishing 71 SQLi attempts per hour. Specific applications were occasionally under aggressive attacks and at their peak, were attacked 800-1300 times per hour. "Attackers are increasingly bypassing simple defences [and] using new SQLi variants that allow the evasion of simple signature-based defence mechanisms," warns Shulman. And advises that attack techniques are constantly evolving and that carrying out the attack does not require any hacking knowledge – with common attack tools including Sqlmap and Havij. "To better deal with the problem, enterprises should first detect SQL injection attack using a combination of application layer knowledge and a preconfigured database of attack vector formats. The detection engine must also normalise the inspected input to avoid evasion attempts," states Shulman. "Second, identify access patterns of automated tools. In practice, SQLi attacks are mostly executed using automatic tools. Various mechanisms exist to detect usage of automatic clients, like rate-based policies and enforcement of valid client response to challenges. "Third, create and deploy a black list of hosts that initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Since we observed that the active period of host initiating SQLi is short, it is important to constantly update the list from various sources."