RealTime IT News

SQL Injection Threatens to Needle Web Users

As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.

While folks wring their hands over the Slammer worm or other non-specific buffer overflows, at least they can patch those generalized attacks once they detect them.

Not every security vulnerability is so easily neutralized. Hackers looking to hijack your computer can use invasive procedures that you can't patch.

SQL injection is a prime example of a command injection attack.

In this exploit, an attacker takes advantage of incorrectly filtered input that is built into SQL queries to pull any information he wants from a database.

Without a victim knowing it, an attacker can simply write a line of code and let it piggyback on another, returning vast amounts of data to the hacker making the request.

That includes everything from Social Security numbers, to credit card information, to information about customer buying patterns or company products.

Also, if an attacker figures out how to manipulate code on the path between a Web server and a database, he could take control of a user's PC. SQL injections can also be used to hijack password-protected Web sites.

Unlike a general buffer overflow, there's no patching an exploit like this; the best thing an admin can do is shut down the network and rewrite the SQL code.

And, of course, that costs the company time and money.
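As an added illustration of the flaw described above (example code, not from the article or from SPI Dynamics), the following Python script builds a constructed in-memory SQLite table and runs the same login input through two versions of the lookup: one that pastes the input straight into the SQL text, so extra SQL can piggyback on the developer's query, and the rewritten version that passes the input as bound parameters. The table contents, column names and the crafted input are assumptions made up for this example.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory "users" table
# standing in for the kind of customer database the article describes.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice-pw", "111-11-1111"), ("bob", "bob-pw", "222-22-2222")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is pasted straight into the SQL text.

    Whatever the user types becomes part of the statement, so a quote character
    lets extra SQL piggyback on the developer's query, as the article describes.
    Returns the usernames the query matched.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The rewrite: the SQL text is fixed and user input is passed as bound parameters.

    The database driver treats the parameters purely as values, never as SQL, so
    the same crafted input simply fails to match any row.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def compare(username, password):
    """Run the same input through both versions and report what each returned."""
    conn = build_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal login behaves identically in both versions.
    print(compare("alice", "alice-pw"))
    # Crafted input (constructed for this example) that closes the quote and
    # appends an always-true condition: the concatenated query returns every
    # user, the parameterized one returns nothing.
    print(compare("' OR '1'='1", "' OR '1'='1"))
```

The point of the side-by-side is that the fix is not a patch applied to the database product; it is a change to how the application builds its queries, which is why the article says the remedy is to rewrite the SQL code.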

"It is actually one of the more severe vulnerabilities," said Caleb Sima, CTO for Web security software maker SPI Dynamics.

"SQL injection is equal to, if not surpassing, buffer overflows in severity. It's been around for a long time, but most people haven't really paid attention to it because it's been specifically targeted to a Web site and is fairly complicated to do."

Such flaws are well documented in leading software products.

Microsoft plugged such a flaw in its BizTalk Server before perpetrators could leverage it for illicit gains.

Oracle is no stranger to SQL flaws either.

But attacks involving SQL injections are rarely reported as such because most companies whose computer networks fall prey to this flaw don't want to admit that their code is flawed and vulnerable to such attacks, said Gartner analyst John Pescatore.

"There have definitely been Gartner clients who said 'we had a problem, we brought somebody in and they said it looks like we had a SQL injection vulnerability,'" Pescatore said.

"But you don't read it in a newspaper because it's targeted."

Net-net, no one really knows how often SQL injections are used to plunder databases for information. The Web Application Security forum lists 15 incidents.

While the first SQL injection exploits stemmed from precise, well-crafted strings of code from careful computer crackers, Sima said tools now exist in the wild for perpetrators to automate SQL injections.

For example, with such a tool, a user could simply click a button and automatically extract table names and columns and basically replicate a company's entire database contents to a Web site.

Sima should know: SPI Dynamics created a SQL injection generator tool.

SQL Injector is designed to educate companies about how their Web sites are susceptible to the attack. Once a developer sees the error of his ways, he can then rewrite the code to make the site more secure.

That's what SPI hopes, anyway. SPI is in the business of detecting Web security attacks before they occur, and makes a product called WebInspect that identifies all of the problem areas where command injection flaws exist.

When it finds those vulnerabilities, WebInspect alerts admins and provides a report on how to fix them.

Other vendors have similar tools. Watchfire makes AppScan; McAfee makes Foundstone; Fortify has Security Tester; and WhiteHat Security offers Sentinel, a service that pinpoints SQL injection flaws and recommends fixes.

"People talk about phishing all the time but the real serious guys are doing SQL injection," Sima said. "It's easy, it's quick, and the types of data you get are amazing."