SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications that use dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of an automated attack targeting SQL injection flaws is planned for Black Hat Briefings this week in Las Vegas. This conclusion of a two-part interview with SPI Dynamics CTO Caleb Sima tells what you should fear, why and what you can do to mitigate your risk.
Security Wire Perspectives: You have compared the future of SQL injection attacks to the current scope of Linux and Windows flaws. How easy would it be to develop some sort of automated exploit for this?
Caleb Sima, CTO, SPI Dynamics: Today, an attacker has to be somewhat knowledgeable not only about Web application security, but also about SQL injection to exploit someone's site and grab information. It's a very manual task that takes some pretty good intelligence gathering to accomplish. But SQL injection can be automated and it's technology that's moving forward. In fact, at Black Hat there is going to be a talk on the automation of SQL injection. I think it's the first of its kind. This technology being publicly released by some black hat will give script-kiddies the ability to pick up a freeware tool, point it at a Web site and automatically download a database without any knowledge whatsoever.
I think that makes things a lot more critical and severe. The automation of SQL injection gives rise to the possibility of a SQL injection worm, which is very possible. In fact, I am surprised this hasn't occurred yet.
SWP: So it wouldn't be all that difficult to create a SQL injection worm?
SIMA: People think SQL injection flaws are unique to their application; that they're all different and there's no way a worm could be used to do SQL injection. That's where they are wrong. Google hacking can be used to find vulnerable Web sites and narrow down target sites. These results can be used as the basis for a worm.
After identifying a vulnerable site, a payload or a worm is uploaded onto the SQL infected site. From that point, the server then goes out to Google and identifies the next vulnerable site using SQL injection, which is very easy to do. Then he infects the next machine, then that machine goes back to Google and identifies that next vulnerable machine and so on and so on. So even something as unique as SQL injection paired with Google and automated SQL injection capabilities can be used to automate a worm that propagates extremely quickly.
What makes this more dangerous than other worms that have come out is that the others have been based upon a single flaw -- flaws that could be fixed with patches. With SQL injection, you can't install a patch. It's an implementation flaw that applies to Microsoft servers, to Apache servers, to PHP code and to ASP code. Source code must be examined and fixed, which isn't a simple thing to do.
To determine whether your site is vulnerable to SQL injection, read the steps available online.
SWP: You seem surprised we haven't seen any SQL injection worms yet. What kind of timeframe are we looking at?
SIMA: I believe someone out there probably already has one; someone who is smart enough to use this type of technology for financial gain or some other purpose. His type of SQL injection worm is probably already being used quietly to gain information in a way that isn't being detected.
I can't predict when the next one will come out. I will tell you that this knowledge and this idea will propagate quickly. Then it's all up to whoever decides to sit down and release one.