The prevalence and intensity of SQL injection attacks are increasing, according to Imperva's Hacker Intelligence Initiative (HII) report.
The report details how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
"SQL injection is probably the most costly vulnerability in the history of software," said Amichai Shulman, chief technology officer at Imperva.
"This exploit is used to great effect by the hacking community since it is the primary way to steal sensitive data from web applications, [yet it] remains one of the least understood," he said.
Well-known breaches, including Sony, Nokia and Heartland Payment Systems, involved the use of SQL injection to break into the application's back-end database. Hacktivist group LulzSec made SQLi a key part of its arsenal.
High level of successful attacks
According to Privacyrights.org, SQL injection is responsible for 83% of successful hacking-related data breaches since 2005.
Imperva estimates that there are around 115 million SQL injection vulnerabilities in circulation. By monitoring a set of 30 web applications over the past nine months, Imperva found that SQL injection continues to be a very relevant attack.
Since July, the observed web applications suffered on average 71 SQLi attempts an hour. Specific applications were occasionally under aggressive attacks and, at their peak, were attacked 800-1,300 times an hour.
The study found that attackers are increasingly bypassing simple defences. Hackers are using new SQLi attack variants which allow the evasion of simple signature-based defence mechanisms.
Hackers are using readily available automated hacking tools. While the attack techniques are constantly evolving, carrying out the attack does not necessarily require any particular hacking knowledge. Common attack tools include Sqlmap and Havij.
Attackers typically use compromised machines to disguise their identity as well as increase their attack power via automation. To automate the process of attack, attackers use a distributed network of compromised hosts. These "zombies" are used in an interchangeable manner to defeat black-listing defence mechanisms.
The study revealed that about 41% of all SQLi attacks originated from just 10 hosts, conforming to the pattern of a small number of sources being responsible for a majority of attacks.
Detect SQL injection attacks
To better deal with the problem, Imperva said enterprises should detect SQL injection attacks using a combination of application layer knowledge (an application profile) and a preconfigured database of attack vector formats. The detection engine must normalise the inspected input before matching, so that encoded or padded variants of a known vector cannot evade it.
It is also important to identify the access patterns of automated tools, because SQLi attacks are mostly executed using automated tools. Various mechanisms exist to detect the use of automated clients, such as rate-based policies and enforcing a valid client response to challenges.
Finally, enterprises should create and deploy a black list of hosts that have initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers. Because the active period of a host initiating SQLi is short, it is important to constantly update the list from various sources.
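The three measures above (normalise-then-match against attack vector formats, rate-based detection of automated clients, and a short-lived blacklist of attacking hosts) can be shown working together on a handful of constructed request log lines. The following is an added illustrative example written for this page; it is not Imperva's detection engine or any product's code. The attack-vector patterns, the log format (`timestamp source parameter`), the IP addresses, the thresholds and the blacklist TTL are all assumptions chosen for the demonstration.

```python
import re
import urllib.parse
from collections import defaultdict, deque

# Constructed attack-vector formats (illustrative, not a vendor's signature database).
# They are applied to the *normalised* parameter value, never to the raw one.
ATTACK_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select\b"),            # union-based extraction
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+"),           # tautology, e.g. ' or 1=1
    re.compile(r";\s*(drop|alter)\s+table\b"),             # stacked DDL
    re.compile(r"\b(sleep|benchmark)\s*\("),               # time-based probing
]


def normalise(value: str, max_rounds: int = 3) -> str:
    """Canonicalise a parameter so that percent-encoded, comment-padded or
    oddly-spaced variants of the same vector collapse to one form."""
    decoded = value
    for _ in range(max_rounds):                 # repeat to undo multiple encodings
        nxt = urllib.parse.unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.lower()
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)   # inline comments -> space
    return re.sub(r"\s+", " ", decoded).strip()


def is_sqli(value: str) -> bool:
    """True if the normalised value matches any known attack vector format."""
    norm = normalise(value)
    return any(p.search(norm) for p in ATTACK_PATTERNS)


class RateMonitor:
    """Sliding-window request counter per source: a minimal rate-based policy
    for spotting automated clients."""

    def __init__(self, max_requests: int, window_s: int):
        self.max_requests = max_requests
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def observe(self, source: str, ts: int) -> bool:
        q = self.hits[source]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:  # drop hits outside the window
            q.popleft()
        return len(q) > self.max_requests


class Blacklist:
    """Hosts seen initiating SQLi. Entries expire after ttl_s seconds because
    an attacking host's active period is short and stale entries only block
    whoever inherits the address later."""

    def __init__(self, ttl_s: int):
        self.ttl_s = ttl_s
        self.expiry = {}

    def add(self, source: str, ts: int) -> None:
        self.expiry[source] = ts + self.ttl_s

    def contains(self, source: str, ts: int) -> bool:
        exp = self.expiry.get(source)
        if exp is None:
            return False
        if ts >= exp:                            # expired: forget the host
            del self.expiry[source]
            return False
        return True


# Constructed log: "<unix_ts> <source_ip> <query_parameter>" (assumed format).
SAMPLE_LOG = [
    "1000 198.51.100.7 q=laptop",
    "1001 198.51.100.7 q=%27%20OR%201%3D1--",
    "1002 203.0.113.9 q=shoes",
    "1003 198.51.100.7 q=1%20UNION/**/SELECT%20name%20FROM%20users",
    "1004 203.0.113.9 q=boots",
    "1005 203.0.113.9 q=socks",
    "1006 203.0.113.9 q=hats",
    "1700 198.51.100.7 q=laptop",
]


def process_log(lines, rate_limit: int = 3, window_s: int = 10, ttl_s: int = 600):
    """Run every request through blacklist, signature and rate checks, in that
    order, and return (timestamp, source, verdict) tuples."""
    rate = RateMonitor(rate_limit, window_s)
    blacklist = Blacklist(ttl_s)
    verdicts = []
    for line in lines:
        ts_s, src, param = line.split(" ", 2)
        ts = int(ts_s)
        value = param.split("=", 1)[1]
        over_rate = rate.observe(src, ts)        # counted for every request
        if blacklist.contains(src, ts):
            verdict = "blocked:blacklisted"
        elif is_sqli(value):
            blacklist.add(src, ts)               # first confirmed SQLi lists the host
            verdict = "blocked:sqli"
        elif over_rate:
            verdict = "challenge:automation"     # e.g. serve a client challenge
        else:
            verdict = "allowed"
        verdicts.append((ts, src, verdict))
    return verdicts


if __name__ == "__main__":
    for ts, src, verdict in process_log(SAMPLE_LOG):
        print(ts, src, verdict)
```

Note the order of the checks: the blacklist is consulted first so a listed host is refused without re-running the signature engine, the signature match runs on the normalised value, and the rate verdict only fires for sources that have not already been blocked. The host at 198.51.100.7 is listed at its first matching request, blocked on its next, and allowed again after the TTL has elapsed, which is the "constantly update the list" behaviour the report calls for.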