SQLi has long been unsolved, but has that finally changed?

SQL injection (SQLi) attacks have remained unsolved for more than 15 years, but that could be about to change

This article can also be found in the Premium Editorial Download: Computer Weekly: Software testing and code quality

The Open Web Application Security Project (Owasp) continues to rank SQL injection attacks at the top of its 10 most critical web application risks.

But what is an SQL injection (SQLi) attack, why are they important, and why have they remained unsolved more than 15 years since they first appeared – and has that changed?

Most simply stated, an SQL injection is the malicious modification of Structured Query Language (SQL) statements, by adding (injecting) SQL syntax, to compromise a database.

SQL is the language and protocol used by application servers to communicate with database servers to perform tasks such as user authentication.

Attacks are commonly conducted through web forms, URLs and cookies.

SQLi attacks a big threat to database records

A simple example of SQLi attack is putting an SQL command into the password field of a web form to display all records.

Because computers tend to do what they are told, a database would execute the command if it were received.

Why are SQLi attacks important to stop?

An SQL injection is the malicious modification of SQL statements, by adding SQL syntax, to compromise a database

Research has shown that this is an extremely common attack method and in the past 10 years SQLi has been linked to 90% of database records stolen.

A single SQLi attack can result in the loss or destruction of a database of confidential records, a fact not easily dismissed.

If the threat is so great, and has been around for more than 15 years, why has it remained unsolved for so long?

According to database security firm DB Networks, the answer lies in the fact that all attempts to deal with SQLi attacks have been network perimeter-based and relied on using signatures and black listing.

But both these techniques require time-consuming and error-prone manual updating, and are not effective against database hackers who obfuscate their SQLi using advanced evasion techniques (AETs).

Also, most organisations rely on third-party web application frameworks such as Ruby on Rails, which has recently been shown to have had an SQLi vulnerability for the past 11 years.

The most sophisticated SQLi attacks, however, are conducted using malware placed on the application server where the SQL is generated. This exploits the trusted relationship between the application server and the database, bypassing all basic input validation on a website.

Can behavioural analysis succeed where perimeter defences have failed?

For these reasons, DB Networks has pioneered the use of behavioural analysis to identify rogue SQL statements.

In October 2013, after a year of lab and field testing, the company released its IDS-6300 Core Intrusion Detection System based on the firm’s patented behavioural analysis technology for SQLi detection.

The technology models how every application in an organisation constructs SQL by analysing several elements such as syntax, which enables it to detect any deviations from normal operations.

Why do signature-based defence systems not work?

Assuming the targeted web interface is coded perfectly, there should not be any danger of SQLi. But attackers typically use obfuscation to hide what they are doing.

More on SQLi from the Computer Weekly Security Think Tank

  • Several factors feed SQLi attacks
  • Best practice to target SQLi
  • No quick fix to SQLi attacks
  • SQLi is basically a process problem
  • SQLi attacks fly under security testing radar
  • Quick time to market to blame for many SQLi attacks
  • Development and testing key to reducing SQLi attacks

Obfuscation bypasses signature-based web application firewalls (WAFs) by concealing the attack so that it does not match a signature, said Brett Helm, chairman and chief executive at DB Networks.

A famous example, he said, is entering a legitimate user name, but in the password field, entering an incorrect password followed by “or 1=1”, the computer identifies the password is incorrect, but 1 does equal 1, so it will allow access to the database.

“Today, there are all sorts of things in WAFs on the perimeter that protect against '1=1', but if you were to put ‘or 2=2', you will still bypass the perimeter security,” said Helm, adding that there is an infinite number of permutations that could be used.

In addition to any number being equal to itself, other mathematical statements could be used, such as 2>1 or 1<17 and so on, but this is just one example of about nine different obfuscation techniques attackers commonly use to bypass perimeter defences against SQLi, he said.

Many of these are enabled by easy-to-use automation tools such as Hackvertor and Malzilla, which would be among the thousands of results for any internet search for “WAF bypass”, according to Helm.

“Anyone can use these tools to get past any perimeter-based defence system in use today,” he said. This is one of the main reasons SQLi attacks continue to be a significant problem.

For this reason, DB Networks has aligned itself with the new trends in security of using behavioural analysis and of being application aware and application visible.

Protecting data within the perimeter

“Businesses are beginning to focus on the security of data rather than simply building higher walls at the network perimeter,” said Helm.

A behavioural analysis-based approach provides protection against persistent attackers, zero-day threats, and advanced SQLi attacks

Brett Helm, DB Networks

Just as McAfee is applying behavioural analysis and Palo Alto Networks is applying application visibility at the network firewall, and FireEye is applying behavioural analytics and RSA’s Silvertail is applying predictive analytics at the WAF and web application server, DB Networks is applying behavioural analysis at the database tier.

“We are physically between the application servers and the database, not at the perimeter where just about everything else is,” said Helm.

DB Networks claims it is the first to develop an appliance, virtual or physical, that sits between the application server and the database that is content-aware, context-aware> and protocol-aware, and provides continuous monitoring and protection against attackers that get past perimeter-based defences.

“A behavioural analysis-based approach provides protection against persistent attackers, zero-day threats, and advanced SQLi attacks,” said Helm.

The system is also designed to spot any undocumented and non-compliant databases, and identify any coding flaws in the SQL statement generation portion of applications.

Why does DB Networks believe this is an effective way to prevent SQLi?

Identifying attacks and taking action against them

Helm cites the behavioural analysis, non-perimeter-based approach, which has been validated in trials such as one at a top medical website.

Despite the fact that the medical site had been payment card industry data security standard (PCI DSS) compliant, it had been breached in 2012, leading to the compromise of 10,000 user names and passwords.

Read more on SQL injection

Consequences included the loss of PCI DSS certification, embarrassment, and damage to reputation.

“The site was previously protected by a WAF, which was producing so many false positives they could not tell which were indicative of real attacks,” said Helm.

The technology from DB Networks was able to identify 600 SQL injections that had reached the database and identify the specific lines of code that needed to be fixed.

“The website is still coming under attack, but they are now able to take immediate action,” said Helm, adding that field experience is proving high accuracy in detecting advanced SQL injection attacks.

But is the technology affordable by all organisations with a web presence?

Helm admits that initially IDS-6300 product is aimed at government and financial institutions because that is where SQLi attacks have the most devastating effect.

In the longer term, however, DB Networks plans a much lighter version that will be designed to meet the needs and budgets of smaller organisations and could potentially be bundled with popular database software.

If DB Networks is correct, SQLi should finally drop down and out of the Owasp rankings> as the technology is more widely adopted.

Read more on Web application security