SQL injection (SQLi) attacks have been publicly documented since the late 1990s, so you might wonder why they are still so prevalent. The main reason is that they still work against a large share of web applications: according to Veracode's 2014 State of Software Security Report, SQL injection vulnerabilities still affect 32% of the web applications tested. The other reason is the attractiveness of the target: the database typically holds the interesting and valuable data behind the web application.

A SQLi attack injects SQL syntax into an application through client-supplied input (form fields, URL parameters, cookies, headers) that the application concatenates into a database query. The attack subverts the intent of the developer who wrote the query: input that was meant to be treated as a value is instead parsed by the database as part of the SQL statement. There is a reason injection flaws head the OWASP Top 10. SQLi is the best-known member of that family, which also includes OS command injection and LDAP injection; in every case untrusted data is sent to an interpreter as part of a command or query, and the interpreter is tricked into executing the attacker's commands or returning data it should not. Attackers use SQLi to read and exfiltrate data, to modify or delete rows, and, depending on the database and the privileges of the application account, to run administrative commands (drop databases, change permissions, and on some platforms execute operating-system commands).

It is as if you are in court and the bailiff asks for your name so he can announce it to the judge. You answer "Jane Doe, who is cleared of all charges and is free to go," the bailiff repeats it word for word, and because the judge heard it as part of an official statement, you walk free. The bailiff passed your input along without separating the name from the instruction.

Examples of SQLi attacks can be found on the OWASP wiki. The underlying flaws are introduced when developers build dynamic database queries by concatenating user input into the query string. Remediating SQLi means fixing those coding defects so that user-supplied input, however it is crafted, can never change the logic of the query; the primary defense is parameterized queries (prepared statements), with input validation and escaping as secondary layers. The OWASP wiki details these defenses for application developers.
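The following is an added example, not code from the original article or from AlienVault: a login check written the flawed way (string concatenation) beside the parameterized version, run against a constructed in-memory SQLite database (the table names, rows and payloads are all invented for the illustration). It shows the two outcomes the text describes, a tautology that bypasses the password check and a UNION that reads rows from an unrelated table, and that the same inputs are inert once they are bound as parameters.

```python
import sqlite3

# Constructed sample schema and rows (not from the original page): a users table
# for the login check and an api_keys table the injection should never reach.
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'wonderland'), (2, 'bob', 'builder');
CREATE TABLE api_keys (id INTEGER, owner TEXT, api_key TEXT);
INSERT INTO api_keys VALUES (1, 'alice', 'AK-1111'), (2, 'bob', 'AK-2222');
"""

def make_db():
    """Return an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login_vulnerable(conn, username, password):
    """The flaw: user input is spliced into the SQL text, so any SQL syntax
    in the input is parsed by the database as part of the statement."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, username, password):
    """The fix: the SQL text is constant and the values travel separately as
    bound parameters, so the input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Two classic payloads. The first turns the WHERE clause into a tautology
# (AND binds tighter than OR, so every row matches); the second appends a
# UNION that pulls rows from another table, and the trailing "--" comments
# out the remainder of the original query.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "x' UNION ALL SELECT api_key FROM api_keys --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "wonderland"))
    print("vulnerable, tautology   :", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, union read  :", login_vulnerable(db, UNION_READ, "irrelevant"))
    print("parameterized, tautology:", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, union    :", login_parameterized(db, UNION_READ, "irrelevant"))
```

The parameterized version is the fix OWASP recommends first; note that it only protects the values. Identifiers such as table or column names and ORDER BY clauses cannot be bound as parameters and must be validated against an allow-list instead.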

The first step in dealing with SQLi exploits is detecting and investigating them. When under attack, the following questions are critical:

  • When was I attacked?
  • Where was I attacked?
  • How widespread was the attack?
  • Were any files or tables overwritten?
  • Who is attacking me, and are others being attacked as well?

AlienVault Unified Security Management (USM) can help you deal with SQLi attacks with several integrated security technologies. USM includes a host-based intrusion detection system (HIDS). The HIDS agent is installed on the web server and parses the access logs of your Apache or IIS server, looking for request patterns indicative of SQLi (quoted tautologies such as ' OR '1'='1, UNION SELECT, comment sequences, time-delay functions) and raising an alarm when it finds them. Because each alert carries the offending request, you can see which URLs and parameters were targeted, from where, and when. To confirm which tables were actually read or modified, pair these alerts with the database server's query or audit logs; the web server log alone shows what was sent, not what the database did with it.
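To make the log-parsing step concrete, here is an added example of the kind of detection logic a HIDS runs over web server access logs. It is illustrative code written for this article, not the OSSEC rule set or any AlienVault component, and the Apache combined-format log lines, IP addresses, paths and payloads are all constructed for the example. It decodes each request's query parameters, matches them against a small set of SQLi indicators, and then summarizes the alerts into answers for the questions above: when, where, how widespread, and from whom.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access log lines (not from the page). Lines 2,
# 3 and 5 carry injection payloads; line 4 is a legitimate request whose apostrophe
# must not trigger a false positive.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:13:55:36 -0700] "GET /products?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:41 -0700] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 18423 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:13:56:02 -0700] "GET /products?id=42+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 612 "-" "sqlmap/1.0"
203.0.113.7 - - [10/Mar/2015:13:56:10 -0700] "GET /search?q=O%27Reilly HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:13:56:30 -0700] "GET /products?id=42%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5123 "-" "sqlmap/1.0"
"""

# Apache "combined" log format; the referer/user-agent pair is optional so that
# "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Indicators typical of SQLi payloads, most specific first. The bare comment
# sequence is last because it is the weakest signal on its own.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""\b(?:or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)),
    ("comment-terminator", re.compile(r"--|/\*|#")),
]

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def scan_record(rec):
    """Return one alert per request field (path or query parameter) that contains
    an SQLi indicator. Values are decoded a second time so that a double-encoded
    payload (e.g. %2527 for a quote) is inspected in its decoded form."""
    parts = urlsplit(rec["target"])
    fields = [("(path)", unquote_plus(parts.path))]
    fields += [(k, unquote_plus(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    alerts = []
    for name, value in fields:
        for indicator, pattern in SQLI_PATTERNS:
            if pattern.search(value):
                alerts.append({
                    "time": rec["time"], "src_ip": rec["ip"], "path": parts.path,
                    "param": name, "indicator": indicator, "payload": value,
                    "status": rec["status"], "agent": rec["agent"],
                })
                break  # report the strongest indicator once per field
    return alerts

def scan_log(text):
    """Run the detector over a whole log; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            alerts.extend(scan_record(rec))
    return alerts

def summarize(alerts):
    """Answer the incident questions: when, where, how widespread, and by whom."""
    if not alerts:
        return None
    return {
        "first_seen": min(a["time"] for a in alerts),
        "last_seen": max(a["time"] for a in alerts),
        "attackers": sorted({a["src_ip"] for a in alerts}),
        "targets": sorted({(a["path"], a["param"]) for a in alerts}),
        "indicators": sorted({a["indicator"] for a in alerts}),
    }

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["time"].isoformat(), a["src_ip"], a["path"], a["param"], a["indicator"], repr(a["payload"]))
    print(summarize(found))
```

Two caveats a practitioner should keep in mind. A successful attack often leaves a 200 status and a larger-than-usual response size (the tautology line above returns far more bytes than the normal request), so response size is worth alerting on alongside the payload match. And POST bodies are not in the access log at all, so log-based detection sees only what is in the URL; payloads sent in form fields or JSON bodies need either application-level logging or network inspection.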

Here is an example of the USM console displaying SQLi events and the associated threat details from the OSSEC HIDS.

[Figure: AlienVault HIDS dashboard]

[Figure: List of recent SQLi events]

[Figure: Details about the threat (SQLi event detail)]

The next technology is network IDS, which is also built into USM. With the NIDS you monitor every connection request arriving at your web server and match it against signatures associated with SQLi attacks, independently of what the web server chooses to log. That shows you when and where you are being attacked. One caveat: a network sensor cannot inspect a request inside a TLS session unless the traffic is decrypted before it reaches the sensor, so for HTTPS sites the HIDS on the web server remains the more reliable source. With the threat landscape constantly evolving, it is critical to stay current on attacks occurring in the wild, and AlienVault keeps the IDS signature set updated for that purpose.

In addition, AlienVault's Open Threat Exchange (OTX) is helpful when dealing with SQLi. OTX is integrated with USM, so you see all of this information from a single console. OTX gives you visibility into known bad actors who may be attacking you, the other side of the equation. Bad actors appear in the OTX database because AlienVault Labs research identified them, because the IP has attacked other OTX contributors, or because they were reported through other threat-sharing services AlienVault uses.

OTX data provides context for the IDS information and increases your confidence that a detected threat is malicious, since the activity you are observing comes from a known malicious host. The reverse does not hold: an attacking IP that is absent from OTX (a freshly provisioned cloud host, a compromised machine, a proxy) should not be treated as benign, so reputation data should raise the priority of an alert rather than gate it. USM combines and correlates input from HIDS, NIDS and OTX with its built-in Security Information and Event Management (SIEM).

USM provides a single console with the information you need to do fast and effective incident response.



About AlienVault


AlienVault's mission is to enable organizations with limited resources to accelerate and simplify their ability to detect and respond to the growing landscape of cyber threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by threat intelligence from AlienVault Labs and the AlienVault Open Threat Exchange, the world's largest crowd-sourced threat intelligence network, AlienVault USM delivers a unified, simple and affordable solution for threat detection, incident response and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.

AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. For more information visit www.AlienVault.com