Imperva, profile picture
Uploaded byImperva
PDF, PPTX1,522 views

SQL Injection - The Unknown Story

This document summarizes a webinar about SQL injection attacks. It discusses how SQL injection has remained the primary method of data theft from hacking. It provides statistics on the prevalence of SQL injection vulnerabilities and attacks. It then outlines the typical process attackers use, including using Google dorks to find vulnerable sites, scanning sites for vulnerabilities, and using automated tools like Havij and SQLmap to carry out attacks. The document concludes with recommendations for organizations on how to prevent SQL injection attacks, such as deploying web application firewalls, integrating vulnerability scanners, blocking known attacker systems, and fixing vulnerabilities.

Embed presentation

Download as PDF, PPTX
SQL Injection – The Unknown Story Rob Rachwald, Director of Security Strategy, Imperva Live Webinar - October 26, 2011
Agenda  SQL Injection: A Short Primer  SQL Injection Today + Attack Statistics + Attack Process + Attack Tools  Mitigation Checklist
Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva  Research + Directs security strategy + Works with the Imperva Application Defense Center  Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and Australia  Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today  Graduated from University of California, Berkeley
SQL Injection Primer
Reason for Data Loss from Hacking: 2005-2011 Other 17% SQL injection 83% Total=315,424,147 records (856 breaches) Source: Privacy Rights Clearinghouse
Total Web Application Vulnerabilities # of websites (estimated: July 2011)* : 357,292,065 x # of vulnerabilities** : 230 1% 821,771,600 vulnerabilities in active circulation *Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html **Source: https://www.whitehatsec.com/home/resource/stats.
How Many SQL Injections? 821,771,600 vulnerabilities in active circulation What About SQL Injections?  10%? 82,177,160  20%? 164,354,320  30%? 246,531,480
SQL Injection Means Business, Literally
SQL Injection: Defined
SQL Injection: Technical Impact Retrieve sensitive data from the organization Steal the site’s administrator password Lead to the downloading of malware
SQL Injection: Business Impact Breach Date March 15, 2011 Breach Date January 19, 2009
SQL Injection Today: Attack Stats
Still a Very Relevant Attack  On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.
SQL Injections By the Hour
Majority of Attacks from Small Number of Hosts  41% of all SQLi attacks originated from just 10 hosts
SQL Injection Today: Attack Process
Hackers Increasingly Bypass Simple Defenses 1'/**/aND/**/'8'='3 1 DeClARe @x varchar(99) set @x=0x77616974666f722064656 c61792027303a303a323027 exec(@x)-- concat() and char() x' wAiTfOr dELay '0:0:20'--
Getting Started  Option 1a: Dorking + Intent: Find something generally vulnerable  Option 1b: General purpose scanner + Intent: Find something specifically vulnerable
Step 1a: Google Dorks
Step 1a: Google Dorks What is It? A google search term targeted at finding vulnerable websites. How Does It Work? An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are potentially vulnerable.
Dorking in Action
Automated Dorking (Desktop)
Carrying Out Attacks via Compromised Hosts
Dork Power: Queries Per Hour
Dork Power: Queries Per Day
Dorking in Action (Non SQL Example)
Dork Origins Country # of Dork Queries % of Dork Queries Islamic Republic of Iran 227,554 41 Hungary 136,445 25 Germany 80,448 15 United States 19,237 3.5 Chile 17,365 3 Thailand 16,717 3 Republic of Korea 11,872 2 France 10,906 2 Belgium 10,661 2 Brazil 7,559 1.5 Other 8,892 2
Step 1b: Scanners  Choose the target site  Scan it with scanner to find vulnerabilities  Expand the vulnerability into full blown exploit
Step 1b: Automated Scanning, Service
Step 1b: Automated Scanning, Service
Step 3: Automated Attack Tools SQLmap Havij
Automated Tools  Havij/SQLmap pick up where scanner stops and exploit the application + Inserts sql statements + Will not scan full app, just specific areas. Makes a small hole really big + Fetches specific information, such as column data
SQLi Attack Vectors  Direct query manipulation  Discovering the database structure  Union Select SQL injection  Time-based blind SQL injection  Bypassing simple parameter sanitation
Step 4: Harvest
SQL Injection Today: Attack Tools
Main Automated Attack Tools SQLmap Havij
Attacks From Automated Tools
Mitigation Checklist
Step 1: Dork Yourself  Put detection policies in place (using the data source monitoring solution) to depict move of sensitive data to public facing servers.  Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.  Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks  Positives + Blocks up to 40% of attack traffic + Easy  Negatives + Does not deal with the underlying problem
Step 3: Use a WAF to Detect/Block Attacks  Positives + Can block many attacks + Relatively easy + Can accelerate SDLC  Negatives + Can become a crutch + Potential for false positives
Step 4: WAF + Vulnerability Scanner “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability- scanners-should-communicate-with-application-firewalls/
Virtual Patching through Scanner Integration  Apply SecureSphere policies based on scan results  Monitor attempts to exploit known vulnerabilities  Fix and test vulnerabilities on your schedule Scanner finds vulnerabilities Customer Site SecureSphere imports Monitor and protect scan results Web applications
Step 5: Stop Automated Attack Tools  Positives + Detects automated tool fingerprints to block many attacks + Relatively easy  Negatives + Potential for false positives
Step 6: Code Fixing  Positives + Root cause fixed + Earlier is cheaper  Negatives + Expensive, time consuming + Never-ending process
Summary: The Anti-SQL Stack Dork Yourself Blacklist WAF WAF + VA Stop Automated Attacks Code Fixing
About Imperva
Our Story in 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
Webinar Materials Get LinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Recording ADC Research Link Report
www.imperva.com

More Related Content

PPTX
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
PDF
Secure Coding for Java - An Introduction
bySebastien Gioria
 
PPTX
What? Why? Who? How? Of Application Security Testing
byTEST Huddle
 
PDF
Dev secops on the offense automating amazon web services account takeover
byPriyanka Aash
 
PDF
Web Application Penetration Testing - 101
byAndrea Hauser
 
PDF
Automated Detection of Session Fixation Vulnerabilities
byYuji Kosuga
 
PPTX
Introduction to Web Application Penetration Testing
byRana Khalil
 
PDF
CyberCentral Summit 2018 in Prague
byAlexander Leonov
 
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
Secure Coding for Java - An Introduction
bySebastien Gioria
 
What? Why? Who? How? Of Application Security Testing
byTEST Huddle
 
Dev secops on the offense automating amazon web services account takeover
byPriyanka Aash
 
Web Application Penetration Testing - 101
byAndrea Hauser
 
Automated Detection of Session Fixation Vulnerabilities
byYuji Kosuga
 
Introduction to Web Application Penetration Testing
byRana Khalil
 
CyberCentral Summit 2018 in Prague
byAlexander Leonov
 

What's hot

PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
PPTX
Vulnerability Intelligence and Assessment with vulners.com
byAlexander Leonov
 
PPTX
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
byAlexander Leonov
 
PPTX
Web Application Penetration Testing Introduction
bygbud7
 
PPTX
Advanced SQL Injection
byJoe McCray
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PPTX
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
PDF
Web Application Security with PHP
byjikbal
 
PDF
Building a low cost hack lab
byJoe McCray
 
PPTX
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
byRana Khalil
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 
PDF
How to find Zero day vulnerabilities
byMohammed A. Imran
 
PDF
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
PPTX
Wireless Pentesting: It's more than cracking WEP
byJoe McCray
 
PDF
Continuous Security Testing
byRay Lai
 
PPTX
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
PPTX
You Spent All That Money And Still Got Owned
byJoe McCray
 
PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPTX
Big Bang Theory: The Evolution of Pentesting High Security Environments
byJoe McCray
 
PPTX
Cyber Security and Open Source
byPOSSCON
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
Vulnerability Intelligence and Assessment with vulners.com
byAlexander Leonov
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
byAlexander Leonov
 
Web Application Penetration Testing Introduction
bygbud7
 
Advanced SQL Injection
byJoe McCray
 
Owasp top 10 security threats
byVishal Kumar
 
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
Web Application Security with PHP
byjikbal
 
Building a low cost hack lab
byJoe McCray
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
byRana Khalil
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 
How to find Zero day vulnerabilities
byMohammed A. Imran
 
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
Wireless Pentesting: It's more than cracking WEP
byJoe McCray
 
Continuous Security Testing
byRay Lai
 
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
You Spent All That Money And Still Got Owned
byJoe McCray
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
byJoe McCray
 
Cyber Security and Open Source
byPOSSCON
 

Viewers also liked

PPT
Sql injection
byPallavi Biswas
 
PDF
XSS Remediation
byDenim Group
 
PPT
Sql Injection Tutorial!
byralphmigcute
 
PPT
SQL Injection in PHP
byDave Ross
 
PDF
Neutralizing SQL Injection in PostgreSQL
byJuliano Atanazio
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
PPT
Blind SQL Injection - Optimization Techniques
byguest54de52
 
PDF
Sql Injection and XSS
byMike Crabb
 
PPT
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
PDF
Advanced SQL Injection: Attacks
byNuno Loureiro
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PPTX
Sql Injection and Entity Frameworks
byRich Helton
 
PPTX
Sql injection - security testing
byNapendra Singh
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PPT
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
PPT
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
PPTX
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
Database security issues
byn|u - The Open Security Community
 
Sql injection
byPallavi Biswas
 
XSS Remediation
byDenim Group
 
Sql Injection Tutorial!
byralphmigcute
 
SQL Injection in PHP
byDave Ross
 
Neutralizing SQL Injection in PostgreSQL
byJuliano Atanazio
 
Defcon 17-joseph mccray-adv-sql_injection
byAhmed AbdelSatar
 
Blind SQL Injection - Optimization Techniques
byguest54de52
 
Sql Injection and XSS
byMike Crabb
 
Sql Injection Attacks Siddhesh
bySiddhesh Bhobe
 
Advanced SQL Injection: Attacks
byNuno Loureiro
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
Sql Injection and Entity Frameworks
byRich Helton
 
Sql injection - security testing
byNapendra Singh
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
ShmooCON 2009 : Re-playing with (Blind) SQL Injection
byChema Alonso
 
Web application attacks using Sql injection and countermasures
byCade Zvavanjanja
 
Google Dorks and SQL Injection
byMudassir Hassan Khan
 
SQL INJECTION
byAnoop T
 
Database security issues
byn|u - The Open Security Community
 

Similar to SQL Injection - The Unknown Story

PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
The State of Application Security: What Hackers Break
byImperva
 
PDF
Lessons Learned From the Yahoo! Hack
byImperva
 
PDF
Cyber Vigilantes: Turning the Tables on Hackers
byImperva
 
PPTX
State of the information security nation
bySensePost
 
PDF
An Anatomy of a SQL Injection Attack
byImperva
 
PDF
Thy myth of hacking Oracle
byErmando
 
PPTX
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
PDF
Dan Guido SOURCE Boston 2011
bySource Conference
 
PDF
Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
byImperva
 
PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PDF
Top 10 Database Threats
byImperva
 
PDF
Web Application Security Guide by Qualys 2011
bynat page
 
PDF
Qg was guide
bynat page
 
PDF
Oracle tech db-02-hacking-neum-15.04.2010
byOracle BH
 
PPTX
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
PPT
Security Lifecycle Management Process
byBill Ross
 
PDF
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
byImperva
 
PDF
How to Destroy a Database
byJohn Ashmead
 
PDF
Ab cs of software security
byDavid Klassen
 
The State of Application Security: What Hackers Break
byImperva
 
The State of Application Security: What Hackers Break
byImperva
 
Lessons Learned From the Yahoo! Hack
byImperva
 
Cyber Vigilantes: Turning the Tables on Hackers
byImperva
 
State of the information security nation
bySensePost
 
An Anatomy of a SQL Injection Attack
byImperva
 
Thy myth of hacking Oracle
byErmando
 
Cyberjutitsu101coleevertzfinal 1296250763392-phpapp02
byMark Evertz
 
Dan Guido SOURCE Boston 2011
bySource Conference
 
Automated Hacking Tools - Meet the New Rock Stars in the Cyber Underground
byImperva
 
Web hackingtools cf-summit2014
byColdFusionConference
 
Top 10 Database Threats
byImperva
 
Web Application Security Guide by Qualys 2011
bynat page
 
Qg was guide
bynat page
 
Oracle tech db-02-hacking-neum-15.04.2010
byOracle BH
 
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
Security Lifecycle Management Process
byBill Ross
 
Unmasking Anonymous: An Eyewitness Account of a Hacktivist Attack
byImperva
 
How to Destroy a Database
byJohn Ashmead
 
Ab cs of software security
byDavid Klassen
 

More from Imperva

PPTX
Cybersecurity and Healthcare - HIMSS 2018 Survey
byImperva
 
PPTX
API Security Survey
byImperva
 
PPTX
Imperva ppt
byImperva
 
PPTX
Beyond takeover: stories from a hacked account
byImperva
 
PPTX
Research: From zero to phishing in 60 seconds
byImperva
 
PDF
Making Sense of Web Attacks: From Alerts to Narratives
byImperva
 
PDF
How We Blocked a 650Gb DDoS Attack Over Lunch
byImperva
 
PPTX
Survey: Insider Threats and Cyber Security
byImperva
 
PPTX
Companies Aware, but Not Prepared for GDPR
byImperva
 
PPTX
Rise of Ransomware
byImperva
 
PDF
7 Tips to Protect Your Data from Contractors and Privileged Vendors
byImperva
 
PDF
SEO Botnet Sophistication
byImperva
 
PDF
Phishing Made Easy
byImperva
 
PDF
Imperva 2017 Cyber Threat Defense Report
byImperva
 
PDF
Combat Payment Card Attacks with WAF and Threat Intelligence
byImperva
 
PDF
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
byImperva
 
PDF
Get Going With Your GDPR Plan
byImperva
 
PDF
Cyber Criminal's Path To Your Data
byImperva
 
PDF
Combat Today's Threats With A Single Platform For App and Data Security
byImperva
 
PPTX
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 
Cybersecurity and Healthcare - HIMSS 2018 Survey
byImperva
 
API Security Survey
byImperva
 
Imperva ppt
byImperva
 
Beyond takeover: stories from a hacked account
byImperva
 
Research: From zero to phishing in 60 seconds
byImperva
 
Making Sense of Web Attacks: From Alerts to Narratives
byImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
byImperva
 
Survey: Insider Threats and Cyber Security
byImperva
 
Companies Aware, but Not Prepared for GDPR
byImperva
 
Rise of Ransomware
byImperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
byImperva
 
SEO Botnet Sophistication
byImperva
 
Phishing Made Easy
byImperva
 
Imperva 2017 Cyber Threat Defense Report
byImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
byImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
byImperva
 
Get Going With Your GDPR Plan
byImperva
 
Cyber Criminal's Path To Your Data
byImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
byImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 

Recently uploaded

PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PDF
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
Conserving precious peatland habitats using mobile apps - Esri UK Welsh Confe...
byEsri UK
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PDF
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Conserving precious peatland habitats using mobile apps - Esri UK Welsh Confe...
byEsri UK
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Agentic AI presentation with Python Exercises
byParth Mane
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 

SQL Injection - The Unknown Story

  • 1.
    SQL Injection –The Unknown Story Rob Rachwald, Director of Security Strategy, Imperva Live Webinar - October 26, 2011
  • 2.
    Agenda  SQL Injection:A Short Primer  SQL Injection Today + Attack Statistics + Attack Process + Attack Tools  Mitigation Checklist
  • 3.
    Today’s Presenter Rob Rachwald,Dir. of Security Strategy, Imperva  Research + Directs security strategy + Works with the Imperva Application Defense Center  Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and Australia  Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today  Graduated from University of California, Berkeley
  • 4.
  • 5.
    Reason for DataLoss from Hacking: 2005-2011 Other 17% SQL injection 83% Total=315,424,147 records (856 breaches) Source: Privacy Rights Clearinghouse
  • 6.
    Total Web ApplicationVulnerabilities # of websites (estimated: July 2011)* : 357,292,065 x # of vulnerabilities** : 230 1% 821,771,600 vulnerabilities in active circulation *Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html **Source: https://www.whitehatsec.com/home/resource/stats.
  • 7.
    How Many SQLInjections? 821,771,600 vulnerabilities in active circulation What About SQL Injections?  10%? 82,177,160  20%? 164,354,320  30%? 246,531,480
  • 8.
    SQL Injection MeansBusiness, Literally
  • 9.
  • 10.
    SQL Injection: TechnicalImpact Retrieve sensitive data from the organization Steal the site’s administrator password Lead to the downloading of malware
  • 11.
    SQL Injection: BusinessImpact Breach Date March 15, 2011 Breach Date January 19, 2009
  • 12.
  • 13.
    Still a VeryRelevant Attack  On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.
  • 14.
  • 15.
    Majority of Attacksfrom Small Number of Hosts  41% of all SQLi attacks originated from just 10 hosts
  • 16.
    SQL Injection Today:Attack Process
  • 17.
    Hackers Increasingly BypassSimple Defenses 1'/**/aND/**/'8'='3 1 DeClARe @x varchar(99) set @x=0x77616974666f722064656 c61792027303a303a323027 exec(@x)-- concat() and char() x' wAiTfOr dELay '0:0:20'--
  • 18.
    Getting Started  Option1a: Dorking + Intent: Find something generally vulnerable  Option 1b: General purpose scanner + Intent: Find something specifically vulnerable
  • 19.
  • 20.
    Step 1a: GoogleDorks What is It? A google search term targeted at finding vulnerable websites. How Does It Work? An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are potentially vulnerable.
  • 21.
  • 22.
  • 23.
    Carrying Out Attacksvia Compromised Hosts
  • 24.
  • 25.
  • 26.
    Dorking in Action(Non SQL Example)
  • 27.
    Dork Origins Country # of Dork Queries % of Dork Queries Islamic Republic of Iran 227,554 41 Hungary 136,445 25 Germany 80,448 15 United States 19,237 3.5 Chile 17,365 3 Thailand 16,717 3 Republic of Korea 11,872 2 France 10,906 2 Belgium 10,661 2 Brazil 7,559 1.5 Other 8,892 2
  • 28.
    Step 1b: Scanners Choose the target site  Scan it with scanner to find vulnerabilities  Expand the vulnerability into full blown exploit
  • 29.
    Step 1b: AutomatedScanning, Service
  • 30.
    Step 1b: AutomatedScanning, Service
  • 31.
    Step 3: AutomatedAttack Tools SQLmap Havij
  • 32.
    Automated Tools  Havij/SQLmappick up where scanner stops and exploit the application + Inserts sql statements + Will not scan full app, just specific areas. Makes a small hole really big + Fetches specific information, such as column data
  • 33.
    SQLi Attack Vectors Direct query manipulation  Discovering the database structure  Union Select SQL injection  Time-based blind SQL injection  Bypassing simple parameter sanitation
  • 34.
  • 35.
  • 36.
    Main Automated AttackTools SQLmap Havij
  • 37.
  • 38.
  • 39.
    Step 1: DorkYourself  Put detection policies in place (using the data source monitoring solution) to depict move of sensitive data to public facing servers.  Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.  Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.
  • 40.
    Step 2: Createand Deploy a Blacklist of Hosts that Initiated SQLi Attacks  Positives + Blocks up to 40% of attack traffic + Easy  Negatives + Does not deal with the underlying problem
  • 41.
    Step 3: Usea WAF to Detect/Block Attacks  Positives + Can block many attacks + Relatively easy + Can accelerate SDLC  Negatives + Can become a crutch + Potential for false positives
  • 42.
    Step 4: WAF+ Vulnerability Scanner “Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls” —Neil MacDonald, Gartner Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability- scanners-should-communicate-with-application-firewalls/
  • 43.
    Virtual Patching throughScanner Integration  Apply SecureSphere policies based on scan results  Monitor attempts to exploit known vulnerabilities  Fix and test vulnerabilities on your schedule Scanner finds vulnerabilities Customer Site SecureSphere imports Monitor and protect scan results Web applications
  • 44.
    Step 5: StopAutomated Attack Tools  Positives + Detects automated tool fingerprints to block many attacks + Relatively easy  Negatives + Potential for false positives
  • 45.
    Step 6: CodeFixing  Positives + Root cause fixed + Earlier is cheaper  Negatives + Expensive, time consuming + Never-ending process
  • 46.
    Summary: The Anti-SQLStack Dork Yourself Blacklist WAF WAF + VA Stop Automated Attacks Code Fixing
  • 47.
  • 48.
    Our Story in60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
  • 49.
    Webinar Materials GetLinkedIn to Imperva Data Security Direct for… Answers to Post-Webinar Attendee Discussions Questions Webinar Recording ADC Research Link Report
  • 50.