Old Threat Makes Comeback

Surge in SQL injection attacks points to the need for intrusion prevention systems to protect applications and sensitive data.

Used by cybercriminals for more than 20 years, SQL injection is one of the oldest forms of web application attacks around. Nevertheless, WatchGuard Technologies reports a huge increase in the number of SQL injection attacks between 2018 and 2019.

In its Q4 2019 “Internet Security Report,” WatchGuard found that SQL injection attacks rose a startling 8,000 percent to become the most common network attack of the year by a significant margin. The report is compiled based upon the threats identified and blocked by WatchGuard’s firewalls, Intrusion Prevention Service (IPS) and other tools.

One SQL injection attack signature represented nearly 33 percent of all threats blocked by the WatchGuard IPS. WatchGuard recorded more than 600,000 incidents involving the attack signature in Q4 2019, the third quarter in a row that it held the top spot.

SQL injection attacks exploit web application coding flaws to compromise widely used back-end databases by manipulating user input. If input is not properly filtered to remove dangerous characters, hackers can introduce malicious code into the website or steal sensitive information.

Although the methodology is well understood, SQL injection attacks have successfully compromised the websites of government agencies, banks, retailers and other organizations. According to a February 2020 report from Akamai Technologies, SQL injection accounted for more than 72 percent of all credential-stuffing and other “hostile takeover” attacks in 2018 and 2019.

Simple but Serious

Websites are often the Achilles' heel of corporate IT security because they provide a public-facing gateway to back-end networks and data. Unfortunately, many organizations are using off-the-shelf web applications that are riddled with known vulnerabilities or custom applications that can have numerous unknown flaws. Additionally, web applications typically use multiple modules and third-party APIs, making it exceedingly difficult to locate and patch vulnerabilities.

SQL injection is not a particularly sophisticated attack method, but its simplicity is the key to its prevalence. Any online application that uses a back-end SQL database server, accepts user input, and dynamically forms queries using that input is a potential target. It doesn’t matter if the database is Oracle, Microsoft Access, MS SQL Server or MySQL because they all use SQL (structured query language) to manipulate and retrieve data.

Browser-based forms that accept input, such as log-in pages, are ultimately building queries that are sent to the database server. SQL injection attacks exploit poorly coded web applications that allow SQL commands to be “injected” into the user input fields. The right command can trick the web application into running unauthorized queries against its back-end database, thus giving an attacker complete control of the database to steal or alter its contents.
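The flaw described above is a query built by string concatenation, and the fix is to bind user input as parameters so it is never parsed as SQL. The following is an added example, not code from the article or from WatchGuard; it uses an in-memory SQLite table with constructed data, but the same pattern applies to the Oracle, SQL Server and MySQL drivers the article mentions.

```python
import sqlite3


def setup_db():
    """Constructed in-memory users table so the example runs offline (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Dynamically forms the query from raw input: the coding flaw the article describes."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is treated as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both implementations against a valid credential and the textbook quote-closing input."""
    conn = setup_db()
    tautology = "' OR '1'='1"  # closes the string literal; a standard test-case input
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),        # True: check bypassed
        "tautology_parameterized": login_parameterized(conn, "alice", tautology),  # False: no such password
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Bound parameters also remove the need for the hand-written filtering of “dangerous characters” mentioned earlier, which is easy to get wrong; an IPS signature for the same pattern is a second layer, not a substitute for this fix.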

Preventing SQL Injection Attacks

To mitigate SQL injection attacks, organizations should use a layered approach to secure web applications and their associated databases. The first layer is patching servers, databases, programming languages and operating systems on a regular basis. Security experts recommend performing thorough audits of websites and web applications to discover SQL injection vulnerabilities.

An IPS provides an additional layer of defense. WatchGuard’s IPS provides protection against a broad range of attacks, including SQL injection, cross-site scripting and buffer overflows, that may get past firewalls but carry malicious content. It can also detect and block outbound communication to malicious hosts, preventing the exfiltration of sensitive data.

The WatchGuard IPS includes more than 15,000 attack signatures, each with an associated severity level. When deployed using WatchGuard’s unified threat management (UTM) solution, the IPS integrates tightly with other security functions to speed detection while reducing false positives.

Most organizations concentrate their security efforts on the network perimeter. The sudden rise in SQL injection attacks seems a clear indication that web applications, which are easy to deploy and update, have not been subjected to the same rigorous testing as other systems, applications and services. Careful patching of web applications coupled with an IPS can help prevent hackers from injecting malicious code into back-end databases.