[Q1 2015] Cruel (SQL) Intentions
akamai.com
= SQLi attacks: case study
• Technique used to exploit web applications
• Attackers change the logic of SQL statements executed against a database
• Although not new, SQL injection (SQLi) attacks continue to pose cloud security risks
– Attackers may use the original or more evolved SQLi exploitation methods
• Automated injection tools streamline and simplify the process
2 / [The State of the Internet] / Security (Q1 2015)
= SQLi attack categorization
• Akamai’s Threat Research team developed a technique to categorize SQLi attacks
• This technique involved analyzing individual attack payloads and determining the intent behind each one
• The data included more than 8 million SQLi attacks targeting more than 2,000 unique web applications over a period of seven days
= SQLi attack types
• Malicious actors typically assess a web application for vulnerability to SQLi
• The database structure is probed so that the attacker can retrieve contents remotely
• The login mechanism is bypassed, allowing the attacker to escalate privileges
• A common and classic payload is to send ' OR 1=1 as the user name, then attempt to escalate privileges by logging in with the user name admin' or 1=1--.
= SQLi attack types (continued)
Other SQLi attack types can include:
• Credential theft
• Data and file exfiltration
• Denial of Service (DoS)
• Data corruption
• Malicious file upload
• Website defacement and malicious content injection
• Remote command execution
= SQLi probing and testing
The most common SQLi attack over the seven-day study period was SQLi probing and injection testing.
• As a first step, malicious actors will assess all entry points of a web application in search of a vulnerability
• The attacker will send a wide range of characters with syntactic meaning in SQL, as well as blind-injection related Boolean sequences or timed queries
• These queries naturally result in large volumes of traffic
– Nearly 60 percent of HTTP transactions are attributable to these probing attempts
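The login bypass on the "SQLi attack types" slide and the probing behaviour described above, shown side by side in an added example (not from the Akamai report): a login query built by string concatenation against the same query using bound parameters, run in an in-memory SQLite table with constructed placeholder credentials. The `probe` helper returns what a tester would observe for each input: a matched row, no match, or a database error, which is the signal that syntactically meaningful characters are reaching the SQL parser.

```python
import sqlite3

# Constructed sample table; the credentials are placeholders, not real ones.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "adm1n-secret", "admin"), ("alice", "alice-pw", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # Input is concatenated into the statement, so quotes and comment
    # markers in the input change the logic of the query itself.
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def login_parameterized(conn, username, password):
    # Bound parameters are handed to the engine as data and never parsed as SQL,
    # so the same inputs simply fail to match a row.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def probe(login, conn, username, password):
    # What a tester observes for one request: the matched row, no match, or a
    # database error (a syntax error on a lone quote is the classic probe signal).
    try:
        row = login(conn, username, password)
        return "row:" + row[0] if row else "none"
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = build_db()
    for user, pw in [("admin", "adm1n-secret"), ("'", "x"), ("admin' or 1=1--", "x")]:
        print(repr(user).ljust(20),
              "vulnerable:", probe(login_vulnerable, db, user, pw).ljust(10),
              "parameterized:", probe(login_parameterized, db, user, pw))
```

Against the concatenated query, the report's admin' or 1=1-- user name logs in as admin with any password and a bare quote produces a database error; the parameterized query returns no match for both, which is why prepared statements, not input filtering, are the primary fix.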
= summary
• Malicious actors use a variety of SQLi techniques to perform different tasks
• These attacks can extend well beyond simple data exfiltration, and have the potential to cause more damage than a data breach
• It is not safe to assume that SQLi attacks lead only to data theft
• Privilege escalation, command execution, data infection or corruption, and denial of service are among the many ways these attacks can harm your business
= Q1 2015 State of the Internet – Security Report
Download the Q1 2015 State of the Internet Security Report
• The Q1 2015 report covers:
– Analysis of DDoS and web application attack trends
– Bandwidth (Gbps) and volume (Mpps) statistics
– Year-over-year and quarter-by-quarter analysis
– Attack frequency, size, types and sources
– Security implications of the transition to IPv6
– Mitigating the risk of website defacement and domain hijacking
– DDoS techniques that maximize bandwidth, including booter/stresser sites
– Analysis of SQL injection attacks as a persistent and emerging threat
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.