Cruel SQL Injection | Web Application Attacks | S


akamai’s [state of the internet] / security

Q1 2015 State of the Internet Security Report — Cruel (SQL) Intentions

Selected excerpts

SQL injection (SQLi) is an attack method employed by malicious actors to exploit web applications. When an attacker locates a vulnerability in an application, they are able to change the logic of the SQL statements executed against the database.

Although SQLi has been employed since the late ’90s, it continues to top industry lists of web application security flaws and risks. Akamai’s Threat Research team developed a technique to categorize SQLi attacks through individual attack payload analysis and determination of intent behind each one. Over a seven-day study period, the team collected data from Akamai’s Kona Site Defender web application firewall, analyzing more than 8 million SQLi attacks targeting more than 2,000 customer web applications. While original SQLi methods are still in use, new techniques have evolved. Moreover, automated injection tools make it easy to complete complex steps in the process.

Through careful analysis, the team identified the goals of SQLi attacks. The first goal was SQLi probing and injection testing. This enables the attacker to assess the web application for vulnerability to SQLi. Part of this process includes locating all entry points and sending string sequences to sense whether the application is vulnerable. If an application is vulnerable to SQLi, the malicious actor’s next step is to learn the type and structure of the database and associated information. Once the attacker has a clear understanding of the type and structure of the database and its tables, remote data retrieval can proceed via techniques such as data extraction or blind SQLi.

Other attack types include login mechanism bypass and privilege escalation, business logic subversion, credential theft, and data corruption. Additionally, SQLi attacks can be used to generate Denial of Service (DoS) attacks that can overload and shut down a database. SQLi attack types designed to deface websites might insert adversarial content that appears to users as legitimate web content. The Threat Research team’s analysis revealed that more than 96 percent of the attacks were over clear HTTP vs. HTTPS (encrypted). Of the 11 SQLi attack types analyzed, three attack vectors were responsible for more than 98 percent of the detected attack attempts.

The most common attack type observed in the study period was SQLi probing and injection testing. These probing attempts produce a large volume of traffic, and accounted for nearly 60 percent of HTTP transactions during the study period.



Credential theft was the second-most frequently observed attack type, representing more than 23 percent of the total attacks. Although this category is a subset of content retrieval, it is unique and large enough to merit its own focus.

Most targeted SQLi attacks require the malicious actor to probe the database environment and extract pertinent information. Not unexpectedly, more than 1 million of the malicious transactions (15.5 percent of the total) attempted to carry out such actions, making this attack type the third most common type observed.
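The categorization by intent described above can be sketched as a small rule-based classifier over requests a WAF has already flagged. This is an added example, not Akamai's code or rule set: the regular expressions, category labels and sample requests are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Hypothetical signatures (not Akamai's rules), most specific intent first.
RULES = [
    ("credential_theft",
     re.compile(r"\bselect\b.+\b(?:password|passwd|pwd)\b", re.I)),
    ("environment_probing",
     re.compile(r"@@version|\bversion\s*\(|\binformation_schema\b", re.I)),
    ("probing_injection_testing",
     re.compile(r"'|--|/\*|\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.I)),
]

# Constructed sample records: (scheme, raw URL-encoded query string).
SAMPLES = [
    ("http", "id=1%27"),
    ("http", "id=1+AND+1%3D1"),
    ("http", "id=1+UNION+SELECT+%40%40version"),
    ("https", "id=1+UNION+SELECT+table_name+FROM+information_schema.tables"),
    ("http", "id=1+UNION+SELECT+username%2Cpassword+FROM+users"),
    ("http", "q=shoes"),
]

def classify(query_string):
    """Return the first matching intent label for a URL-encoded query string."""
    decoded = unquote_plus(query_string)  # decode %xx and '+' before matching
    for intent, pattern in RULES:
        if pattern.search(decoded):
            return intent
    return "unclassified"

def summarize(records):
    """Tally intents and the percentage of classified requests sent over clear HTTP."""
    labelled = [(scheme, classify(query)) for scheme, query in records]
    counts = Counter(intent for _, intent in labelled)
    flagged = [scheme for scheme, intent in labelled if intent != "unclassified"]
    clear_pct = 100.0 * flagged.count("http") / len(flagged) if flagged else 0.0
    return counts, clear_pct

if __name__ == "__main__":
    counts, clear_pct = summarize(SAMPLES)
    for intent, n in counts.most_common():
        print(f"{intent:28s} {n}")
    print(f"clear HTTP share of classified requests: {clear_pct:.1f}%")
```

Rule order matters: a credential-theft request also contains generic probing tokens, so the most specific intent is tested first.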

Malicious actors utilize a variety of SQLi attack techniques to carry out many different tasks. Well beyond simple data exfiltration, these malicious queries have the potential to cause far more damage than a data breach. When generating threat models for your web applications, do not assume that data theft is the only target and risk of SQLi attacks. These attacks can imperil your business by elevating privileges, stealing, infecting or corrupting data, denying service, and more.

Get the full Q1 2015 State of the Internet — Security Report with all the details

Each quarter Akamai produces a quarterly Internet security report. Download the Q1 2015 State of the Internet — Security Report for:

• Analysis of DDoS and web application attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Attack frequency, size, types and sources
• Security implications of the transition to IPv6
• Mitigating the risk of website defacement and domain hijacking
• DDoS techniques that maximize bandwidth, including booter/stresser sites
• Analysis of SQLi attacks as a persistent and emerging threat

The more you know about web security, the better you can protect your network against cybercrime. Download the free Q1 2015 State of the Internet — Security Report at http://www.stateoftheinternet.com/security-reports today.

About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.

