SQL Injection Attacks on the Rise
MessageLabs reports that the number of SQL injection attacks spiked sharply last month.
- By Stephen Swoyer
- August 13, 2008
According to security researcher MessageLabs, the number of SQL injection attacks
spiked sharply last month, helping account for a near doubling of the number
of malicious Web sites it identified and blocked each day. This amounts to a
record-high threat level, the security researcher said.
Why SQL injection attacks and why now?
"An emerging theme for threats [in July] seems to be new variations on
old attack methods," said Mark Sunner, chief security analyst for MessageLabs,
in a statement. "Following on from June, Web-based malware continues to
be a treacherous threat and organizations would be smart to build their Web
security defenses in preparation for what could be on the horizon."
If July was any indication, more SQL injection, cross-site scripting and other
familiar attacks could be on the horizon.
SQL injection vulnerabilities are the very stuff of low-hanging fruit. They're
almost certainly widespread, stemming as they do from design trade-offs, development
deadlines, functional requirements, a lack of imagination or developer indifference.
They're also easy to test for, security experts said, in part because of a
bevy of free, publicly available testing tools, including a plug-in for the
popular Firefox Web browser. Consequently, researchers said, the onus is on
development teams to proactively identify and patch SQL injection flaws before
attackers -- using, in some cases, the same tools -- beat them to it.
"The root cause is unvalidated input, which can lead to SQL injection,
among other things, including cross-site scripting, passive manipulation, and
other things," said a CISSP with a prominent consulting and services firm
who asked to remain anonymous. "The point is that there are tools out there
[such that] if you point them to a Web site, they will try [injecting SQL into]
every Web site they can find. There's even a Firefox extension."
That's part of the rub, according to this CISSP. "This is just one of
several tools designed for site designers to scan their own Web sites. But that's
part of the problem: It's freely available and anyone can use it -- the bad
guys can use it just as easily as the developers themselves."
How does a SQL injection vulnerability become a reality? This CISSP -- who,
in a former career, logged almost a decade as a software engineer -- said it's
a question of dueling pressures. "Developers are under pressure to release
software that fulfills functional requirements. Security requirements are generally
not part of functional requirements. The No. 1 rule is to release the software
that does its job by this date. If you can't do anything else, do that,"
he said. "The way we'd like to see development going is you'd like to have
a security guy involved from the beginning. You'd like to have developers knowing
or caring enough, or having time [enough], to test these things themselves."
Not that attackers are foregoing innovation altogether, of course. According
to MessageLabs, spammers are ceaselessly innovative. They'd previously exploited
Google's hosted applications (i.e., Google Docs, Google Pages and Google Calendar)
to disseminate spam, for example. Last month, spammers were targeting Google's
"Sites" feature, which lets them build URLs (derived from Web pages
consisting of random letters and numbers) that are more difficult to block using
conventional anti-spam tools.
"Google Sites is yet another way that spammers have programmatically defeated
CAPTCHA [Completely Automated Public Turing Test to Tell Computers and Humans
Apart] mechanisms, a validation technique that is designed to defend against
automated sign-up tools frequently used by spammers by requiring the user to
enter a string of letters," Sunner said. "While Google Sites spam
accounts for only 1 percent of all spam currently, we anticipate that this technique's
popularity will rival that of its predecessors, Google Docs, Calendar and Pages
spam. If this is the case, then we may see spam levels increase in the months
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.