In-Depth

SQL Injection Attacks on the Rise

SQL injection vulnerabilities are easy -- and cheap -- to test for, regardless of whether you're a good guy or a malicious hacker

• By Stephen Swoyer
• 08/12/2008

Some things seem inescapable -- like death, taxes, and SQL injection attacks.

According to security researcher MessageLabs, the number of SQL injection attacks spiked sharply last month, helping account for a near doubling of the number of malicious Web sites it identified and blocked each day. This amounts to a record-high threat level, the security researcher says.

Why SQL injection attacks and why now?

"An emerging theme for threats [in July] seems to be new variations onold attack methods," said Mark Sunner, chief security analyst for MessageLabs, in a statement. "Following on from June, Web-based malware continues to be a treacherous threat and organizations would be smart to build their Web security defenses in preparation for what could be on the horizon."

If July was any indication, more SQL injection, cross-site scripting, and other old familiar attacks could be on the horizon. SQL injection vulnerabilities are the very stuff of low-hanging fruit: they're almost certainly widespread -- stemming as they do from design trade-offs, development deadlines, functional requirements, a lack of imagination, or developer indifference.

They're also easy to test for, security experts say, in part because of a bevy of free, publicly-available testing tools -- including a plug-in for the popular Firefox Web browser. Consequently, researchers say, the onus is on development teams to proactively identify and patch SQL injection flaws before attackers -- using, in some cases, the same tools -- beat them to it.

"The root cause is unvalidated input, which can lead to SQL injection, among other things, including cross-site scripting, passive manipulation, and other things," says a CISSP with a prominent consulting and services firm who asked to remain anonymous.

"The point is that there are tools out there [such that] if you point them to a Web site, they will try [injecting SQL into] every Web site they can find. There's even a Firefox extension," he continues. That's part of the rub, according to this CISSP. "This is just one of several tools designed for site designers to scan their own Web sites. But that's part of the problem: it's freely available and anyone can use it -- the bad guys can use it just as easily as the developers themselves."

How does a SQL injection vulnerability become a reality? This CISSP -- who (in a former career) logged almost a decade as a software engineer -- says it's a question of dueling pressures. "Developers are under pressure to release software that fulfills functional requirements. Security requirements are generally not part of functional requirements. The number one rule is to release the software that does its job by this date. If you can't do anything else, do that," he explains.

"The way we'd like to see development going is you'd like to have a security guy involved from the beginning. You'd like to have developers knowing or caring enough, or having time [enough], to test these things themselves."

Not that attackers are foregoing innovation altogether, of course. According to MessageLabs, spammers are ceaselessly innovative: they'd previously exploited Google Inc.'s hosted applications (i.e., Google Docs, Google Pages, and Google Calendar) to disseminate spam, for example. Last month, spammers were targeting Google's "Sites" feature, which lets them build URLs (derived from Web pages consisting of random letters and numbers) that are more difficult to block using conventional anti-spam tools.

"Google Sites is yet another way that spammers have programmaticallydefeated CAPTCHA [Completely Automated Public Turing Test to TellComputers and Humans Apart] mechanisms, a validation technique that isdesigned to defend against automated sign-up tools frequently used byspammers by requiring the user to enter a string of letters," Sunner said.

"While Google Sites spam accounts for only one percent of all spam currently, we anticipate that this technique's popularity will rival that of its predecessors, Google Docs, Calendar, and Pages spam. If this is the case, then we may see spam levels increase in the months ahead."