SQL Injection Attacks on the Rise

MessageLabs reports that the number of SQL injection attacks spiked sharply last month.

According to security researcher MessageLabs, the number of SQL injection attacks spiked sharply last month, helping account for a near doubling of the number of malicious Web sites it identified and blocked each day. This amounts to a record-high threat level, the security researcher said.

Why SQL injection attacks and why now?

"An emerging theme for threats [in July] seems to be new variations on old attack methods," said Mark Sunner, chief security analyst for MessageLabs, in a statement. "Following on from June, Web-based malware continues to be a treacherous threat and organizations would be smart to build their Web security defenses in preparation for what could be on the horizon."

If July was any indication, more SQL injection, cross-site scripting and other familiar attacks could be on the horizon.

SQL injection vulnerabilities are the very stuff of low-hanging fruit. They're almost certainly widespread, stemming as they do from design trade-offs, development deadlines, functional requirements, a lack of imagination or developer indifference.

They're also easy to test for, security experts said, in part because of a bevy of free, publicly available testing tools, including a plug-in for the popular Firefox Web browser. Consequently, researchers said, the onus is on development teams to proactively identify and patch SQL injection flaws before attackers -- using, in some cases, the same tools -- beat them to it.

"The root cause is unvalidated input, which can lead to SQL injection, among other things, including cross-site scripting, passive manipulation, and other things," said a CISSP with a prominent consulting and services firm who asked to remain anonymous. "The point is that there are tools out there [such that] if you point them to a Web site, they will try [injecting SQL into] every Web site they can find. There's even a Firefox extension."

That's part of the rub, according to this CISSP. "This is just one of several tools designed for site designers to scan their own Web sites. But that's part of the problem: It's freely available and anyone can use it -- the bad guys can use it just as easily as the developers themselves."

How does a SQL injection vulnerability become a reality? This CISSP -- who, in a former career, logged almost a decade as a software engineer -- said it's a question of dueling pressures. "Developers are under pressure to release software that fulfills functional requirements. Security requirements are generally not part of functional requirements. The No. 1 rule is to release the software that does its job by this date. If you can't do anything else, do that," he said. "The way we'd like to see development going is you'd like to have a security guy involved from the beginning. You'd like to have developers knowing or caring enough, or having time [enough], to test these things themselves."

Not that attackers are forgoing innovation altogether, of course. According to MessageLabs, spammers are ceaselessly innovative. They'd previously exploited Google's hosted applications (i.e., Google Docs, Google Pages and Google Calendar) to disseminate spam, for example. Last month, spammers were targeting Google's "Sites" feature, which lets them build URLs (derived from Web pages consisting of random letters and numbers) that are more difficult to block using conventional anti-spam tools.

"Google Sites is yet another way that spammers have programmatically defeated CAPTCHA [Completely Automated Public Turing Test to Tell Computers and Humans Apart] mechanisms, a validation technique that is designed to defend against automated sign-up tools frequently used by spammers by requiring the user to enter a string of letters," Sunner said. "While Google Sites spam accounts for only 1 percent of all spam currently, we anticipate that this technique's popularity will rival that of its predecessors, Google Docs, Calendar and Pages spam. If this is the case, then we may see spam levels increase in the months ahead."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
