They’re already one of the leading methods used by hackers, but SQL injection attacks may be about to get a whole lot scarier. Researcher Roberto Salgado, founder and CTO of security consultancy Websec, has discovered an approach to SQL injection that makes attacks more effective while also making them harder to discover, Dark Reading reported. Salgado will be presenting his full findings at the upcoming Black Hat USA conference in Las Vegas.
SQL injection flaws already top the list of the Open Web Application Security Project’s top 10 most critical web application security risks, and they remain among the most commonly targeted vulnerability types due to the relatively low level of resources required to carry them out, according to a previous Dark Reading article. They were one of the most frequently discussed topics on hacker forums in 2012, according to one study. Salgado’s findings may make SQL injection even more accessible.
Optimization and obfuscation
By playing around with the capabilities of SQL injections and looking for ways to make data extraction from a database faster, Salgado was able to find improvements over existing techniques, the security researcher told Dark Reading. His method can perform blind SQL injections 20 to 40 percent faster than the bisection method, currently the leading optimization technique. In his talk, he will show how to cut down the testing of parameters for single, double or no quotes to a single test, as well as other ways he has managed to reduce server requests.
Previous blind injection techniques could only extract one character at a time, for instance, while Salgado’s technique can pull much more information in a single request by reducing the number of characters it looks for. The result is not only a better optimized method, but one that is harder to detect.
“Having an optimized SQL injection can definitely help us because we’re doing a lot fewer requests to the server, which will get the data faster,” Salgado told Dark Reading. “It will use less bandwidth and be less of a burden on the server, which means we can get the data faster without alerting as many people or giving them enough time to react to the attack.”
Additionally, Salgado discovered that, in many cases, an attacker can easily bypass a firewall undetected by changing one character or adding one feature that exists in the database application but that the firewall or web application is not aware of. For instance, Oracle treats the null byte (0x00) as harmless white space, which could lead some programs to ignore it and enable an attacker to get an injection past a firewall undetected.
Preventing SQL injection
Salgado told Dark Reading that he believes his method will be of great interest both to penetration testers and application developers. Given the simplicity of bypassing a firewall using this approach, Salgado hopes that software security professionals will recognize that a firewall alone is not adequate protection against SQL injection. Instead, he recommended using secure development practices such as code review to fix the underlying application flaws.
“I think what is really important to understand is that a firewall will not be the end goal – it won’t protect you against everything,” he told Dark Reading. “You should really have a security team look at your application, make sure that everything is secure, and then add the firewall as an extra step, just in case. A firewall will stop most script kiddies or amateurs, but they’re a joke to anyone with slightly more sophistication.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.