The Akamai Blog

Q1 2015 SOTI Preview: Cruel (SQL) Intentions

The Q1 2015 State of the Internet - Security Report is due out next month, and we spent much of last week's RSA Conference 2015 previewing sections. We continue doing so today.

Last week we reviewed the significance of a 100 Gbps attack, the continuing trend of website defacements and DNS hijacking, and the potential security risks of widespread IPv6 adoption. Today, we look at an analysis of SQL injection attacks based on data from Akamai's Kona Site Defender web application firewall (WAF).

Akamai's Threat Research team set out to review the individual attack payloads in that WAF data and determine the intention behind each one.

For this analysis, we reviewed 8,425,489 SQL injection attacks that targeted more than 2,000 unique Akamai customer web applications over a seven-day period.

4.1 / SQL Injection Attack Types / While the original SQL injection exploitation techniques - which attempt to retrieve data from a backend database - are still in use, newer exploitation methods have evolved. In addition, automated injection tools have been developed to streamline and simplify some of the more complex methods.

4.1A / SQL Injection Probing and Injection Testing / As a first step, malicious actors typically perform an assessment of the web application to determine if it is vulnerable to SQL injection. As part of the process, the actor will traverse the application, locate all entry points and send certain string sequences (a lone single quote is the classic one, since it produces a database error wherever input reaches the query unescaped) to sense whether the application is vulnerable.

4.1B / Environment Probing and Reconnaissance / After the malicious actor concludes that the application is vulnerable to SQL injection, he/she will take the attack a step further by trying to learn the type and structure of the database: its tables, columns, users and permissions.

4.1C / Database Content Retrieval / Once the actor has a clear understanding of the type and structure of the database and its tables, he/she can start retrieving contents remotely. Two common techniques are appending a UNION SELECT so that rows from another table come back through the application's own output, and, where the application displays nothing from the query, blind SQL injection, which infers the data one true/false Boolean expression at a time.

4.1D / Login Mechanism Bypass and Privilege Escalation / Today, the majority of web application login mechanisms use a back-end SQL query to check whether the given credentials are correct, and if the user is allowed to log into the application. This provides malicious actors with a simple, yet extremely effective method to bypass login mechanisms by using SQL injection attacks.

A common and classic payload is to send ' OR 1=1-- as the user name (the trailing -- comments out the remainder of the query, including the password check). In cases where the actor knows the user name of the administrator (e.g. admin), he/she could attempt to elevate privileges by logging in with the user name admin' or 1=1--.

If the application uses that input to complete a query such as:

SELECT * FROM user_tbl WHERE user_name='$_POST{username}' AND password='$_POST{password}'

then the final constructed query will be:

SELECT * FROM user_tbl WHERE user_name='admin' or 1=1--' AND password=''

Everything after -- is a comment, so the password comparison never runs, and because 1=1 is true for every row the query returns the whole table, the administrator's row included; an application that logs in whichever row comes back first is bypassed without the adversary ever knowing the administrator's password. (The variant admin'-- narrows the result to the administrator's row alone.) What makes this SQL injection rather than a bad password guess is that the payload changed the syntactic structure of the application's intended query, not merely the values it compared.

4.1E / Business Logic Subversion / Web application functions that rely on backend SQL queries to fetch data can be subverted to perform unexpected actions, such as returning records that the application's own query was supposed to filter out and that were never meant to be visible.

To read the full story, pre-register for your copy of the Q1 2015 State of the Internet - Security Report.