It has been a very long time since SQL injection was discovered, and attackers have been injecting malicious code into databases ever since by exploiting improper input validation.
From 2005 until today, this oldie has been responsible for more than 80% of hacks and data breaches.
OWASP (the Open Web Application Security Project) ranked INJECTION FLAWS at the top of its list for last year, i.e. 2010. This alone demonstrates how critical this attack is.
The worst part of this attack, SQL injection, is that a big list of vulnerable sites can be found using a little dose of Google dorks.
According to Imperva CTO Amichai Shulman, this has been the most costly vulnerability so far. Famous breaches include Heartland Payment Systems, Nokia, Sony and Lady Gaga’s website.
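The "improper validation" flaw named above is the root of every incident listed on this page: untrusted input becomes part of the SQL statement text instead of being passed as data. The following Python snippet is an added example, not code from the original post; it puts the vulnerable string-concatenation pattern next to the parameterised fix, using an in-memory SQLite table with constructed rows. The function names and sample data are assumptions made for this example.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory SQLite table standing in for a real users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The flaw: user input is concatenated straight into the SQL text, so the
    # input can change the structure of the statement, not just a value in it.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    # The fix: the statement structure is fixed at write time; the value travels
    # as a bound parameter and is never parsed as SQL by the database.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = build_db()
    tautology = "' OR '1'='1"   # the textbook always-true input
    print(lookup_vulnerable(conn, "alice"))        # ['alice']
    print(lookup_vulnerable(conn, tautology))      # ['alice', 'bob']: every row leaks
    print(lookup_parameterised(conn, tautology))   # []: treated as a literal username
```

The parameterised form is the check to look for in a code review: any query built with string concatenation or formatting of request data is the pattern that every breach in the timeline below exploited.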
- 1998: Rain Forest Puppy (RFP) discloses and discusses the initial idea of SQL Injection in Phrack Magazine (Volume 9, Issue 54).
- 2000: Chip Andrews’ “SQL Injection FAQ” is the first public use of the term “SQL Injection” in a paper.
- 2003: The idea of blind SQL Injection is disclosed and discussed.
- 2006: Web application vulnerability disclosures skyrocket, in part due to SQL Injection.
- 2008: The Asprox botnet leverages SQL Injection for mass drive-by SQLi attacks to grow the botnet (http://en.wikipedia.org/wiki/Asprox). From at least April through August, a sweep of attacks exploited SQL Injection vulnerabilities in Microsoft’s IIS Web server and SQL Server database server. The attack does not require guessing the name of a table or column, and it corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches to gaining control over the visitor’s system. The number of exploited Web pages is estimated at 500,000.
- On August 17, 2009, the U.S. Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using a SQL Injection attack. In reportedly “the biggest case of identity theft in American history,” the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.
- On February 5, 2011, HBGary, a technology security firm, was broken into by Anonymous using a SQL Injection in their CMS-driven website.
- On April 11, 2011, Barracuda Networks was compromised using a SQL Injection flaw. Email addresses and usernames of employees were among the information obtained.
- On June 1, 2011, “hacktivists” of the group LulzSec were accused of using SQLi to steal coupons and to download keys and passwords that were stored in plaintext on Sony’s website, accessing the personal information of a million users.
- In June 2011, the group Anonymous claimed to have hacked the NATO site using a “simple SQL Injection.”
As can be seen, the major attacks have been carried out using SQL injection, and hence some solid steps need to be taken right from the start. To better deal with the problem, enterprises should:
- Detect SQL injection attacks using a combination of application layer knowledge (an application profile) and a preconfigured database of attack vector formats.
- Identify the access patterns of automated tools. In practice, SQLi attacks are mostly executed using automated tools.
- Create and deploy a blacklist of hosts that have initiated SQLi attacks. This measure increases the ability to quickly identify and block attackers.

Contact => www.facebook.com/ryan.manjothi