What is the top threat to web applications today? According to the Open Web Application Security Project (OWASP), it’s SQL injection. The problem is so pervasive that it has topped the OWASP Top 10 list of software security issues for several years in a row, and for good reason. Hundreds of millions of database records have been stolen using SQL injection techniques.
Attacks of this nature can be launched very easily, and a great many websites are vulnerable to them. Attackers often use Google dorks or botnets to locate vulnerable websites with poor defenses, and there are numerous tools available to construct attacks. Consequently, attacks utilizing SQL injection are on the rise.
Recently, a blatant example of SQL injection attempts was easily viewable on the troubled healthcare.gov website. When a semicolon was typed into the search box, the autocomplete function revealed frequent attempts by visitors to exploit SQL injection. After a flurry of Tweets within the security community, the autocomplete was fixed.
Web application firewalls (WAF) have been one of the more popular technologies deployed for SQL injection defense. However, they have some limitations. For one thing, they tend to sit at the perimeter in front of web and application servers and they inspect HTTP traffic. If anything gets past these firewalls, it is assumed to be OK to pass on through to the web and app servers and eventually to the backend database. Unfortunately, there are plenty of readily available tools that practically anyone can use to simply overload or bypass these types of firewalls. One penetration testing company advertises that it takes, on average, only an hour to hack a WAF.
DB Networks is taking a different tack to combat SQL injection attacks. The company has just announced its next-generation core IDS. What does that phrase mean?
“Next-generation,” according to DB Networks, means that the solution uses behavioral analysis instead of signatures to detect attacks. “Core” refers to where the device sits: between the web or app server and the backend database. This is not a perimeter device. “IDS” of course stands for intrusion detection system, but DB Networks said it focused this device on detecting one type of intrusion: malicious SQL code. It doesn’t need to scrutinize HTTP or other protocols because the communication between the web/app server and the database is strictly SQL.
This next-gen core IDS is not inline between the web/app server and the database. Instead it is passively attached, connecting through a tap or a SPAN port. The product today handles the two most dominant databases – Oracle and Microsoft SQL Server – and the vendor said it intends to add more databases over time.
The solution uses a multi-modal detector to scrutinize the SQL code going into the database. There are at least five dimensions to the way the code is analyzed, and some dimensions are more complex than others. For example, the IDS looks at the incoming statement and compares it to a series of models it has built up during a learning phase. The IDS asks, is it likely that this incoming statement is an external attack or just a variation of the legitimate application? Have I seen this code before? Does it match patterns that are typically involved in an attack?
The IDS uses numerous algorithms and techniques to discern if the code is likely to be an attack or not. Steve Hunt, president and COO of DB Networks, claims the IDS is highly accurate and produces very few false positives. “We look at statements from a syntax perspective and we try to understand the meaning of the statement,” says Hunt. “We have a parser that understands the meaning of SQL statements. We ask if new statements are consistent with the normal variations the application has expressed in the past from a syntactical viewpoint. If it is, then it is most likely a variation that has come from the application, but if it is varying in a different way, then it is less likely to have come from inside the application.”
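The two paragraphs above describe the general idea of behavioral SQL detection: parse each statement into its syntactic shape, learn the shapes a legitimate application emits, and flag statements whose shape or vocabulary differs. The following Python sketch is an added illustration of that idea and is not DB Networks' code or algorithm; the learning traffic, the five "dimensions" it checks (unseen shape, unseen tokens, literal-to-literal tautology, SQL comments, stacked statements) and the simple tokenizer are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of the statements a hypothetical web application emits
# during the learning phase (not real captured traffic).
LEARNING_TRAFFIC = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 7",
    "SELECT id, name FROM users WHERE email = 'alice@example.com'",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
    "UPDATE users SET last_login = '2014-01-01' WHERE id = 42",
]

# Minimal SQL tokenizer: string and numeric literals, comments, identifiers,
# two-character operators, and any other single character.
_TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'            |   # single-quoted string literal ('' escapes a quote)
    \d+(?:\.\d+)?             |   # numeric literal
    --[^\n]*                  |   # line comment
    /\*.*?\*/                 |   # block comment
    [A-Za-z_][A-Za-z0-9_.]*   |   # keyword or identifier
    <>|<=|>=|!=|\|\|          |   # two-character operators
    \S                            # any other single character
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    return _TOKEN_RE.findall(sql)

def template(sql):
    """Reduce a statement to its syntactic shape: literals become placeholders,
    comments are dropped, keywords and identifiers are upper-cased."""
    shape = []
    for tok in tokenize(sql):
        if tok.startswith("'"):
            shape.append("?s")            # string literal
        elif re.fullmatch(r"\d+(?:\.\d+)?", tok):
            shape.append("?n")            # numeric literal
        elif tok.startswith("--") or tok.startswith("/*"):
            continue                      # a comment carries no structure
        else:
            shape.append(tok.upper())
    return " ".join(shape)

class SqlBehaviorDetector:
    """Learns the statement shapes an application emits, then scores new
    statements along several independent dimensions."""

    def __init__(self):
        self.shapes = Counter()   # shape -> times seen during learning
        self.vocab = set()        # every keyword/identifier/placeholder seen

    def learn(self, sql):
        shape = template(sql)
        self.shapes[shape] += 1
        self.vocab.update(shape.split())

    def assess(self, sql):
        """Return a list of findings; an empty list means the statement is
        consistent with everything seen in the learning phase."""
        shape = template(sql)
        tokens = tokenize(sql)
        findings = []
        # 1. Have I seen this exact statement shape before?
        if shape not in self.shapes:
            findings.append("statement shape never seen during learning")
        # 2. Does it use keywords or identifiers the application never used?
        unseen = sorted(set(shape.split()) - self.vocab)
        if unseen:
            findings.append("unseen tokens: " + ", ".join(unseen))
        # 3. A literal compared with a literal of the same kind (1=1, 'a'='a')
        if re.search(r"\?([ns]) = \?\1", shape):
            findings.append("literal-to-literal comparison (tautology)")
        # 4. Comments are rare in generated SQL, common in injected input
        if any(t.startswith("--") or t.startswith("/*") for t in tokens):
            findings.append("SQL comment present")
        # 5. A second statement stacked after a semicolon
        if ";" in tokens[:-1]:
            findings.append("stacked statement after ';'")
        return findings

def build_detector():
    """Detector trained on the constructed learning traffic above."""
    detector = SqlBehaviorDetector()
    for statement in LEARNING_TRAFFIC:
        detector.learn(statement)
    return detector

if __name__ == "__main__":
    d = build_detector()
    for sql in ["SELECT id, name FROM users WHERE id = 99",
                "SELECT id, name FROM users WHERE id = 42 OR 1=1 --",
                "SELECT id, name FROM users WHERE email = '' OR '1'='1'"]:
        print(sql, "->", d.assess(sql) or "consistent with learned behavior")
```

The point of the template step is the one Hunt makes: a new literal value (`id = 99` instead of `id = 42`) yields the same shape as the learned statement and raises nothing, while a statement that varies in a different way (an extra `OR`, a literal compared with a literal, a trailing comment) differs on several dimensions at once, which is what keeps the false-positive rate low. A production detector would use a real SQL parser for the target dialect rather than this tokenizer.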
When the DB Networks IDS comes across a SQL statement that it considers malicious or even suspicious, the device sends the incident to the company’s regular security systems (such as a SIEM), Hunt said. The alert includes information about the suspicious statement, including the content and the context and how it was done.
“Because we don’t send out false alarms – they are very rare – it turns out that when we send out an alarm, they act on it very quickly,” said DB Networks CEO Brett Helm. “When it hits the SIEM and they know it came from our system, they know it’s real. Also customers don’t want us taking any action on our own—at least not right now. We could shut down the connection but if we did, that could potentially have bad effects upstream. So our customers have consistent policies on how they want attacks to be remediated. One company makes their database read-only until they get a handle on what is going on with the attack.”
Helm described some of the product features that his company considers to be unique. “We discover databases on the fly so you don’t have to do anything. We have installed our product before and the customer has said, ‘We have about 15 databases.’ All of a sudden 57 databases show up and it is a surprise to them. We find what we see on the wire. Hackers sometimes install and spin up a database in a virtual environment, so they can spin up a VM and a database in your network and you would never know it. Once an attacker is inside it is hard to detect him, and he can move from one database to another with impunity. But we can see all of this activity.”
Another key feature, Helm said, is the ability to identify flaws in the legitimate SQL statements that are generated by the application. Helm said this allows a developer to see exactly where he needs to fix the flawed code to improve the performance and behavior of the application.
While IDS has been much maligned for generating false positives and a management burden, deploying IDS internally may not bear the same onus since traffic between application servers and database servers is much more predictable.
Helm pointed out that the underlying frameworks upon which web applications are built can sometimes have vulnerabilities. For example, last May hackers were actively exploiting a critical vulnerability in the Ruby on Rails web application development framework in order to compromise web servers and create a botnet. The Adobe ColdFusion application server platform has had its vulnerabilities too. “If the underlying framework is vulnerable, the applications built on it are vulnerable as well,” said Helm. “Even so, companies can’t patch the vulnerability as soon as it’s discovered. They have to do QA testing before the patch can go live. In the meantime, we have the ability to monitor it and if someone gets close to the vulnerability, we can alert immediately and they can do something about it.”
In addition to DB Networks’ new core IDS, there are other solutions that help prevent SQL injection attacks. Among them are the Acunetix Web Vulnerability Scanner; the Barracuda Web Application Firewall; the Percona Toolkit for MySQL; Imperva’s series of products for web application security; and numerous other tools and products. Application Security Inc., recently acquired by Trustwave, uses a positive security approach to block known attacks on SQL databases, as does Israel-based GreenSQL.