TORONTO — The frequency and scope of SQL injection attacks have exploded in the last year or two, with thousands of legitimate Web sites having been compromised and used to serve malware or further Web exploits. That’s the bad news. The good news is that there are some remarkably effective techniques that security professionals can use to identify and recover from these attacks.
The best tool security staff have at their disposal in these cases is a forensic analysis of the database, Kevvie Fowler, director of managed security services at TELUS, said during a talk at the SecTor 2009 conference here Tuesday. SQL injection vulnerabilities are quite well understood, Fowler said, but the specific techniques that attackers use and the tracks they leave behind haven’t been examined as closely.
“Nothing can detect and prevent all SQL injection attacks,” said Fowler. “But the attacks leave specific fingerprints in the database cache. Reading the registry, reading the system files, creating tables, all of this leaves traces.”
The interesting part is that the attackers don’t seem to care. Fowler, who does a lot of forensics work on database servers, said that very few attackers have any interest in trying to cover their tracks on the database server itself. They’re far more worried about getting their malware on the Web site and then onto users’ machines. Many of the sites that are compromised in the mass SQL injection campaigns are only used by attackers for a short period of time.
If someone comes along days or weeks after the attack takes place and discovers their techniques and what they loaded onto the server, so be it. There are plenty of other vulnerable sites to go after.
As a result, Fowler said that the cache on a compromised database server can be a treasure trove of valuable data for security professionals trying to understand what happened.
“A lot of the techniques attackers use are lost once they hit the database server,” he said. “All of these things that are normal fare for SQL injection force the database server to cache the activity.”
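The cache-based approach Fowler describes can be illustrated with a few queries. The following is an added example written for this page, not code from the talk and not Fowler's Hypnosis tool. It assumes the database is Microsoft SQL Server (2005 or later), where the plan cache is exposed through dynamic management views, and that the investigator holds VIEW SERVER STATE. The indicator list and the hex literals are constructed for the example; they are not a published signature set for Pangolin or any specific campaign.

```sql
-- Added example (not from the article, not Fowler's Hypnosis): snapshot a SQL Server
-- plan cache and hunt it for the fingerprints of a SQL injection attack.
-- Assumptions: Microsoft SQL Server 2005+, VIEW SERVER STATE permission.

-- Step 1: snapshot first. The cache is volatile (service restart, memory pressure and
-- DBCC FREEPROCCACHE all empty it), and every query the investigator runs adds
-- entries of its own, so capture before hunting and copy the result off-host.
SELECT
    cp.plan_handle,
    cp.cacheobjtype,
    cp.objtype,                      -- 'Adhoc' and 'Prepared' are where injected batches land
    cp.usecounts,
    stats.first_seen,
    stats.last_seen,
    st.text AS cached_sql
INTO #plan_cache                     -- tempdb only; avoids creating tables in the evidence DB
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
OUTER APPLY (
    SELECT MIN(qs.creation_time)       AS first_seen,
           MAX(qs.last_execution_time) AS last_seen
    FROM sys.dm_exec_query_stats AS qs
    WHERE qs.plan_handle = cp.plan_handle
) AS stats
WHERE st.text NOT LIKE '%#plan_cache%';   -- exclude this collection query itself

-- Step 2: indicator patterns. The techniques are the ones the talk lists (registry reads,
-- file and system access, table creation) plus common SQL Server primitives attackers
-- reach for. The list is this example's own, not a signature set for any toolkit.
-- '[_]' matches a literal underscore, which LIKE would otherwise treat as a wildcard.
DECLARE @ioc TABLE (pattern NVARCHAR(100), technique NVARCHAR(60));
INSERT INTO @ioc (pattern, technique) VALUES
    (N'%xp[_]regread%',          N'registry read'),
    (N'%xp[_]regwrite%',         N'registry write'),
    (N'%xp[_]cmdshell%',         N'OS command execution'),
    (N'%sp[_]OACreate%',         N'OLE automation (file/system access)'),
    (N'%OPENROWSET%',            N'file or remote data read'),
    (N'%BULK INSERT%',           N'file read'),
    (N'%sp[_]configure%',        N'enabling disabled features'),
    (N'%CREATE TABLE%',          N'staging table creation'),
    (N'%syscolumns%',            N'schema enumeration (mass UPDATE campaigns)'),
    (N'%INFORMATION[_]SCHEMA%',  N'schema enumeration'),
    (N'%WAITFOR DELAY%',         N'time-based blind probing'),
    (N'%CAST(0x%',               N'hex-encoded payload'),
    (N'%<script%',               N'script tag injected via UPDATE');

-- Step 3: match. A hex-encoded payload typically appears twice: the outer batch holding
-- the CAST(0x...) blob and, because EXEC of dynamic SQL compiles its own plan, the
-- decoded inner statement as a separate Adhoc entry.
SELECT
    p.first_seen,
    p.last_seen,
    p.usecounts,
    p.objtype,
    i.technique,
    LEFT(p.cached_sql, 300) AS sql_excerpt
FROM #plan_cache AS p
JOIN @ioc AS i ON p.cached_sql LIKE i.pattern
ORDER BY p.first_seen, p.plan_handle;

-- Step 4: decode a hex blob lifted from a hit. Both literals below are constructed for
-- this example and are the string SELECT 1 encoded as bytes: the first as single-byte
-- characters (cast to VARCHAR), the second as UTF-16LE (cast to NVARCHAR), which is what
-- a payload written as CAST(0x... AS NVARCHAR(4000)) contains.
SELECT CAST(0x53454C4543542031 AS VARCHAR(100))                  AS decoded_varchar;
SELECT CAST(0x530045004C0045004300540020003100 AS NVARCHAR(100)) AS decoded_nvarchar;
```

Run the snapshot from a dedicated investigator login before any other activity on the server, and treat the cache as a partial record: plans evicted under memory pressure or lost to a restart are gone, so corroborate hits against the SQL Server error log, the default trace and web server logs for the same window.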
Fowler has also written a new tool called Hypnosis, which could be used to detect an attack by the Pangolin SQL injection toolkit. Hypnosis is a command-line tool designed to let users reach into the database server’s cache and see whether an attack has occurred and what happened.
Fowler plans to release Hypnosis on Applicationforensics.com within a few weeks.