akamais [state of the internet] / security

Q1 2015 State of the Internet Security Report Cruel (SQL) Intentions

Selected excerpts

SQL injection (SQLi) is an attack method employed by malicious actors to exploit web
applications. When an attacker locates vulnerability in an application, they are able to
change the logic of the SQL statements executed against the database.

Although SQLi has been employed since the late 90s, it continues to top industry lists of
web application security flaws and risks. Akamais Threat Research team developed a
technique to categorize SQLi attacks through individual attack payload analysis and
determination of intent behind each one. Over a seven-day study period, the team collected
data from Akamais Kona Site Defender web application firewall, analyzing more than 8
million SQLi attacks targeting more than 2,000 customer web applications.
While original SQLi methods are still in use, new techniques have evolved. Moreover,
automated injection tools make it easy to complete complex steps in the process.

Through careful analysis, the team identified the goals of SQLi attacks. The first goal was
SQLi probing and injection testing. This enables the attacker to assess the web application
for vulnerability to SQLi. Part of this process includes locating all entry points and sending
string sequences to sense whether the application is vulnerable.
If an application is vulnerable to SQLi, the malicious actors next step is to learn the type
and structure of the database and associated information. Once the attacker has a clear
understanding of the type and structure of the database and its tables, remote data
retrieval can proceed via techniques such as data extraction or blind SQLi.

Other attack types include login mechanism bypass and privilege escalation, business logic
subversion, credential theft, and data corruption. Additionally, SQLi attacks can be used to
generate Denial of Service (DoS) attacks that can overload and shut a database. SQLi attack
types designed to deface websites might insert adversarial content that appears to users as
legitimate web content.
The Threat Research teams analysis revealed that more than 96 percent of the ttacks were
over clear HTTP vs. HTTPS (encrypted). Of the 11 SQLi attack types analyzed, three attack
vectors were responsible for more than 98 percent of the detected attack attempts.

The most common attack type observed in the study period was SQLi probing and injection
testing. These probing attempts produce a large volume of traffic, and accounted for nearly
60 percent of HTTP transactions during the study period.

akamais [state of the internet] / security

Credential theft was the second-most frequently observed attack type, representing more
than 23 percent of the total attacks. Although this category is a subset of content retrieval,
it is unique and large enough to merit its own focus.

Most targeted SQLi attacks require the malicious actor to probe the database environment
and extract pertinent information. Not unexpectedly, more than 1 million of the malicious
transactions (15.5 percent of the total) attempted to carry out such actions, making this
attack type the third most common type observed.

Malicious actors utilize a variety of SQLi attack techniques to carry out many different
tasks. Well beyond simple data exfiltration, these malicious queries have the potential to
cause far more damage than a data breach. When generating threat models for your web
applications, do not assume that data theft is the only target and risk of SQLi attacks. These
attacks can imperil your business by elevating privileges, stealing, infecting or corrupting
data, denying service, and more.
Get the full Q1 2015 State of the Internet Security Report with all the details

Each quarter Akamai produces a quarterly Internet security report. Download the Q1 2015
State of the Internet Security Report for:

Analysis of DDoS and web application attack trends

Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Attack frequency, size, types and sources
Security implications of the transition to IPV6
Mitigating the risk of website defacement and domain hijacking
DDoS techniques that maximize bandwidth, including booter/stresser sites
Analysis of SQLI attacks as a persistent and emerging threat

The more you know about web security, the better you can protect your network against
cybercrime. Download the free the Q1 2015 State of the Internet Security Report
at http://www.stateoftheinternet.com/security-reports today.
About stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and
information intended to provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including Internet connection speeds,
broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors
to stateoftheinternet.com can find current and archived versions of Akamais State of the
Internet (Connectivity and Security) reports, the companys data visualizations, and other
resources designed to help put context around the ever-changing Internet landscape.