Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
The weakness in the system can be a bug, a glitch, or a design vulnerability.
These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.
Depending on the flaw being exploited, this may include Exploitation for Defense Evasion. If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance.
This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.
Signs of SQL Injection Activity
- An internal host sends requests to a Web server and embeds SQL fragments into HTTP Post data or the URL to gain access to the backend database; the requests appear machine generated due to the large volume and rate of arrival
- The threat score is driven by the volume of HTTP requests containing SQL fragments and the size of the returned data
- The certainty score is driven by the number of requests sent and their classification as SQL fragments
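The three signs above describe a volume- and content-driven detection. The following is an added example, not part of the original page or any vendor's detection model: it scans constructed web-access-style log lines (the IPs, paths, timestamps and response sizes are made up), decodes the URL and POST body, flags requests that carry SQL fragments, and rolls them up per source host into a request rate, a certainty score driven by how many requests were classified as SQL fragments, and a threat score driven by that volume plus the amount of data the server returned. The scoring weights are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample traffic (not from any real capture). Layout per line:
#   timestamp src_ip method path status bytes_returned [url-encoded POST body]
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET /products?id=42 200 1834
2024-01-01T10:00:01 10.0.0.9 GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- 200 48213
2024-01-01T10:00:01 10.0.0.9 GET /products?id=1%27%20OR%20%271%27%3D%271 200 51000
2024-01-01T10:00:02 10.0.0.9 POST /login 200 47900 user=admin%27--&pass=x
2024-01-01T10:00:02 10.0.0.9 GET /products?id=1;DROP%20TABLE%20users 500 120
2024-01-01T10:00:03 10.0.0.5 GET /search?q=select+a+gift 200 2100
2024-01-01T10:00:04 10.0.0.9 GET /products?id=1%20AND%20SLEEP(5) 200 47800
"""

# Named SQL-fragment patterns. They are deliberately specific ("union select",
# "select ... from", quote followed by comment) so that ordinary words such as
# "select a gift" typed into a search box are not flagged.
SQL_FRAGMENT_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "select_from": re.compile(r"\bselect\b.+\bfrom\b", re.I),
    "tautology": re.compile(r"'\s*(?:or|and)\s*'?\d*'?\s*=", re.I),
    "quote_comment": re.compile(r"'\s*--"),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update)\b", re.I),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
}


def classify_request(path: str, body: str = "") -> list:
    """Return the names of SQL-fragment patterns found in the decoded URL and POST body."""
    decoded = unquote_plus(path) + " " + unquote_plus(body)
    return [name for name, rx in SQL_FRAGMENT_PATTERNS.items() if rx.search(decoded)]


def summarize(log_text: str) -> dict:
    """Group flagged requests per source host and derive threat/certainty scores.

    Scoring weights are constructed for this example: certainty grows with the
    number of requests classified as SQL fragments (five saturate it), threat with
    that volume plus the data volume the server returned for those requests.
    """
    per_host = defaultdict(lambda: {"sql_requests": 0, "bytes_returned": 0,
                                    "fragments": [], "first": None, "last": None})
    for line in log_text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) < 6:
            continue  # malformed line: skip rather than guess
        ts, src, _method, path, _status, size = fields[:6]
        body = fields[6] if len(fields) == 7 else ""
        hits = classify_request(path, body)
        if not hits:
            continue
        when = datetime.fromisoformat(ts)
        rec = per_host[src]
        rec["sql_requests"] += 1
        rec["bytes_returned"] += int(size)
        rec["fragments"].extend(hits)
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)

    summary = {}
    for src, rec in per_host.items():
        # A burst of requests within a second or two reads as machine generated;
        # clamp the span to one second so a single-second burst has a finite rate.
        span = max((rec["last"] - rec["first"]).total_seconds(), 1.0)
        n = rec["sql_requests"]
        summary[src] = {
            "sql_requests": n,
            "bytes_returned": rec["bytes_returned"],
            "requests_per_second": round(n / span, 2),
            "fragments": sorted(set(rec["fragments"])),
            "certainty": min(100, 20 * n),
            "threat": min(100, 10 * n + rec["bytes_returned"] // 10_000),
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

Only 10.0.0.9 appears in the summary: five of its requests match a fragment pattern within a three-second window and pull back roughly 195 KB, which is exactly the combination of request volume, arrival rate and returned-data size the signs above describe. The benign search for "select a gift" from 10.0.0.5 is not flagged because the patterns require SQL structure, not just SQL keywords; tightening or loosening those patterns is the main lever for trading false positives against coverage.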
Why Attackers Use SQL Injection
- An infected system that is part of a targeted attack is looking for vulnerabilities in an internal Web app through which to access the database integrated into it, or is harvesting information for later exfiltration
- An IT-operated vulnerability scanner is scanning for Web app vulnerabilities
- A software application on the host uses the unsafe practice of passing SQL statements in HTTP Post data or in a URL
Business Impact of an SQL Injection
- Probing and potentially exploiting an internal Web application’s vulnerabilities can be a prelude to a targeted attack that gains access to data and then exfiltrates it
- Application software that passes SQL statements in HTTP Post data or as part of a URL may be vulnerable to attackers, because they can send very different input than the application writer expects
How to Investigate SQL Injections
- Verify whether the systems identified as the source of SQL injection attacks should be communicating directly with SQL servers; download the PCAP to see the entire HTTP Post data or the URL and determine whether it is behaving as expected
- If this pattern is coming from neither an IT-run vulnerability scanner nor from software that by design sends SQL statements in requests, check for presence of malware on the host