Passively Detecting SQL Injection
SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother's maiden name and more.
The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:
| pregex=^(GET|POST) /.* HTTP/1\. |
Next, it looks for a response that is not formatted as HTML:
match=!<html>
match=!<HTML>
At first glance you might be inclined to think this would lead to false positives. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:
When I went to the above URL manually, I was presented with an error page:
It appears that the error page was not rendering correctly (an error on the error page, how ‘bout that?). Viewing the source of the page revealed information about the problem:
The result of "View source" above contains valuable information that can be used in SQL injection attacks. This includes a table name and a column name visible in the SELECT statement. In addition, the page reveals the file system path in use on the web server. Finally, the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.
Conclusion
The parameter should be more thoroughly tested to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application to not display this error message to the end user. Passive monitoring is an excellent method to monitor your web applications without any impact to the environment. Activity from normal users, potential hackers and even web spiders can all provide input that may result in displaying an unexpected SQL error.
Related Articles
Four Questions to Minimize the Cyber Risk of Your Public-facing Assets and Web Apps
November 17, 2021Ask the following four questions to help reduce cyber risk in your public-facing assets and web apps.
Cybersecurity Pros Face Significant Challenges with OT Security: Ponemon Report
April 5, 201962% of organizations in industries relying on operational technology experienced two or more business-impacting cyberattacks in the past 24 months, according to a report from Ponemon Institute an...
Recap: Geeking Out II with Marcus
April 15, 2013Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there...
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Passive Network Monitoring