[Q1 2015] Cruel (SQL) Intentions

akamai.com

= SQLi attacks: case study

Technique used to exploit web applications

Attackers change the logic of SQL statements
executed against a database
Although not new, SQL injection (SQLi) attacks
continue to pose cloud security risks

Attackers may use the original or more evolved SQLi exploitation

methods

Automated injection tools streamline and simplify the

process

2 / [The State of the Internet] / Security (Q1 2015)

= SQLi attack categorization

Akamais Threat Research team developed a

technique to categorize SQLi attacks
This technique involved analyzing individual attack
payloads and determining intent behind each one
The data included more than 8 million SQLi
attacks targeting more than 2,000 unique web
applications over a period of seven days

3 / [The State of the Internet] / Security (Q1 2015)

= SQLi attack types

Malicious actors typically assess a web application for

vulnerability to SQLi
The database structure is probed so that the attacker
can retrieve contents remotely
The login mechanism is bypassed, allowing the
attacker to escalate privileges

A common and classic payload would be to send the payload OR 1=1

as the user name, then attempting to escalate privileges by logging in
with user name admin or 1=1--.

4 / [The State of the Internet] / Security (Q1 2015)

= SQLi attack types (continued)

Other SQLi attack types can include

Credential theft
Data and file exfiltration
Denial of Service (DoS)
Data corruption
Malicious file upload
Website defacement and malicious content injection
Remote command execution

5 / [The State of the Internet] / Security (Q1 2015)

= SQLi probing and testing

The most common SQLi attack over the seven-day study

period was SQLi probing and injection testing.
As a first step, malicious actors will assess all entry
points of a web application in search for a vulnerability
The attacker will send a wide range of characters with
syntactic meaning in SQL as well as blind-injection
related Boolean sequences or timed queries
These queries naturally results in large volumes of
traffic

Nearly 60 percent of HTTP transactions are attributable to these

probing attempts

7 / [The State of the Internet] / Security (Q1 2015)

= summary

Malicious actors use a variety of SQLi techniques to

perform different tasks

These attacks can extend well beyond simple data

exfiltration, and have the potential to cause more damage
than a data breach

It is not safe to assume that SQLi attacks lead only to data

theft

Privilege escalation, command execution, data infection or

corruption, and denial of service are among the many
ways these attacks can harm your business

8 / [The State of the Internet] / Security (Q1 2015)

= Q1 2015 State of the Internet Security Report

Download the Q1 2015 State of the Internet Security Report
The Q1 2015 report covers:

Analysis of DDoS and web application attack trends

Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Attack frequency, size, types and sources
Security implications of the transition to IPv6
Mitigating the risk of website defacement and domain hijacking
DDoS techniques that maximize bandwidth, including booter/stresser
sites
Analysis of SQL injection attacks as a persistent and emerging threat

9 / [The State of the Internet] / Security (Q1 2015)

= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai,

serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and

archived versions of Akamais State of the Internet
(Connectivity and Security) reports, the companys data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.

10 / [The State of the Internet] / Security (Q1 2015)