Network Box monitoring increased activity on botnet SQL injection

19/6/08

Over the past few days, Network Box has been monitoring an increase in highly targeted SQL injection attack activity against websites. Currently, this only appears to affect certain versions of the Microsoft IIS web server, coupled with Active Server Pages (ASP) scripting and Microsoft SQL Server. The attacker attempts to modify records in the websites' SQL databases.

Wikipedia defines SQL injection as: "a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another."

These forms of attack are extremely hard to stop at the gateway: because the attacks are application dependent, generic IDP/IDS rules can provide only limited defence. Network Box has a number of IDP rules in place; however, these only guard against known, specific attacks, which may be too late to defend against 0-day targeted attacks on web servers. Application-level security, by way of strict input validation, is ultimately the only way to thwart these types of attack at the server level.
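As an added illustration (not Network Box's code, and not the ASP application the advisory refers to), here is the record-modifying pattern the advisory describes beside the strictly validated, parameterised form it recommends. Python's sqlite3 stands in for SQL Server, and the table and inputs are constructed for the demo.

```python
import sqlite3

# Constructed demo: a tiny in-memory table standing in for a site's
# content database (sqlite3 stands in for SQL Server here).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "home"), (2, "about"), (3, "contact")])
    conn.commit()
    return conn

def update_page_vulnerable(conn, page_id: str, body: str) -> int:
    # The pattern the advisory warns about: request parameters pasted
    # straight into the statement text. `page_id` is never typed, so a
    # value such as "2 OR 1=1" rewrites the WHERE clause and every row
    # is modified instead of one. Returns the number of rows changed.
    sql = "UPDATE pages SET body = '" + body + "' WHERE id = " + page_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def update_page_hardened(conn, page_id: str, body: str) -> int:
    # Strict input validation: the id must be a positive integer and
    # the body is capped to the size the column is meant to hold.
    if not page_id.isdigit():
        raise ValueError("page_id must be a positive integer")
    if len(body) > 200:
        raise ValueError("body too long")
    # Parameterised statement: values travel separately from the SQL
    # text, so they can never alter the statement's structure.
    cur = conn.execute("UPDATE pages SET body = ? WHERE id = ?",
                       (body, int(page_id)))
    conn.commit()
    return cur.rowcount
```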

In response to this heightened activity, Network Box Security Response has developed two new IDP modules (named HTTP-S-SQLINJECT and HTTP-S-SQLINJWORM) to further improve our detection and protection abilities for generic (HTTP-S-SQLINJECT) and specific known (HTTP-S-SQLINJWORM) SQL Injection threats. Previously, our protection was under the general-purpose HTTP-S-WEBATTACK module. This new protection has today been released, and is available for all our customers running the current NBRS-3.0 firmware. Customers may now see a reduction in blocks named HTTP-S-WEBATTACK, as these types of attacks will now be specifically detected and blocked as HTTP-S-SQLINJECT and/or HTTP-S-SQLINJWORM.

Network Box Security Response continues to closely monitor the situation, and will further refine and improve our protection signatures and heuristics, as we see the attacks change.

However, we do recommend that customers operating public web servers (in particular those accessible from the Internet) review the scripts and applications on those servers and ensure they are up to date and patched, so as not to be vulnerable to this class of attack.
