Detect SQL Injection Attacks with Sax2
What is a SQL Injection Attack?
As more and more applications are built on the B/S (browser/server) model, more and more programmers write programs for it. Unfortunately, many programmers do not validate users' input data while coding, and so security risks are left in the application.
A malicious attacker submits a specially crafted section of database query code to the server; when the server responds with the corresponding result, it discloses sensitive information. This is a SQL injection attack. Mainstream firewalls currently do not raise an alarm when a SQL injection attack occurs, because the injection arrives through a normal entry point, is hidden and difficult to detect, and looks like a normal website visit.
The danger of SQL Injection Attacks
According to CVE statistics for 2006, more than 70% of attacks are based on web applications. SQL injection attacks increase year by year, reaching 1078 in 2006, and even these figures cover only vulnerabilities in widely used applications.

The dangers of SQL injection attacks include:
- Changing the data in the database without authorization.
- Gaining administrative authority over a site without authorization.
- Maliciously changing the content of a site without authorization.
- XSS attacks.
- Gaining control of the server without authorization.
- Adding, deleting and changing the accounts on the server without authorization.
The process of detecting and reverting SQL Injection Attacks with Sax2
Some IDS software performs effective detection of SQL injection attacks, whereas a firewall cannot. Now we go through the process of detecting and reverting a SQL injection attack with the IDS software Sax2.
The steps of a SQL injection attack are:
a) Determine the environment to find the injection point.
b) Determine the type of database.
c) Guess the datasheet (table).
d) Guess the field.
e) Guess the content.
The steps "Guess the datasheet", "Guess the field" and "Guess the content" are the most important parts of the whole process of a SQL injection attack. Let's analyze these three steps.
Sax2 detects and alarms on attacks in the network in real time. When a SQL injection attack occurs, it is shown in the Event table; see Figure 1.
Figure 1 Sax2 alarms on MS_SQL Injection Attacks in real time
The selected event in Figure 1 shows the attacker's IP, 192.168.21.103, and the victim's IP, 125.65.112.10. In the Original Communication view, the original message is "select * from [dirs]", which means the attacker is querying whether there is a datasheet named "dirs" in the current database.
The attacker repeats this operation until the expected datasheet is found. Once the corresponding datasheet is found in the database, he tries to guess the fields in that datasheet.
Figure 2 Sax2 analysis: the attacker is guessing the field in the admin database
The code in the red circle in Figure 2 shows the attacker guessing the "paths" field in the admin database. Again, the attacker repeats the operation until the corresponding field is found.
After finding the corresponding field, the attacker determines the length of the field and then guesses its content. Once the attacker has successfully guessed the content of the field, the SQL injection attack is complete. Sometimes the attacker also has to crack the content if it is stored as an MD5 hash.
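The three guessing steps produce a run of probes from one attacker against one victim, which is exactly what a signature-based IDS such as Sax2 alarms on. The Python detector below is an added example written for this article, not Sax2's own code or rule set: it URL-decodes the query string of constructed request lines, matches a small hypothetical rule set, and raises the severity when the same attacker repeats probes against the same victim. The addresses and the "select * from [dirs]" probe are taken from Figure 1; the other sample lines and the rule names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic in "src_ip dst_ip request-line" form (not Sax2 output).
# The addresses and the "select * from [dirs]" probe follow the article's Figure 1.
SAMPLE_LINES = [
    "192.168.21.103 125.65.112.10 GET /news.asp?id=1 HTTP/1.1",
    "192.168.21.103 125.65.112.10 GET /news.asp?id=1%20and%20exists(select%20*%20from%20[dirs]) HTTP/1.1",
    "192.168.21.103 125.65.112.10 GET /news.asp?id=1%20and%20(select%20top%201%20len(paths)%20from%20admin)>5 HTTP/1.1",
    "10.0.0.5 125.65.112.10 GET /news.asp?id=2 HTTP/1.1",
]

# Hypothetical signature set in the spirit of an IDS rule file; it is not Sax2's rule set.
SQLI_RULES = [
    ("select-from", re.compile(r"\bselect\b.*\bfrom\b")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("tautology", re.compile(r"'\s*(or|and)\s+['\d]")),
    ("stacked-statement", re.compile(r";\s*(drop|insert|update|delete|exec)\b")),
]

def normalize_query(request_line):
    """URL-decode the query string and canonicalise case/whitespace so that
    percent-encoding does not dodge the rules. Assumes METHOD target VERSION form."""
    target = request_line.split()[1]
    query = target.partition("?")[2]
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().lower()

def match_event(line):
    """Return an alarm record (attacker, victim, rule, original message) or None."""
    src, dst, request = line.split(" ", 2)
    message = normalize_query(request)
    for name, pattern in SQLI_RULES:
        if pattern.search(message):
            return {"attacker": src, "victim": dst, "rule": name, "message": message}
    return None

def detect(lines, guess_threshold=2):
    """Run the rules over all lines and grade severity: repeated hits from one
    attacker against one victim (table/field/content guessing) rate higher than a lone hit."""
    events = [e for e in map(match_event, lines) if e is not None]
    hits = {}
    for e in events:
        key = (e["attacker"], e["victim"])
        hits[key] = hits.get(key, 0) + 1
    for e in events:
        e["severity"] = "high" if hits[(e["attacker"], e["victim"])] >= guess_threshold else "medium"
    return events

if __name__ == "__main__":
    for event in detect(SAMPLE_LINES):
        print(event)
```

Running the block prints two alarms for 192.168.21.103 against 125.65.112.10, both rated high because the attacker repeated the probe, while the benign requests produce nothing.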
That is the whole process of a SQL injection attack, and we have detected it with Sax2. As shown, Sax2 can effectively detect and alarm on a SQL injection attack when it occurs. The IDS software Sax2 is a useful tool against SQL injection attacks and, combined with firewall software, strengthens your network security.