Recently, US banks were warned about automated attacks coming from Havij, a SQL injection attack tool. While we've blogged on stopping SQL injection in the past, it is a topic always worth revisiting.
First, let's make clear what WON'T help. Earlier this month, Kevin Mitnick gave a talk at the US Naval Academy. The first lesson?
All the firewalls and intrusion detection systems in the world won’t be a guarantee that networks won’t be breached. There’s no such thing as an impenetrable system, and no such thing as bugless software. Kevin’s demonstration of exploiting vulnerabilities in widely used commercial software proves this. Moreover, this isn’t just software being used in the private sector. Many of the exploits he demonstrated take advantage of software that’s become an integral part of the way the military handles its information.
Havij exploits vulnerabilities in the web application itself, and its traffic is ordinary HTTP, so it is invisible to network firewalls and IPS. What it automates is SQL injection, including blind SQL injection, where the tool infers database contents from the application's true/false or timing responses rather than from an error message. If you protect against SQL injection, you are protected against Havij. Here's how:
- Negative security model: block requests that match signatures of known SQL injection manifestations (a blacklist). This stops the attack forms the signatures know about, but it can be evaded by encodings and variants the signatures miss.
- Positive security model: define or learn the normal usage profile of the application (which parameters each URL takes, their types and lengths) and reject anything outside it. Every injection, known or unknown, violates that profile, because a numeric id never legitimately contains SQL keywords or quotes.
- Identifying automated interactions: Havij is not a human and behaves like a robot. The crudest tell is its default User-Agent string, which an attacker can change; subtler tells include the constant values Havij embeds in its SQL payloads and the rate and regularity of its requests.
- Clean code: fix the vulnerability in the application itself by using parameterized queries (prepared statements) instead of building SQL strings from user input, so there is nothing for Havij to exploit.
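To make the last two points concrete, here is an added example (not code from the original post or from Havij) of the kind of blind SQL injection Havij automates, run against a vulnerable lookup and against the same lookup written with a parameterized query. The `products` and `users` tables, the `admin` row and its `pwd_hash` value are constructed test data; `blind_extract` plays the role of the attack tool, asking one true/false question per character.

```python
import sqlite3

# Constructed in-memory schema and data standing in for a real application database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwd_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'sha256:ab12')")
    return conn

# Vulnerable: the request parameter is concatenated straight into the SQL text.
# The page only says whether a product was found, which is all a blind attack needs.
def product_exists_vulnerable(conn, product_id):
    sql = "SELECT name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchone() is not None

# Clean code: validate the type, then bind the value as a parameter. The SQL text is
# fixed at write time, so user input can never change the query's structure.
def product_exists_safe(conn, product_id):
    try:
        pid = int(product_id)
    except ValueError:
        return False  # not a valid id; treat as "not found"
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row is not None

# Boolean-based blind extraction, as an automated tool would do it: for each position,
# try every candidate character and keep the one for which the page says "found".
def blind_extract(conn, lookup, max_len=32):
    charset = "abcdefghijklmnopqrstuvwxyz0123456789:"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            payload = ("1 AND substr((SELECT pwd_hash FROM users WHERE username='admin'),"
                       f"{pos},1)='{c}'")
            if lookup(conn, payload):
                recovered += c
                break
        else:
            break  # no character matched: end of the secret (or the attack is not working)
    return recovered

if __name__ == "__main__":
    print("vulnerable:", repr(blind_extract(make_db(), product_exists_vulnerable)))
    print("safe:      ", repr(blind_extract(make_db(), product_exists_safe)))
```

Against the vulnerable function the loop recovers the whole hash one character at a time, with no error message ever shown to the attacker; against the parameterized function every payload fails the `int()` check and nothing is recovered. Note that the parameter binding alone would already defeat the injection, since the payload would be compared as a literal string against an integer column; the type check is there so the application also rejects the request cleanly.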
From a technology standpoint, only three types of products will help defeat Havij:
- Vulnerability scanners
- Code scanners
- Web application firewalls
Often we see companies using vulnerability scanners and, to a much lesser extent, code scanners. These technologies are very important, but they only find issues. A vulnerability scanner tells you that you have a problem, but you still have to work out where in the code it is. A code scanner gives you a specific line to remediate, but fixing, testing and deploying that change takes time. If you are under an imminent Havij attack, neither product reduces the immediate risk.
OWASP has argued in the past that technologies focused on finding vulnerabilities are useful but have one major problem: they don't block attacks. This is why they recommend a web application firewall. (Full disclosure: we are a WAF vendor.) A WAF does provide a shield against immediate attack and, at least in our case, can recognize Havij and stop it. Havij does ship with some WAF evasion functionality, but it only works against WebKnight and ModSecurity.
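The three request-side checks listed earlier (negative model, positive model, automation indicators) can be shown together in one small filter. The following is an added example, not the product's or the post's own code: the blacklist patterns, the per-URL parameter profile, the `Havij` User-Agent substring and the constant values `0x31303235343830303536` and `999999.9` are assumptions for illustration (the constants are ones commonly quoted in public Havij signatures, not taken from this post), and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Negative model: signatures of known SQL injection manifestations. Incomplete by design;
# anything not listed here gets through this check.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"\b(and|or)\b\s*\(?\s*\d+\s*=\s*\d+", re.I),
    "quote_logic": re.compile(r"'\s*(and|or)\b", re.I),
    "comment_tail": re.compile(r"(--|/\*)"),
    "time_delay": re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\b", re.I),
}

# Positive model: what each URL legitimately accepts (assumed profile). Anything that is not
# in the profile, including an unknown parameter, is a violation regardless of its content.
PROFILE = {
    "/product.php": {"id": re.compile(r"^\d{1,9}$")},
    "/search.php": {"q": re.compile(r"^[\w .-]{1,64}$")},
}

# Automation indicators (assumed): a tool name in the User-Agent, and fixed marker values
# that the tool embeds in its payloads.
AUTOMATION_UA = re.compile(r"havij", re.I)
TOOL_CONSTANTS = ("0x31303235343830303536", "999999.9")

def analyze(req):
    """Return the findings of all three checks for one request."""
    findings = {"negative": [], "positive": [], "automation": []}
    params = {k: unquote_plus(v) for k, v in req["params"].items()}

    for name, value in params.items():
        for label, rx in SQLI_PATTERNS.items():
            if rx.search(value):
                findings["negative"].append(f"{name}:{label}")

    profile = PROFILE.get(req["path"])
    if profile is None:
        findings["positive"].append("unknown_path")
    else:
        for name, value in params.items():
            rx = profile.get(name)
            if rx is None:
                findings["positive"].append(f"{name}:unexpected_param")
            elif not rx.fullmatch(value):
                findings["positive"].append(f"{name}:value_out_of_profile")

    if AUTOMATION_UA.search(req["headers"].get("User-Agent", "")):
        findings["automation"].append("user_agent")
    for value in params.values():
        for const in TOOL_CONSTANTS:
            if const in value:
                findings["automation"].append(f"constant:{const}")
    return findings

def should_block(findings):
    return any(findings.values())

# Constructed sample requests: one legitimate, one boolean-based probe, one union-based
# payload with tool markers, and one legitimate-looking request with an unknown parameter.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/10.0"
SAMPLE_REQUESTS = [
    {"path": "/product.php", "params": {"id": "42"}, "headers": {"User-Agent": BROWSER_UA}},
    {"path": "/product.php", "params": {"id": "42+AND+1=1"}, "headers": {"User-Agent": BROWSER_UA}},
    {"path": "/product.php",
     "params": {"id": "-1+UNION+ALL+SELECT+0x31303235343830303536,999999.9--"},
     "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Havij"}},
    {"path": "/search.php", "params": {"q": "widget", "debug": "1"}, "headers": {"User-Agent": BROWSER_UA}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        f = analyze(req)
        print("BLOCK" if should_block(f) else "ALLOW", req["path"], req["params"], f)
```

The second request shows why the positive model matters: its payload contains no quote, no comment and no `UNION`, so only one blacklist pattern happens to fire, whereas the profile rejects it outright because an `id` is not a number. The fourth request shows the cost of that strictness: an unexpected `debug` parameter is blocked even though it carries no attack, so a positive model has to be learned or maintained against real traffic before it is put in blocking mode.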