The Simplest Way to Detect the SQL Injection Attack (SQLi)

SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target – the database typically contains the interesting and valuable data for the web application.

A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. Using <<injection flaws>>, they can strike not only SQL, but operating systems and LDAP can fall prey to SQLi. They involve sending entrusted data to the interpreter as a part of the query. The attack tricks the interpreter into executing commands or accessing data. Attackers use this exploit to modify entries in your database, execute commands on the database (delete databases, change permission and so on) and read and infiltrate data from your databases.

Remediating SQLi attacks involves fixing coding defects that allow user-supplied input that can contain malicious SQL from modifying the logic of the query.

The first step in dealing with SQLi exploits is detecting and investigating them.  When being under attack, the following questions are critical:

• When was I attacked?

---

• Where was I attacked?

---

• How widespread was the attack?

---

• Were any files or tables overwritten?

---

• Who is attacking me, and are others being attacked as well?

---

AlienVault USM to Detect SQL Injection Attacks

AlienVault USM can help you detect these attacks and answer the questions above with several integrated security technologies including host-based IDS, network IDS and real-time threat intelligence. you can check the official AlienVault website from here:  << http://www.alienvault.com/products?utm_medium=Advertising&utm_source=THN&utm_content=SE >>

The Network Intrusion Detection (NIDS) built-in to AlienVault USM gives you the ability to monitor all connection requests coming to your web server, plus it includes built-in correlation directives to spot activity indicative of a SQLi. Since the threat landscape is always changing, the Network IDS signatures are updated weekly based on threat research

In addition, AlienVault USM uses real-time threat intelligence from the AlienVault Open Threat Exchange (OTX) to spot connections with known bad actors. These are known malicious hosts or attackers whose IPs have shown up in OTX because they attacked other OTX contributors, have been identified by other threat sharing services we use, or have been identified via independent research conducted by our AlienVault Labs team.

USM also includes a Host-based Intrusion Detection System (HIDS) so you can monitor activity locally on a server. In this case, the HIDS agent would be installed on the web server itself, parsing the logs on your Apache or IIS server. Again, the built-in correlation rules in AlienVault USM make it possible to detect activity consistent with SQLi attacks and alert you immediately.  The AlienVault HIDS also monitors changes to files so you have visibility into which files and tables in your database were affected by the attack.

Keywords:

SQLi, Attack, IDS, Web applications, AlienVault, Malicious, Coding