May 15, 2008

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) warns web site administrators to be alert to SQL injection, given the recent rise in SQL injection attacks, and recommends checking the web server access log and the web site for vulnerabilities.

In recent years SQL injection attacks against web sites have increased drastically. In particular, since about March 2008, JPCERT Coordination Center (JPCERT/CC)(*1) and security vendors in Japan and abroad have announced one after another that hundreds of thousands of web sites have been defaced or embedded with malicious code by SQL injection attacks. On May 5, the SANS Institute(*2) issued a security advisory for an SQL injection worm. About one third of the web site (web application) vulnerabilities reported to IPA concern SQL injection(*3).

SQL (Structured Query Language) is a computer language used by web applications to construct queries that interact with databases. Many web applications build an SQL statement from user input. If the statement is composed insecurely, a maliciously crafted SQL fragment can be injected into the query sent to the database. The SQL injection attack is the attack technique that exploits this flaw. When exploited, an attacker could manipulate the database and leak or falsify data(*4).

If a web site uses a database, its operator should check the web server access log regularly to make sure that no SQL injection attack has occurred. If one has, check and confirm that the database does not contain unrecognized links. The operator also needs to check the web site for vulnerabilities and implement appropriate countermeasures.

IPA provides information on countermeasures against the SQL injection attack in the guideline “How to Secure Your Web Site”. IPA also released “iLogScanner”, a simple SQL injection vulnerability checking tool, on April 18(*5). This tool examines the web server access log and identifies the character strings often used in SQL injection attacks, in order to analyze how many attacks are attempted daily against a given web site and whether the attacks have compromised the web site through its vulnerabilities.
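As an added illustration of the log-scanning approach described above (my own example, not IPA's iLogScanner code and not its actual signature list), the following Python scans constructed Apache-style access-log lines for a few widely known SQL injection fragments and counts suspected attempts per day. The HTTP status of each suspicious request is kept because, as a heuristic, a 200 or 500 returned for such a request is worth a follow-up check of the application and database.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Apr/2008:10:15:01 +0900] "GET /item.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [02/Apr/2008:10:16:44 +0900] "GET /item.php?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [03/Apr/2008:03:02:10 +0900] "GET /item.php?id=12%20UNION%20SELECT%20null,null HTTP/1.1" 500 320 "-" "curl/7.18"
192.0.2.13 - - [03/Apr/2008:03:04:55 +0900] "GET /list.php?page=2 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Pulls out the client IP, the calendar day, the request path and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# A small, illustrative set of fragments that routinely show up in SQL injection
# attempts; matching is done on the URL-decoded query string, not the raw line.
SIGNATURES = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),          # UNION-based probing
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),          # tautology after a quote
    re.compile(r";\s*(drop|insert|update|delete|declare)\b", re.I),  # stacked statement
    re.compile(r"--\s*$|/\*.*\*/"),                       # SQL comment terminators
]


def scan(log_text):
    """Return (suspected attempts per day, list of suspicious records)."""
    per_day = Counter()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        query = unquote_plus(m.group("path")).partition("?")[2]
        if any(sig.search(query) for sig in SIGNATURES):
            per_day[m.group("day")] += 1
            hits.append({"day": m.group("day"), "ip": m.group("ip"),
                         "status": m.group("status"), "query": query})
    return per_day, hits


if __name__ == "__main__":
    days, records = scan(SAMPLE_LOG)
    for day, n in sorted(days.items()):
        print(f"{day}: {n} suspected SQL injection attempt(s)")
    for r in records:
        print(f"  {r['ip']} status={r['status']} query={r['query']!r}")
```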

For example, when IPA analyzed the access log of OSS iPedia(*6), a database of open source software information maintained by IPA, for the period from January 2008 to April 2008, it found 44 possible SQL injection attacks. No attack was successful, but as shown in Figure 1, there were 29 attacks in April alone, and the number has been increasing compared with the earlier months (January to March). iLogScanner is a Java applet that runs in a browser and is therefore easy for anyone to use. Since its release on April 18, it has been loaded more than two thousand times.

iLogScanner is a simple checking tool, not a penetration testing tool. IPA recommends that even if the tool does not detect any attack, operators should not let their guard down and should still perform vulnerability testing of the web site. IPA hopes that web site developers and security vendors will introduce iLogScanner to their customers and thereby help them improve the security of their systems.

Figure 1. “iLogScanner” (SQL Injection Vulnerability Checking Tool) Analysis Example



(*6) OSS iPedia aims to promote the use of OSS (Open Source Software) and provides a structured database of OSS basics, technical information and application examples of using OSS. Its name “OSS iPedia” is a coined term made of “OSS”, “i” for Information and “Pedia (Paideia)”, which means education, knowledge and wisdom in Greek.


