During a periodic audit of website access logs collected by the Quttera WAF, we encountered multiple malicious HTTP requests attempting to exploit an SQL injection vulnerability by injecting SQL queries into the HTTP User-Agent string value.
Constant vigilance is the best way to ensure your systems remain secure. Sometimes, malicious attacks will attempt to take advantage of vulnerabilities within your website's code that can leave your site disabled and your audience unable to visit the site.
In this post, we'll take a closer look at one such situation. During a periodic audit of a website, Quttera's Web Application Firewall (WAF) encountered numerous malicious HTTP requests. These requests were attempting to exploit an SQL injection vulnerability.
SQL Injection and its Uses
To better prepare your systems against the threat of an SQL injection attack, it's important to first understand what it is, how hackers use it to compromise your systems, and what it does. So, what is SQL injection?
It's one of the most common tactics that hackers and malicious actors use. An SQL injection is when a hacker submits malicious SQL code through an input your application passes on to its database. This code has the potential to ruin your otherwise healthy database.
The hacker hides the malicious code inside SQL statements that are delivered through website input. A common scenario in which it happens might go like this:
- A site visitor needs to provide information such as a login or username.
- The visitor provides you with an SQL statement instead of the username.
- The SQL statement is then delivered to your site, where it operates on your database without your knowledge.
Hackers love this sort of attack because it's relatively easy for them to perpetrate. It can also be difficult for compromised website owners and operators to know they've been attacked. A slow lag time in responding to an attack can cause untold damage to an affected system.
What is the HTTP User-Agent String in an HTTP Request?
It's also critical to understand some of the more common vectors for initiating an SQL injection attack. This is where a user-agent string comes in.
A user-agent is the software that acts on behalf of a website visitor or user. The agent serves as the liaison between the user and the website content they engage and interact with, and it identifies itself to the server with the User-Agent header.
Some common forms a user-agent takes are web browsers and email clients, which open users' messages and allow them to read their emails. The user-agent functions as a client in other scenarios as well.
Why Include an SQL Injection in a User-Agent String?
Now, a little more background on why an SQL injection might be placed in a user-agent string.
In many cases, an SQL injection is submitted through form fields whose values are then used in an SQL query. A web application may use the user-agent string from an HTTP request for one of two reasons:
- To serve specific HTTP requests when the app generates output or HTML that depends on the user-agent string.
- To collect data or statistics.
In either situation, the user-agent string value is added to an SQL query. Because the HTTP client application adds the user-agent string automatically, developers tend to treat it as trustworthy, so there is a high probability that the value is never validated. In reality, an attacker controls the header just as fully as any form field.
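The statistics-logging case described above, as an added example that is not code from the original post: a hypothetical visitor-statistics table in an in-memory SQLite database, written once with string concatenation and once with a bound parameter, using constructed User-Agent values (one of which merely contains an apostrophe).

```python
import sqlite3

# Constructed sample User-Agent values (not taken from the original post).
# The first is an ordinary browser string; the second contains an apostrophe,
# which alone is enough to break a query built by string concatenation.
UA_NORMAL = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
UA_WITH_QUOTE = "Mozilla/5.0 (compatible; O'Reilly-Crawler/1.0)"


def open_stats_db():
    """In-memory stand-in for the site's visitor-statistics table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, user_agent TEXT)")
    return conn


def log_visit_unsafe(conn, user_agent):
    """The vulnerable pattern: the header value is pasted into the SQL text.
    A quote inside the header ends the string literal, so whatever follows is
    parsed as SQL. Returns False when the database rejects the statement."""
    sql = "INSERT INTO visits (user_agent) VALUES ('" + user_agent + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def log_visit_safe(conn, user_agent):
    """The fix: a bound parameter. The driver hands the value to the engine
    separately from the SQL text, so nothing in the header can alter the statement."""
    conn.execute("INSERT INTO visits (user_agent) VALUES (?)", (user_agent,))
    conn.commit()
    return True


def stored_agents(conn):
    """Return every logged User-Agent in insertion order."""
    return [row[0] for row in conn.execute("SELECT user_agent FROM visits ORDER BY id")]


if __name__ == "__main__":
    db = open_stats_db()
    print(log_visit_unsafe(db, UA_NORMAL))      # True
    print(log_visit_unsafe(db, UA_WITH_QUOTE))  # False: the quote breaks the statement
    print(log_visit_safe(db, UA_WITH_QUOTE))    # True: stored verbatim
    print(stored_agents(db))
```

The concatenated version already fails on a harmless apostrophe; a crafted header would instead be executed as SQL, which is exactly why the WAF flags such values and why the parameterized form is the right fix.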
This creates a dangerous scenario in which SQL injections can become more easily facilitated. A similar type of attack occurred recently.
Source of the Attack
An SQL injection combines the worst elements of cyberattacks. It takes advantage of vulnerability exploits. It's sophisticated enough in nature that even those with a background in cybersecurity may fall prey to it. And, as mentioned above, in many cases it is sneaky: the impacted party won't know they're compromised until too much damage has been done.
In the specific attack we encountered, we traced the culprits to Russia. WHOIS information (a service that records the parties linked to domains and IP address ranges) tied the source IP addresses to a party referred to as "IT Resheniya LLC."
It's anyone's guess whether this party is a hacking front or simply an unsuspecting party used as a cover. But what we uncovered was an attack that attempted to submit numerous malicious HTTP requests.
It's a scary proposition for many website owners. If this type of attack can be perpetrated so easily, what chance do you have of fending off hackers and other malicious actors? While there's no 100% failsafe for preventing these kinds of attacks, there are preventative measures you can take to mitigate the risk you face.
How to Protect Your Website from SQL Injection Attacks
Adapting to cyber threats is all about balancing out prevention and response. By being proactive and focusing on preventing attacks from occurring in the first place, you can better secure your systems. Focusing on response allows you to account for the fact that you won't be able to prevent everything but can still adopt a strong reactive posture when attacks find their way through your security systems.
The best move you can make is to partner with a trusted provider of threat detection and protection services. For that, you can turn to Quttera's ThreatSign! platform. ThreatSign provides DNS and endpoint WAF solutions.
SQL injection malware can cause a whole host of complications to your website. It can leave your site paralyzed, causing damage to both your site's performance and your business's reputation. With ThreatSign, your website and your business will have protection against SQL injection malware.
These measures don't just protect your site from SQL injection - they protect it from a variety of attacks. As cyber threats grow more complex and sophisticated by the day, it's critical to identify a flexible, comprehensive website security solution.
With Quttera's ThreatSign, you'll have access to an "all-in-one" detection and protection platform. Why look to multiple providers for multiple security needs when you can find all of them under the same convenient roof?
Visit our website for more on the ThreatSign website security platform.