Next-Gen Injection: How Firewalls Can Be Broken

Injections are some of the most dangerous attacks against any web application. The technique abuses an app’s ability to process data: an attacker simply sends malicious data that turns the application itself into a threat vector. It was once thought that Web Application Firewalls (WAFs) provided enough of a defense, but recent research has shown every WAF-as-a-service tool tested to be vulnerable to mutated payloads.

RASP security offers the modern response to these next-gen injection attacks.

What is SQL injection

In 2008, Heartland Payment Systems was one of the biggest payment processing providers in the US. With a legacy dating back to 1997, they had clambered to the top of a rapidly expanding online market. It looked like they could do no wrong.

And then, three people decided to shatter that reputation of reliable, safe payments. Wielding a SQL injection attack, they hopped onto the payment provider’s site and found a web form. Whereas normal users may have provided their contact details and described their issue, this gang was looking to cause disputes, not resolve them. Via this web form, they reached out to a Heartland Payment database and started prying out chunks of data. Of particular interest was the digital information encoded onto credit and debit cards’ magnetic strips. With this data, attackers are able to create counterfeit credit cards by imprinting the stolen information onto fabricated cards.

Within days, it was recognized as the biggest ever criminal breach of card data. Over 100 million cards were compromised, at the cost of hundreds of millions of dollars.

Their method of attack remains one of the most common vulnerabilities you’ll face. Injection has always held its place in the OWASP Top 10, and single-handedly empowers attackers to access the very databases they’re supposed to be kept out of. How?

SQL forms the backbone of database communication. It manages requests to fetch certain types of data from the hundreds of gigabytes in storage, and is vitally important to modern database architecture. Imagine a database as a table. Once a user requests a specific chunk of stored data, SQL pinpoints the correct column and row by checking coordinates in the query. Once the code identifies the type of request, it sends it onto the function that returns the data, or otherwise completes the request.

A traditional SQLi attack seeks to confuse and misdirect this process. It’s why the infamous SQLi code included the condition ‘1=1’. Because that condition is always true, the query matches every row instead of the one requested, and old-school SQL handling had this major gap in its armor. From there, attackers could escalate their privilege to the point that they could recall data from the database itself.

Traditionally, an SQLi can be totally removed from the attack surface simply by installing a Web Application Firewall. This sits at the perimeter of an application, monitoring all communications flowing between the public and an exposed app. A user attempting to bamboozle the SQL parser with bizarre strings can be identified and completely cut off before damage is dealt.

Unfortunately, the WAF’s power in preventing traditional SQLi attacks has led to widespread complacency; whilst some have considered the SQL injection attack dead in the water, the rapid evolution of attack vectors is seeing a scary mutation in the SQLi’s possibilities.

Next Gen SQLi: malformed queries

The WAF represents the first obstacle to any wannabe SQLi attacker. Bypassing this is now not only possible, but relatively easy. As WAFs block based on protocols, their defense techniques are static. Anything that isn’t a recognizable attack is simply let through. WAF vulnerabilities have always existed: they’ve only recently been measured in scope and scale. The results are concerning, to say the least.

The ‘1=1’ method may have been scrubbed out of modern attack patterns, but other numerical fiddling is still more than possible. A team of researchers assembled a tool, called AutoSpear, to break a number of common WAF-as-a-service products. Instead of ‘1=1’, AutoSpear would select a SQLi technique from its arsenal of inline comments, whitespace, and “2<3”. From this, the researchers discovered different patterns of transformations that performed best against each of the seven different WAF rulesets.

Like Superman taking off his suit and popping on a pair of glasses, WAFs are entirely fooled by the Clark Kent technique.

AutoSpear broke every single one of the seven cloud-based WAFs. Because the tool used a machine learning algorithm to shape its requests, its success rate was not fixed: it varied dramatically across the seven WAF products, from a measly 3% for ModSecurity to 63% for Amazon Web Services’ and Cloudflare’s WAFs.


Reinforcing Your Firewall

Firewalls are powerful pieces of technology, but are fundamentally non-adaptive. They rely entirely on a clued-in team that understands the threat landscape and updates the protocols regularly, and even that comes with risks.

DevOps might be good, but they can’t see the future. Any new SQL injection risks the attacker simply waltzing into your database and running off with heaps of confidential data.

The first major way to support your WAF is by implementing safer SQL architecture. At every point, your public-facing apps need to rely on parameterised database queries. These bind whatever is entered into the form as data, so the database never parses it as SQL code, knocking dead most forms of SQLi. However, this requires a lot of discipline: you need to use them everywhere, all the time.
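The contrast between a static filter and a parameterised query, as an added example that is not from the original post or from the AutoSpear research. A hypothetical one-rule signature stands in for a WAF, and the table, column names and inputs are constructed, using the comment, whitespace and “2<3” variations named earlier.

```python
import re
import sqlite3

# Hypothetical one-rule signature standing in for a WAF: blocks the classic tautology.
SIGNATURE = re.compile(r"1\s*=\s*1")

# Constructed inputs: a legitimate value, the classic form, and three variations of it.
INPUTS = {
    "legitimate": "alice",
    "classic": "x' OR 1=1 --",
    "whitespace": "x' OR 1\t=\t1 --",
    "inline comment": "x' OR 1/**/=/**/1 --",
    "2<3": "x' OR 2<3 --",
}

def make_db():
    # Constructed sample table; names are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, owner TEXT)")
    db.executemany("INSERT INTO tickets VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def signature_allows(value):
    # A static rule passes anything it does not recognise.
    return SIGNATURE.search(value) is None

def lookup_concatenated(db, owner):
    # Vulnerable: the input is spliced into the SQL text and parsed as code.
    sql = "SELECT id FROM tickets WHERE owner = '" + owner + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_parameterized(db, owner):
    # Hardened: the input is bound as a value and never reaches the SQL parser.
    sql = "SELECT id FROM tickets WHERE owner = ?"
    return sorted(row[0] for row in db.execute(sql, (owner,)))

def evaluate():
    # For each input: (passes the filter?, rows via concatenation, rows via binding)
    db = make_db()
    return {name: (signature_allows(v), lookup_concatenated(db, v),
                   lookup_parameterized(db, v)) for name, v in INPUTS.items()}

if __name__ == "__main__":
    for name, (allowed, concat, param) in evaluate().items():
        print(f"{name:15} allowed={allowed!s:5} concatenated={concat} parameterized={param}")
```

The rule happens to tolerate the whitespace variation but passes the other two, while the bound query returns only the legitimate user's row whatever the filter decides.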

There is a less hands-on approach. A Runtime Application Self-Protection (RASP) solution differs from a WAF in that it sits alongside the application, monitoring the app’s internals and current state. It offers protection against even cutting-edge zero-day attacks, as it’s able to identify app behaviors that are out of the ordinary. When an exploit is used, a RASP notifies you of the behavior and shuts down any suspicious activity.

This way, your team is free to focus on the vulnerabilities that matter, further reinforcing your defenses against profiteering cybercriminals.
