A look at the last 6 months of web application attacks shows an interesting trend. Hackers are bypassing traditional defenses like firewalls that rely on methods such as signatures, heuristics and data flow analysis. This post outlines how these recent attacks were carried out, what could have been done to prevent them, and whether runtime application security would be an appropriate solution for protecting against future attacks (as opposed to traditional perimeter solutions).
According to the Ponemon Institute's survey on application security, SQL injection (SQLi) is the vector most preferred by hackers, accounting for 54% of all 2015 attacks, followed by cross-site scripting (XSS) and cross-site request forgery (CSRF). Let's look at a few examples of these breaches on production applications and see how runtime protection is becoming a critical part of a layered security architecture.
SQLi at National Bank in Qatar (link)
It appears that sqlmap was used to perform the injection. The screenshot posted shows comments being used to terminate the statement early, and the presence of a tautology. Whether that is the actual query used is unclear. However, tautologies (e.g. 1=1) or other always-true conditions will bypass WAFs, firewalls and other security systems that don't understand the queries.
So Qatar National Bank (qnb) was apparently hacked with SQLi, from nb/Backup/www.qatarbank.com/log pic.twitter.com/xIx3mkS8lA
— Alejandro Ramos (@aramosf) April 26, 2016
Panama Papers Leaks (link)
The attacker successfully hit login pages with a POST body like this: UserId=11111' and 1=convert(int,(select top 1 login from users where OrionID=1))-- &Password=12345&submit=Login
This is an unusual way of building a tautology: instead of the literal "1=1" (i.e. true), the condition is "and 1=convert(...)". From there the attacker got into the email server as a privileged user and hunted around for other information (usernames, passwords, locations of things to dig into). No WAF or firewall would have protected against this.
Time Warner Cable (link)
The SQLi attack targeted custom code, but the same technique applies to legacy applications written in older versions of Java, .NET, etc.
4,000 records were compromised. The records included usernames, encrypted passcodes and email addresses. Legacy code can be protected very easily with runtime application security solutions using plugins or an SDK.
Other high profile classic SQLi breaches include:
- 1-800-Flowers hacked, sensitive data stolen (link)
- TalkTalk breach (link)
- Attackers use sql-injection-flaw (link)
These are just a few examples of how hackers have gotten creative with more advanced tautologies, fuzzing and other tricks. Newer methods like language-theoretic security (LANGSEC) will monitor and block these attacks. Prevoty's Runtime Application Security solutions, based on LANGSEC and including context (who, what, where and when), take a very different approach to monitoring and preventing these SQLi and XSS attacks on your applications. The majority of the breaches listed above would have been prevented by Prevoty right out of the box. Signatures, heuristics and data flow analysis are older, imprecise techniques that hackers know how to bypass. It is time to move to the next generation of technology.
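As an added illustration (not Prevoty's code and not taken from any of the incidents above), here is a toy LANGSEC-style check in Python: it lexes the statement with the user's value substituted in and compares its grammatical shape to the shape produced by a harmless placeholder, so a comment terminator, a stacked condition or a convert() subquery is caught as a structural change rather than by a signature, and literal tautologies such as 1=1 are reported on their own. The login query and the inputs are constructed for the example.

```python
import re

# Lexer for the SQL subset this check needs: comments, literals, identifiers, operators.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)        # -- and /* */ comments (early termination)
  | (?P<string>'(?:[^']|'')*')             # 'string' literal with '' escapes
  | (?P<number>\d+(?:\.\d+)?)              # numeric literal
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)      # keyword or identifier
  | (?P<op>=|<>|!=|<=|>=|<|>|\(|\)|,|\*|;) # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    """Lex SQL into (kind, text) pairs; whitespace dropped, keywords upper-cased."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                # stray character: keep it as its own token
            tokens.append(("unknown", sql[pos]))
            pos += 1
            continue
        kind = m.lastgroup
        if kind != "ws":
            tokens.append((kind, m.group().upper() if kind == "ident" else m.group()))
        pos = m.end()
    return tokens

def shape(tokens):
    """Grammar skeleton of the statement: literal values abstracted to their kind."""
    return tuple(text if kind in ("ident", "op") else kind for kind, text in tokens)

def tautologies(tokens):
    """Comparisons whose two sides are the same literal, e.g. 1=1 or 'a'='a'."""
    found = []
    for i in range(1, len(tokens) - 1):
        left, (kind, op), right = tokens[i - 1], tokens[i], tokens[i + 1]
        if kind == "op" and op == "=" and left == right and left[0] in ("number", "string"):
            found.append(f"{left[1]}={right[1]}")
    return found

def analyze(template, values):
    """Findings for `values` placed into `template`; a changed shape means the input
    escaped its literal and rewrote the statement (empty list = clean)."""
    expected = shape(tokenize(template.format(*["x"] * len(values))))
    tokens = tokenize(template.format(*values))
    findings = ["query structure changed by input"] if shape(tokens) != expected else []
    return findings + [f"tautology {t}" for t in tautologies(tokens)]

# Constructed login query standing in for a vulnerable page's own statement.
LOGIN = "SELECT * FROM users WHERE UserId = '{}' AND Password = '{}'"
```

Calling analyze(LOGIN, (user, password)) with a benign username returns an empty list, while the comment-terminated tautology and the convert() subquery from the posts above both come back flagged as a structural change.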
Want to learn more about LANGSEC? Check out Prevoty Co-Founder & CTO Kunal Anand's talk at OWASP AppSec California: