Automation is not only growing within the manufacturing industry, it is also seeing a spike in usage in the hacking community.
The increase in attack volume and complexity can largely chalk up to working smarter. It isn’t so much hacker geeks stressing over code for days that is the problem, rather it’s the just plain crooks that can carry out their attacks with a few clicks of a button using automated tools that do the technical dirty work.
In the database-cracking world, Havij stands as one of the most popular of these tools. As such, it should be on the radar of any security professional seeking to prevent costly data breaches within their environments.
“If you’re talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common,” said Noa Bar Yosef, senior security strategist at Imperva.
Developed by Iranian hackers sometime in spring 2010, the tool has such a strong following in the black hat community that groups like Anonymous frequently train their folks on how to use it, said Josh Shaul, CTO of Application Security Inc.
“So when I sat and read chat logs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij,” Shaul said. “The reason for that is Havij is awesome. And it’s as powerful and easy to use as could be.”
Havij automates bad guys’ SQL injection attacks by automatically detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting.
“By using this software, a user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and executing commands on the operating system,” said an Imperva executive report. All of it carries out through a simple GUI interface through which an attacker can carry out an attack with a few clicks.
“Basically, you fire up the product: There’s a box at the top of the screen where it wants you to type some kind of Web page, so you type it in and then there’s a button that says ‘Analyze.’ It’s like the ‘Go’ button, and you click ‘Go.’ Literally, that’s it,” Shaul said. “So it comes back and says, ‘Hey, I found a SQL injection potential on this site.'”
At that point, the tool returns information about what kind of server and DBMS system is running on the back-end and whether or not it is running with administrative privileges in the database.
“So then there are a few other things that you can do. There’s a button that’s just called ‘Info,’ and if you click that button, it’ll go out and get a bunch of detailed info about the database,” Shaul said. “There’s a button called ‘Table.’ If you click that button, it’ll go into that database and come back with a list of tables in that database that you can navigate, sort of like navigating through a Windows file explorer where you can click on the table name, and it’ll expand out.” The ease of use and power of the tool should be enough to get the attention of enterprises seeking to prevent breaches, such as the one last spring at PBS that gave hackers the ability to post phony story headlines on the PBS site — an attack that came at the hands of an attacker using Havij.
The key to preventing SQL injection attacks starts at the application level because enterprises need to do a better job sanitizing input to neutralize the effects of injection queries. Obviously, though, there’s a whole host of applications already in production that still need protecting.
That’s where database security tools with SQL injection blocking come into play.