SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother's maiden name and more.
The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:
|pregex=^(GET|POST) /.* HTTP/1\.|
Next, it looks for a response that is not formatted as HTML:
At first glance you might be inclined to think this would lead to false positives. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:
When I went to the above URL manually, I was presented with an error page:
It appears that the error page was not rendering correctly (an error on the error page, how ‘bout that?). Viewing the source of the page revealed information about the problem:
The result of "View source" above contains valuable information that can be used in SQL injection attacks. This includes a table name and a column name visible in the SELECT statement. In addition, the page reveals the file system path in use on the web server. Finally, the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.
The parameter should be more thoroughly tested to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application to not display this error message to the end user. Passive monitoring is an excellent method to monitor your web applications without any impact to the environment. Activity from normal users, potential hackers and even web spiders can all provide input that may result in displaying an unexpected SQL error.