Check Point 2013 Security Report - page 15

2013 CHECK POINT ANNUAL SECURITY REPORT
02 _ THREATS TO YOUR ORGANIZATION
What Does an SQL Injection Attack Look Like?
SQL Injection Chronicle of Event
The following case depicts an actual example of a series
of SQL Injection attacks that took place between July
and October 2012 at a Check Point client’s system
environment. The attack was detected and blocked by
a Check Point Security Gateway. The case was reported
by the Check Point ThreatCloud™ Managed Security
Service team.
SQL Injection is an attack technique (the report cites CVE-2005-0537) in which the attacker supplies Structured Query Language (SQL) syntax through an application input, such as a web form field, that the application splices into a database query without sanitizing it. The injected syntax is executed by the database, letting the attacker read data the application was never meant to expose or change stored data. Chart 2-M shows the physical characteristics of the attack. The marked text is the data the attacker tried to disclose with the SQL Injection (in this case, usernames and passwords). The SQL keywords used were SELECT, CONCAT and FROM: a SELECT ... FROM the credentials table, with CONCAT typically used to join the username and password columns into a single string so that both come back in one result column.
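The following is an added example, not code from the report or from Check Point: a search form that splices user input into its query, the same query with a bound parameter, and the kind of SELECT / CONCAT / FROM payload the paragraph describes, run against a constructed SQLite database. The table and column names, the sample rows and the payload are assumptions for illustration; SQLite lacks MySQL's CONCAT() (before 3.44), so an equivalent is registered so the injected query reads like the one in the report.

```python
import sqlite3

# Constructed sample data for this example (not from the report): a tiny
# accounts table and the products table the search form is meant to query.
SAMPLE_USERS = [("alice", "s3cr3t"), ("bob", "hunter2")]
SAMPLE_PRODUCTS = [("widget", 5), ("gadget", 9)]

# The injected form input (assumed payload): closes the open string literal,
# appends a UNION SELECT that uses CONCAT ... FROM to pull credentials out of
# another table, and comments out the quote the application appends afterwards.
PAYLOAD = "x' UNION SELECT concat(username, ':', password), 1 FROM users--"


def make_db():
    conn = sqlite3.connect(":memory:")
    # MySQL provides CONCAT(); SQLite (before 3.44) does not, so register an
    # equivalent so the injected query reads like the one in the report.
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_products_vulnerable(conn, term):
    """Vulnerable: the form input is spliced into the SQL text, so quotes and
    keywords in the input become part of the query the database executes."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    """Hardened: the same query, but the input travels as a bound parameter and
    is only ever treated as a string value, never as SQL syntax."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run the benign and injected inputs through both versions of the query."""
    conn = make_db()
    return {
        "normal": search_products_vulnerable(conn, "widget"),
        "injected_vulnerable": search_products_vulnerable(conn, PAYLOAD),
        "injected_safe": search_products_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable query the payload returns every username:password pair from the users table alongside the empty product result; with the parameterized query the identical input simply matches no product name. The UNION only works because the payload selects the same number of columns (two) as the original query, which is why real attacks typically start by probing the column count.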
The attacks came from 99 distinct source IP addresses. Although the target organization was located in Europe, the attacks originated from a number of different countries, as presented in Chart 2-M.
SQL Injections can be typed by hand or launched automatically by scripted tools. In our example, the attack peaked with a burst of 4,184 attempts launched within two days, as depicted in Chart 2-L. These attempts used the same injection pattern and originated from a single source IP. The uniform payload, the volume and the single source make this most likely an automated assault.
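The following is an added example, not code from the report or from Check Point, showing how the two observations above can be derived from web server logs: injection attempts are picked out of the request line with a simple keyword signature (UNION / SELECT / CONCAT followed by FROM), then grouped by source IP and counted in a two-day sliding window to separate an automated burst from scattered attempts. The log format, the signature, the burst threshold and all traffic lines are constructed assumptions for illustration; a production sensor would use far richer detection than this keyword match.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Apache/nginx combined-style access log line: source IP, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

# Signature for the disclosure-style injection the report describes: the query
# text contains UNION, SELECT or CONCAT followed later by FROM. A deliberately
# simple, hypothetical signature, not a Check Point IPS protection.
SQLI_RE = re.compile(r"\b(union|select|concat)\b.*\bfrom\b", re.IGNORECASE | re.DOTALL)

BURST_WINDOW = timedelta(days=2)   # the report's "within two days"
BURST_THRESHOLD = 100              # hypothetical; the report's burst was 4,184


def parse_line(line):
    """Return (source_ip, timestamp, URL-decoded request target) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, target = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, unquote_plus(target)


def is_sqli(decoded_target):
    return SQLI_RE.search(decoded_target) is not None


def burst_sources(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding window per source IP: the peak number of events one IP produced
    inside `window`. IPs whose peak reaches `threshold` are returned."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def summarize(lines):
    """Count injection attempts, distinct attacking IPs, and automated bursts."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_sqli(parsed[2]):
            events.append((parsed[0], parsed[1]))
    return {
        "injection_events": len(events),
        "attacking_ips": len({ip for ip, _ in events}),
        "bursts": burst_sources(events),
    }


def _fmt(ip, stamp, target):
    return f'{ip} - - [{stamp}] "GET {target} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic (not the report's data): one benign search, three
    scattered injection attempts, and one automated burst from a single IP."""
    payload = "/search?q=x%27+UNION+SELECT+concat(username,%27:%27,password),1+FROM+users--"
    lines = [_fmt("203.0.113.5", "22/Jul/2012:10:15:01 +0000", "/search?q=widget")]
    for ip, stamp in [("198.51.100.2", "23/Jul/2012:08:00:00 +0000"),
                      ("198.51.100.9", "14/Aug/2012:19:30:45 +0000"),
                      ("203.0.113.40", "02/Oct/2012:03:12:07 +0000")]:
        lines.append(_fmt(ip, stamp, payload))
    start = datetime(2012, 9, 16, tzinfo=timezone.utc)
    for i in range(150):   # one attempt every ten minutes for about 25 hours
        stamp = (start + timedelta(minutes=10 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(_fmt("192.0.2.77", stamp, payload))
    return lines


if __name__ == "__main__":
    print(summarize(build_sample_log()))
```

On the constructed log this reports 153 injection events from 4 source IPs, with one IP (192.0.2.77) flagged as a burst of 150 attempts inside the window; the three one-off sources stay below the threshold. Matching on the URL-decoded target matters: the same payload arrives percent-encoded, and a signature applied to the raw line would miss it.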
Chart 2-K: Top Attack Vectors
Buffer Overflow: 32%
Memory Corruption: 32%
Denial of Service: 32%
Code Execution: 24%
Stack Overflow: 19%
Registration Spoofing: 15%
Integer Overflow: 10%
Information Disclosure: 8%
Null Pointer Dereference: 6%
Privilege Escalation: 5%
Buffer Overrun: 2%
Authentication Bypass: 1%

Chart 2-L: SQL Injection Events Rate. Y axis: # of SQL Injection Events (0 to 2,500). X axis: July 22 to Oct 28, 2012, labelled in two-week steps (July 22, Aug 5, Aug 19, Sept 2, Sept 16, Sept 30, Oct 14, Oct 28).
Source: Check Point Software Technologies