2013 CHECK POINT ANNUAL SECURITY REPORT
02 _ THREATS TO YOUR ORGANIZATION
What Does an SQL Injection Attack Look Like?
SQL Injection Chronicle of Event
This case shows a real example of a series of SQL
Injection attacks that took place between July and
October 2012 in a Check Point customer environment.
The attack was detected and blocked by a Check Point
Security Gateway. The case was reported by the Check
Point ThreatCloud Managed Security Service team.
SQL injection is a security exploit (CVE-2005-0537)
in which the attacker adds Structured Query Language
(SQL) code to a web form input in order to gain access
to resources or to make changes to stored data. Chart
2-M shows how the attack looks. The marked text
is the data the hacker tried to disclose with the SQL
Injection (in this case, usernames and passwords). The
SQL commands are: select, concat and from.
The attack came from 99 different IP addresses. Although the
target organization is located in Europe, the attacks
originated from many different locations, as presented in
Chart 2-M.
SQL Injection can be done manually (a hacker using a
keyboard) or automated (scripted attack). In this case, as
shown in Chart 2-L, the peak of the attack was a burst
of 4,184 attack attempts (most likely automated) that were
launched over two days, using the same injection pattern and
originating from a single source IP.
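The pattern described above (select, concat and from inside web input, repeated in bulk from one source) can be searched for in web server logs. The following is an added example, not code from the report or from Check Point; the log layout, the `burst_threshold` value, the function names and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

# Combined-log-format prefix: source IP, day, request path (assumed log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "[A-Z]+ (\S+) ')
# The three SQL commands the report names, in the order they appear in a query.
SQLI_RE = re.compile(r"\bselect\b.*\bconcat\b.*\bfrom\b", re.I | re.S)

def sqli_values(url):
    """Decoded query-string values that carry the select/concat/from pattern."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [v for _, v in pairs if SQLI_RE.search(v)]

def summarize(lines, burst_threshold=100):
    """Count injection events per source IP and flag likely automated bursts."""
    per_ip, per_ip_day, shapes = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, day, url = m.groups()
        for value in sqli_values(url):
            per_ip[ip] += 1
            per_ip_day[ip, day] += 1
            # Collapse numbers so repeats of one template compare equal.
            shapes[ip].add(re.sub(r"\d+", "N", value.lower()))
    # A burst: many events from one source, all sharing a single injection template.
    bursts = {ip: n for ip, n in per_ip.items()
              if n >= burst_threshold and len(shapes[ip]) == 1}
    return {"events": sum(per_ip.values()), "sources": len(per_ip),
            "bursts": bursts, "per_ip_day": dict(per_ip_day)}

def sample_log():
    """Constructed log lines (documentation-range IPs), not data from the report."""
    fmt = '{} - - [{}/Sep/2012:10:00:00 +0000] "GET /item.php?id={} HTTP/1.1" 200 512'
    probe = "{} union select concat(username,password) from users"
    lines = [fmt.format("198.51.100.7", "12" if i < 80 else "13", quote(probe.format(i)))
             for i in range(150)]                       # scripted burst over two days
    lines += [fmt.format(f"203.0.113.{i}", "20", quote(probe.format(1) + f" limit {i}"))
              for i in range(1, 4)]                     # scattered single attempts
    lines += [fmt.format("192.0.2.10", "12", "42"),     # benign request
              fmt.format("192.0.2.11", "12", quote("select a gift from our range"))]
    return lines

if __name__ == "__main__":
    report = summarize(sample_log())
    print(report["events"], report["sources"], report["bursts"])
```

Requiring all three keywords keeps ordinary text such as a search for "select a gift from our range" out of the count; a keyword match is a detection signal only and does not replace parameterized queries in the application.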
Top Attack Vectors
Buffer Overflow: 32%
Memory Corruption: 32%
Denial of Service: 32%
Code Execution: 24%
Stack Overflow: 19%
Registration Spoofing: 15%
Integer Overflow: 10%
Information Disclosure: 8%
Null Pointer Dereference: 6%
Privilege Escalation: 5%
Buffer Overrun: 2%
Authentication Bypass: 1%
[Chart: SQL Injection Events Rate. Y-axis: # of SQL Injection Events (500 to 2500); X-axis: July 22 to Oct 28.]
Chart 2-l
Chart 2-k
Source: Check Point Software Technologies