Breach Security Labs Releases Alert on “nihaorr1” Mass SQL Injection

Tuesday, April 29, 2008


Priority: HIGH

Impact: Potential for malware to be downloaded to website visitors. PCI DSS non-compliance.

Resolution: Verify blocking policy in web application firewall and remediate code flaws.

Who: As many as 500,000 vulnerable Microsoft® IIS web servers around the world have been attacked with a generic SQL injection, known as “nihaorr1”. Some of the affected organizations include:

  • The United Nations
  • The U.S. Department of Homeland Security
  • The U.K. Government
  • Aeroflot Russian Airlines

What: A SQL injection is a common attack that targets web applications through user-supplied input fields, such as web forms. The goal of this attack technique is to control the SQL database behind the application for the purposes of downloading its contents, erasing it or undertaking another malicious activity.

How: This recent attack uses a single generic SQL injection payload to exploit a wide range of SQL injection vulnerabilities in websites and inject malicious JavaScript™ into pages on each compromised site. When a potential victim visits one of the infected sites, malware is downloaded to the visitor’s computer.

Impact: The nihaorr1 assault on web applications is the most widely propagating application-layer attack to date. Not only has it hit hundreds of thousands of web applications around the world, but it has done so using a single, generic attack against these custom applications.

Additionally, organizations impacted by nihaorr1 may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). Requirement 6.5.6 of the PCI DSS states that organizations should:

“...Cover prevention of common coding vulnerabilities in software development processes, to include the following…injection flaws (for example, structured query language (SQL) injection).”

Prevention: Perhaps the most surprising discovery associated with this attack is that it was entirely preventable. Had the developers of these web applications created them based on secure coding guidelines such as those from the Open Web Application Security Project (OWASP), their sites would have been protected. In addition, deployment of a Breach Security web application firewall prevents the attack.
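The coding flaw described under "What" and the secure-coding fix called for under "Prevention", as an added example that is not part of the original alert: the concatenating lookup treats user input as SQL text, so a quote in the input changes the statement, while the parameterized lookup passes the same input purely as data. The product table and the `lookup_unsafe`/`lookup_safe`/`compare` names are constructed for this illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory catalogue standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Internal tool", 0)],
    )
    return conn

def lookup_unsafe(conn, name):
    """The flaw class nihaorr1 exploits: the input is spliced into the SQL
    string, so a quote in it alters the statement's structure, not its data."""
    sql = f"SELECT id, name FROM products WHERE name = '{name}' AND public = 1"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """The OWASP-recommended fix: a parameterized query. The driver binds the
    value separately, so it is never parsed as SQL whatever it contains."""
    sql = "SELECT id, name FROM products WHERE name = ? AND public = 1"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both lookups on the same input and return (unsafe, safe) results.
    A syntax error from the unsafe path is reported as a string: that is the
    first symptom a defender sees when quotes reach a concatenated query."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        unsafe = "SQL syntax error"
    return unsafe, lookup_safe(conn, name)

if __name__ == "__main__":
    for value in ("Widget", "O'Reilly", "Internal tool' OR 'x'='x"):
        print(repr(value), "->", compare(value))
```

The third input shows the unsafe path returning the non-public row (and every public one) because the `OR` it introduces rewrites the `WHERE` clause, while the parameterized path simply finds no product with that literal name.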

Resolution: Breach Security’s web application firewalls enable security organizations to pinpoint security vulnerabilities in code for quick remediation and offer continuous protection by detecting and blocking hacks before they can reach the web application. Breach Security recommends remediation of the vulnerable code as a best practice as part of the normal development life cycle.

Breach Security WebDefend™ and ModSecurity Pro™ M1100 customers are already protected against nihaorr1. Customers should verify their security settings to ensure the appropriate prevention mechanisms are active.

For more information on this alert and other web application security news, please visit Breach Security Labs at www.breach.com or email support@breach.com.