Today’s exponential increase in attack volume and complexity can largely be chalked up to the cybercriminal’s creed of working smarter, not harder. It isn’t so much l33t hackers toiling at code for hours that enterprises have to worry about. Instead, it is non-technical crooks who can carry out their attacks with a few clicks of a button using automated tools that do the technical dirty work for them. In the database-cracking world, Havij stands as one of the most popular of these tools. As such it should be on the radar of any security professional seeking to prevent costly data breaches within their environments.
“If you’re talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common,” says Noa Bar Yosef, senior security strategist at Imperva.
Developed by Iranian hackers sometime in the spring of 2010, Havij is named for the Farsi word for ‘carrot,’ which also doubles as colorful slang for the male sexual organ. Corny penetration jokes notwithstanding, the tool has so completely captured the hearts and minds of the black hat community, that groups like Anonymous frequently train their legions on how to wreak havoc using it, says Josh Shaul, CTO of Application Security, Inc.
“So when I sat and read chatlogs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij,” Shaul says. “The reason for that is Havij is awesome. And it’s as powerful and easy to use as could be.
Favored by hacktivists and financially-motivated attackers alike, Havij automates bad guys’ SQL injection attacks by automatically detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting.
“By using this software, a user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, running SQL statements and even access the underlying file system and executing commands on the operating system,” said a recent Imperva executive report. All of it is carried out through a simple GUI interface, through which an attacker can carry out an attack with a few clicks.
“Basically, you fire up the product, there’s a box at the top of the screen where it wants you to type some kind of webpage so you type it in and then there’s a button that says “analyze.” It’s like the “go” button, and you click “go.” Literally, that’s it,” Shaul says. “So it comes back and says, ‘Hey, I found a SQL injection potential on this site.’”
At that point the tool returns information about what kind of server and DBMS system is running on the backend and whether or not it is running with administrative privileges in the database.
“So then there are a few other things that you can do. There’s a button that’s just called “Info,” and if you click that “info” button, it’ll go out and get a bunch of detailed info about the database,” Shaul says. “There’s a button called “Table,” and if you click that button, it’ll go into that database and come back with a list of tables in that database that you can navigate sort of like navigating through a windows file explorer where you can click on the table name, and it’ll expand out and show you all the names of the columns in that table and you can read the data from the table, you can write data to the table and just dump this information out.” The ease of use and power of the tool should be enough to get the attention of enterprise seeking to prevent breaches such as the one last spring at PBS that gave hackers the ability to post phony story headlines on the PBS site, an attack which came at the hands of an attacker using Havij.
“What it means for enterprises is that everybody out there that wants it has sort of industrial grade SQL injection test kits at their fingertips,” Shaul says. “And if organizations aren’t really rigorously testing their applications for SQL injection vulnerabilities, they’re going to be missing something that an attacker is not going to miss.”
The key to preventing SQL injection attacks starts at the application level, as enterprises need to do a better job sanitizing input to neutralize the effects of injection queries. Obviously, though, there’s a whole host of applications already in production that still need protecting. That’s where database security tools with SQL injection blocking come into play.
“SQL injection is all about dirty input. In the end, the solution is input sanitization. That’s an easy thing to say, it’s not an easy thing to do. You’ve got to put up some applications that are stood up that are running that you’d like to fix but it’s going to take time. So the stop-gap measure that I think folks need to implement is database security,” Shaul says. “Bringing that security right to where the data lives is the best way to effectively protect it while you’re going through the process of fixing these known vulnerabilities in the environment.”
According to Rob Rachwald, director of security for Imperva, Havij in particular has characteristics that make it possible for blocking tools to detect activity in real time.
“When it hits the website it gives a certain fingerprint that says ‘Hey, I’m an attack tool,’” Rachwald says. “So you can block that traffic right there.”