Cybercrime's Love Affair With Havij Spells SQL Injection Trouble

Published : 22/11/2024   Category : security




Automated SQL injection attack tool makes database extraction as easy as a button click for cybercriminals



Today's exponential increase in attack volume and complexity can largely be chalked up to the cybercriminal's creed of working smarter, not harder. It isn't so much l33t hackers toiling at code for hours that enterprises have to worry about. Instead, it's the nontechnical crooks who can carry out their attacks with a few clicks of a button using automated tools that do the technical dirty work for them. In the database-cracking world, Havij stands as one of the most popular of these tools. As such, it should be on the radar of any security professional seeking to prevent costly data breaches within their environments.
"If you're talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common," says Noa Bar Yosef, senior security strategist at Imperva.
Developed by Iranian hackers sometime in spring 2010, Havij is named for the Farsi word for carrot, which also doubles as colorful slang for the male sexual organ. Corny penetration jokes notwithstanding, the tool has so completely captured the hearts and minds of the black hat community that groups like Anonymous frequently train their legions on how to wreak havoc using it, says Josh Shaul, CTO of Application Security Inc.
"So when I sat and read chat logs from Anonymous IRC rooms where they do hacker training, the only thing I ever see mentioned is Havij," Shaul says. "The reason for that is Havij is awesome. And it's as powerful and easy to use as could be."
Favored by hacktivists and financially motivated attackers alike, Havij automates bad guys' SQL injection attacks by automatically detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting.
"By using this software, a user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system," said a recent Imperva executive report (PDF). All of it is carried out through a simple GUI interface through which an attacker can carry out an attack with a few clicks.
"Basically, you fire up the product: There's a box at the top of the screen where it wants you to type some kind of Web page, so you type it in and then there's a button that says 'Analyze.' It's like the Go button, and you click Go. Literally, that's it," Shaul says. "So it comes back and says, 'Hey, I found a SQL injection potential on this site.'"
At that point, the tool returns information about what kind of server and DBMS system is running on the back-end and whether or not it is running with administrative privileges in the database.
"So then there are a few other things that you can do. There's a button that's just called 'Info,' and if you click that button, it'll go out and get a bunch of detailed info about the database," Shaul says. "There's a button called 'Table.' If you click that button, it'll go into that database and come back with a list of tables in that database that you can navigate, sort of like navigating through a Windows file explorer where you can click on the table name, and it'll expand out."
The ease of use and power of the tool should be enough to get the attention of enterprises seeking to prevent breaches, such as the one last spring at PBS that gave hackers the ability to post phony story headlines on the PBS site -- an attack that came at the hands of an attacker using Havij.
"What it means for enterprises is that everybody out there that wants it has sort of industrial-grade SQL injection test kits at their fingertips," Shaul says. "And if organizations aren't really rigorously testing their applications for SQL injection vulnerabilities, they're going to be missing something that an attacker is not going to miss."
The key to preventing SQL injection attacks starts at the application level because enterprises need to do a better job sanitizing input to neutralize the effects of injection queries. Obviously, though, there's a whole host of applications already in production that still need protecting.
That's where database security tools with SQL injection blocking come into play.
"SQL injection is all about dirty input. In the end, the solution is input sanitization. That's an easy thing to say -- it's not an easy thing to do. You've got to put up some applications ... that are running that you'd like to fix, but it's going to take time. So the stop-gap measure that I think folks need to implement is database security," Shaul says. "Bringing that security right to where the data lives is the best way to effectively protect it while you're going through the process of fixing these known vulnerabilities in the environment."
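The application-level fix discussed above, shown for both parameter types the article mentions (integer and string). This is an added example, not code from the article or from any vendor it quotes; it uses bound parameters plus integer validation rather than string filtering, and the table, rows, function names and inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table of constructed sample rows (not data from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "alice", "Public post"),
        (2, "bob", "Draft A"),
        (3, "o'neil", "Draft B"),
    ])
    return db

# --- Vulnerable: the request value becomes part of the SQL text ---
def by_id_vulnerable(db, raw_id):
    # Integer context: no quotes, so anything after the number is parsed as SQL.
    return db.execute("SELECT title FROM articles WHERE id = " + raw_id).fetchall()

def by_author_vulnerable(db, raw_author):
    # String context: a quote in the input ends the literal early.
    sql = "SELECT title FROM articles WHERE author = '" + raw_author + "'"
    return db.execute(sql).fetchall()

# --- Hardened: the value is bound as data and never parsed as SQL ---
def by_id_safe(db, raw_id):
    try:
        article_id = int(raw_id)  # integer parameters must be integers
    except ValueError:
        return []
    return db.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchall()

def by_author_safe(db, raw_author):
    return db.execute("SELECT title FROM articles WHERE author = ?", (raw_author,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs that widen the WHERE clause when concatenated.
    print(by_id_vulnerable(db, "1 OR 1=1"))               # every row comes back
    print(by_author_vulnerable(db, "alice' OR '1'='1"))   # every row comes back
    print(by_id_safe(db, "1 OR 1=1"))                     # rejected before any query
    print(by_author_safe(db, "alice' OR '1'='1"))         # no author has that name
    print(by_author_safe(db, "o'neil"))                   # legitimate apostrophe still works
```

The hardened functions return the same rows as the vulnerable ones for ordinary input, so swapping them in does not change application behaviour for legitimate requests.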
According to Rob Rachwald, director of security for Imperva, Havij, in particular, has characteristics that make it possible for blocking tools to detect activity in real time.
"When it hits the website, it gives a certain fingerprint that says, 'Hey, I'm an attack tool,'" Rachwald says. "So you can block that traffic right there."