Investigating SQL injection threats

About this task

This procedure describes investigating a suspected SQL injection attack, using the threat diagnostic dashboard.

Procedure

  1. From the To Do list, or from Investigate > Exceptions, open the Suspected SQL injection Cases dashboard. Each line is a case, with a Confidence (%) rating of the certainty that an attack occurred, and the risk level of the attack.
  2. Click View to evaluate for false positives. Hover over the selected case id and click Symptoms to open the SQL Injection Case Symptoms page. Every suspicious action is described, and the SQL string is displayed. You can see the exact modifications the user made to the strings. By progressing from string to string, you can observe how the attacker methodically gained more data using the errors returned from previous queries.
  3. Click the id number to open the default diagnostic dashboard for SQL injection attacks, which is filtered by the incident's date and the suspected web-application connection details. This narrows the investigation to database traffic that occurred during the attack. You can change or drop the filter to broaden the scope of the investigation. Use the bottom grid to get more detailed information on the chart's data. Note that if you move to a standard dashboard, all filters specific to the suspected SQL injection attack are canceled.
  4. Use these guidelines while investigating the charts:
    • Change the timescale to look for peaks at time of the attack
    • Look for violation of any security policy, and see if any violations correlate to other activity at the time of the attack
  5. Drill down by changing the filters, the timeframe, and so on, to see whether there are differences across the system.
  6. Evaluate the charts in the dashboard:
    Activities count per time and object
    This chart contains the most used database objects in the time of the attack. By expanding the time frame of the dashboard you can compare the difference in activity before and after the attack. Click a cell if you want to filter for a particular object. The color indicates different object names.
    Error count per time and error
    This chart indicates how many SQL errors were generated by the web application. A high rate of SQL errors can indicate that some sort of SQL injection attack is taking place. The color indicates different error types.
    Outlier count per time and outlier reason
    An SQL injection attack involves a large number of new queries whose structure differs from the usual queries. Those queries generate outliers. Use this chart to see the volume and score of outliers generated by the affected web application.
    Violations count per time and violation
    During an SQL injection attack the attacker is likely to violate security policies that log access to unauthorized objects. Compare the volume and types of violations to understand the risk of the attack.
    Suspicious error types
    Use this chart to explore the specific SQL errors that SQL injection attacks rely on to exploit the vulnerability. Click a cell to filter the search and look at the SQL statement that generated this error. You may notice injected SQL code.
    Suspicious object names
    Use this chart to view the suspicious objects that are used during SQL injection attacks. Expand the time frame of the search to see whether those objects were used before the attack started. Compare the volume of usage of those objects.
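The error-count and outlier charts above rest on two signals: a burst of SQL errors, and a burst of query shapes that the web application never issued before. The following script is an added example that is not part of the product's own dashboard code; it reproduces both signals over a few constructed audit records (not real product output), bucketing by minute and flagging buckets that cross the thresholds. The record format, the `skeleton` normalization and the thresholds are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample audit records for the example: ISO timestamp, outcome, SQL text.
# The first three lines are normal application traffic; the 10:02 minute shows the
# error-then-new-shape pattern the dashboard charts are designed to surface.
SAMPLE_LOG = """\
2024-03-01T10:00:05 OK SELECT name FROM products WHERE id = 17
2024-03-01T10:00:41 OK SELECT name FROM products WHERE id = 42
2024-03-01T10:01:12 OK SELECT name, price FROM products WHERE name = 'lamp'
2024-03-01T10:02:03 ERR SELECT name FROM products WHERE id = 9'
2024-03-01T10:02:09 ERR SELECT name FROM products WHERE id = 9 UNION SELECT 1
2024-03-01T10:02:15 ERR SELECT name FROM products WHERE id = 9 UNION SELECT 1, 2
2024-03-01T10:02:22 OK SELECT name FROM products WHERE id = 9 UNION SELECT 1, 2, 3
"""

def skeleton(sql: str) -> str:
    """Reduce a statement to its structure: string and numeric literals become '?'.
    Two queries with the same skeleton differ only in data, not in shape."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted strings ('' is an escaped quote)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # integer and decimal literals
    return re.sub(r"\s+", " ", s).strip().upper()

def parse(log_text: str):
    """Split each record into (timestamp, outcome, sql)."""
    records = []
    for line in log_text.splitlines():
        ts, status, sql = line.split(" ", 2)
        records.append((datetime.fromisoformat(ts), status, sql))
    return records

def per_minute_stats(records):
    """Per minute: number of failed statements and number of query shapes first seen then."""
    seen_shapes = set()
    stats = {}
    for ts, status, sql in sorted(records, key=lambda r: r[0]):
        bucket = ts.strftime("%Y-%m-%dT%H:%M")
        entry = stats.setdefault(bucket, {"errors": 0, "new_shapes": 0})
        if status == "ERR":
            entry["errors"] += 1
        shape = skeleton(sql)
        if shape not in seen_shapes:      # structure never issued in an earlier record
            seen_shapes.add(shape)
            entry["new_shapes"] += 1
    return stats

def flag_buckets(stats, max_errors: int = 2, max_new_shapes: int = 2):
    """Minutes whose error or new-shape count reaches the (assumed) thresholds."""
    return sorted(b for b, e in stats.items()
                  if e["errors"] >= max_errors or e["new_shapes"] >= max_new_shapes)

if __name__ == "__main__":
    stats = per_minute_stats(parse(SAMPLE_LOG))
    for bucket in sorted(stats):
        print(bucket, stats[bucket])
    print("suspicious minutes:", flag_buckets(stats))
```

Raising the time window or the thresholds is the script's equivalent of changing the dashboard's timescale and filters to check whether the burst stands out against the baseline before the incident.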