DoS Attacks Using SQL Wildcards Revealed


Yesterday, Ferruh Mavituna of Portcullis released a whitepaper entitled "DoS Attacks Using SQL Wildcards", with some insightful comments on how it's possible to multiply the attack tactics discussed to the point where not even a botnet would be needed to successfully accomplish them.

Summary of the paper:

This paper discusses abusing Microsoft SQL Query wildcards to consume CPU in database servers. This can be achieved using only the search field present in most common web applications. If an application has the following properties then it is highly likely to be vulnerable to wildcard attacks:

1 - An SQL Server backend;
2 - More than 300 records in the database and around 500 bytes of data per row;
3 - An application-level search feature.

As you might notice I have just described 90% of Microsoft SQL Server based CMSs, blogs, CRMs and e-commerce web applications. Other databases could be vulnerable depending on how the applications implement search functionalities, although the common implementation of the search functionality in SQL Server back-end applications is vulnerable.

The paper also outlines various mitigation strategies such as whitelisting, CAPTCHA security, limiting SQL query execution time, preventing application-level DoS, and CSRF protections. Informative reading; however, from a pragmatic perspective, malicious parties are naturally more interested in abusing the vulnerable databases than in shutting them down. An insecure and easy-to-extract database with credit card numbers is worth more than the same insecure and easy-to-extract database with credit card numbers that's offline.
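As an added illustration (not code from the paper or from this post), the following Python search handler applies two of the mitigations listed above to a SQL Server LIKE search: user-supplied wildcard characters are escaped so they match literally, and the query is bounded by a length cap, a row limit and a driver-level execution timeout. The table and column names, the 64-character cap and the 5-second timeout are assumptions.

```python
import re
from typing import Optional, Tuple

# SQL Server LIKE treats %, _, [ and ] as pattern metacharacters; the escape
# character itself must also be escaped. Assumption: the query uses ESCAPE '\'.
_LIKE_META = re.compile(r"([%_\[\]\\])")

MAX_SEARCH_LEN = 64      # assumed application policy for a search term
QUERY_TIMEOUT_SECONDS = 5  # assumed bound on execution time (e.g. pyodbc Connection.timeout)


def escape_like(term: str, escape: str = "\\") -> str:
    """Prefix every LIKE metacharacter so the user's text is matched literally."""
    return _LIKE_META.sub(lambda m: escape + m.group(1), term)


def normalise_search_term(raw: str) -> Optional[str]:
    """Trim, reject control characters and enforce the length cap; None means reject."""
    term = raw.strip()
    if not term or len(term) > MAX_SEARCH_LEN:
        return None
    if any(ord(c) < 0x20 for c in term):
        return None
    return term


def build_search(raw: str) -> Optional[Tuple[str, Tuple[str], int]]:
    """Return (sql, params, timeout) for a bounded, parameterised LIKE search,
    or None if the input was rejected. Assumed table/columns: products(id, title)."""
    term = normalise_search_term(raw)
    if term is None:
        return None
    # Only the application adds the leading/trailing %; user wildcards are escaped.
    pattern = "%" + escape_like(term) + "%"
    sql = ("SELECT TOP (50) id, title FROM products "
           "WHERE title LIKE ? ESCAPE '\\' ORDER BY id")
    return sql, (pattern,), QUERY_TIMEOUT_SECONDS


if __name__ == "__main__":
    # Constructed sample input: a term that contains LIKE metacharacters.
    print(build_search("50% off [clearance]"))
```

With pyodbc, the returned timeout is applied by setting `connection.timeout` before `cursor.execute(sql, params)`.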


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.
