Concrete example of pre-exploration web attack in 2022

Blog  — Wed 19 Oct 2022

It is estimated that 60% of all web traffic on the internet involves bots, or robots if you will. Some are friendly, others are malicious. Examples of friendly bots include the crawlers of well-known major search engines, which visit your website in order to include it in their search results. In this article, however, we will show you an example of a malicious bot.

This time we highlight an example that specifically targeted web software, to show you what happens on a daily basis, often out of sight of website or webshop owners. Forendox caught this attempt "in the wild" in recent days.

This is a kind of preliminary exploration that is not too common, and it uses the so-called referer header. Referer should actually have been spelled "referrer", but this misspelling made it into the standards and has been in use worldwide for decades. That doesn't matter for how it works, though. What matters is that the referer is a piece of data that tells a website where a visitor came from.

To explain that briefly: suppose you are at www.overheid.nl and click on a link to www.werkenbijdeoverheid.nl. The first website, where you clicked the link, is then passed along as the referer ('www.overheid.nl'), so that the second website knows where you came from.

There are a lot of ifs and buts to this for surfing visitors, such as enhanced privacy capabilities and privacy-friendly settings. For this example, those are irrelevant, because this bot abuses the referer header itself, without you getting involved.

The preliminary exploration

What was entered as a referer by the bot during this malicious pre-exploration is the following text:

0'XOR(if(now()=sysdate(),sleep(7),0))XOR'Z

That looks pretty nonsensical to most people. Yet it isn't. Whoever sent it is trying something.

The piece of text above arrives via the referer header at, say, your website. Your website may be collecting statistics, in which case it stores the referer. And while it is being stored, things might go wrong.

This text tests whether the website is susceptible to a weakness called SQL injection. SQL injection is a type of attack in which database commands are abused in order to perform actions that were not intended to happen. If the website is susceptible, then this referer is not just a strange text; it suddenly becomes a computer instruction.

The instruction is short but powerful; it asks the website to wait 7 seconds. This allows the malicious robot that tried this to learn something. If the website answers within 7 seconds, which is common, then the bot learns that this website is not susceptible to SQL injection. But if the response takes 7 seconds or longer, then chances are that this website is indeed vulnerable to SQL injection.
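From the defender's side, a probe like this is visible in the web server's access log. The following is an added example, not Forendox's own code: it assumes logs in the Apache/nginx "combined" format, uses constructed log lines, and the function names and the list of delay functions are illustrative choices.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"$'
)
# Time-delay primitives used by blind SQL injection probes (MySQL, PostgreSQL, MSSQL).
DELAY = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

# Constructed sample log lines; the second carries the referer value quoted in the article.
SAMPLE = """\
198.51.100.4 - - [19/Oct/2022:10:00:01 +0200] "GET /werken HTTP/1.1" 200 5120 "https://www.overheid.nl/" "Mozilla/5.0"
203.0.113.9 - - [19/Oct/2022:10:00:02 +0200] "GET / HTTP/1.1" 200 5120 "0'XOR(if(now()=sysdate(),sleep(7),0))XOR'Z" "Mozilla/5.0"
198.51.100.4 - - [19/Oct/2022:10:00:09 +0200] "GET /shop HTTP/1.1" 200 310 "-" "Mozilla/5.0"
""".splitlines()


def is_plausible_referer(value):
    """A genuine Referer is absent ("-" or empty) or an http(s) URL with a host."""
    if value in ("", "-"):
        return True
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. unbalanced brackets in the host part
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(line):
    """Return 'unparsed', 'ok', 'malformed-referer' or 'sqli-timing-probe'."""
    m = COMBINED.match(line)
    if not m:
        return "unparsed"
    referer = m.group("referer")
    if DELAY.search(referer):
        return "sqli-timing-probe"
    return "ok" if is_plausible_referer(referer) else "malformed-referer"


def flagged(lines):
    """Return (client_ip, verdict) for every line that is not 'ok'."""
    verdicts = ((COMBINED.match(l), classify(l)) for l in lines)
    return [(m.group("ip") if m else None, v) for m, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for ip, verdict in flagged(SAMPLE):
        print(ip, verdict)
```

A match is a triage signal only: it shows that someone probed, not whether the site is vulnerable. The fix on the storing side is to pass the referer to the database as a bound parameter rather than building it into the query text.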

The consequences

A next step may be for this bot to note your website on a list, if it was found to be vulnerable. Later, an attack will then be considered that really exploits the SQL injection in a big way. With more instructions, the criminals behind this malicious bot may be able to steal some or all of the data from your website.

SQL injection is a weakness that fortunately is slowly becoming less common. It has been around for 20 years. Good modern software no longer suffers from it. Yet even in 2022, 1,162 new vulnerabilities that enable SQL injection have been found in software. So not every developer is aware of it. Also, this weakness is in OWASP's top 10 every year because there is still a lot of software in circulation that is susceptible to it.

The solution

Forendox's solutions detect and protect against SQL injection, as well as many other attack vectors. Too often, there is little or no visibility into digital services. Actively monitoring, detecting and warding off problems is a must, as are the timely application of updates and the periodic mapping of attack vectors. Please feel free to contact us to further discuss this topic together.