Hacking is Child's Play: How My 3 Year Old Performed a SQL Injection w/ Havij

By Troy Hunt · Oct. 16, 12 · Interview

You know what really strikes me about a lot of the hacks we’ve seen lately? It just seems too easy. I mean we’re seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don’t mean that in a relative sense to myself as I get older, I mean literally a child.

The problem, of course, is that many of these “hacks” have become simple point and shoot affairs using freely available tools. In the case of SQL injection, tools such as Havij mean that even if you don’t know your indexes from your collations or your UDFs from your DMVs, so long as you can copy and paste a URL you can be an instant “hacker”.

In fact I reckon it’s so easy that even my 3 year old can be a successful hacker. Turns out that’s not too far from the truth:

See how easy it is? Let’s move on and let me give you some more context around the ease and prevalence of these attacks. Firstly, remember that injection remains in the number one spot in the OWASP Top 10. What makes SQLi particularly dangerous is that it’s classified as both “easy” to exploit (which I think we can now all agree on) and with an impact of “severe”.

How severe? As in the example above, SQLi can readily be used to access stored credentials in a vulnerable site and even though these were salted and hashed, they’ll easily fall victim to a brute force attack. Last year it was SQLi which brought down Sony Pictures and it was also allegedly SQLi that was behind this year’s LinkedIn breach. It is very, very prevalent.

A quick look through YouTube and you’ll see tutorials such as SQL Injecting With Havij which is notable not for its content, but rather for its presenter. As well as the guy sounding like he’s about 15 years old, it’s also clear he has very little idea of what a SQL database is or even how Havij actually works. This isn’t a criticism of the kid per se, it’s simply an observation about how accessible tools like Havij are. YouTube is littered with similar examples.

Now keep in mind that Havij is a tool that “helps penetration testers” and indeed ITSecTeam who makes the product is a legitimate security firm. But – and this is a big “but” – do a quick search on YouTube and you won’t find too many videos from penetration testers nor will you find many comments from people with a vocab broader than Ari’s. No, these are kids just looking to smash and grab whatever they can from vulnerable websites.

Of course Havij isn’t the only tool of this kind; products like sqlmap are also extremely popular and in this case, also open source. Unlike Havij it’s purely command-line based (probably a bit trickier for a 3 year old who can’t read yet), and also unlike Havij the audience commentating on it via YouTube and other forums is a little more, well, mature.

It’s interesting to look at the modus operandi of how these tools are being used. In this video about How To Use Havij we’re first shown how to unlock the Pro version with a cracked key then how the author has a list of “Dorks” – clearly Google Dorks – with potentially vulnerable URL patterns. This amounts to nothing more than URLs with a query string called “ID”. These guys are simply trawling the internet, pointing Havij at potentially vulnerable URLs and giving it a shot. When it doesn’t work they’ll just move onto the next one.

And that’s the final bit of insight I’ll leave you with; being a target doesn’t mean being a large multinational or supporting a cause that doesn’t sit well with hacktivists nor does it mean presenting some sort of financial upside to those who can break through your security. No, being a target means being on the internet. End of story.

For those looking to protect their applications from SQLi, take a look at the first part of my series on the OWASP Top 10 for .NET developers: Injection.
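
To make the "query string called ID" pattern concrete from the defender's side, here is an added example (not code from the original article or the linked series) of the same lookup written with string concatenation and with a bound parameter. The table, the rows and the `shop.example` URLs are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget'), (3, 'Gizmo');
    """)
    return db

def id_from_url(url):
    """Return the raw, URL-decoded value of the 'id' query-string parameter."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def lookup_concatenated(db, url):
    """Vulnerable: the parameter is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = " + id_from_url(url)
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, url):
    """Hardened: check the type first, then bind the value so it stays data."""
    raw = id_from_url(url)
    if not raw.isdecimal() or len(raw) > 9:
        return []  # anything other than a short plain integer is rejected
    return [row[0] for row in db.execute(
        "SELECT name FROM products WHERE id = ?", (int(raw),))]

# Constructed requests: a normal one, and one whose id value carries a tautology.
NORMAL = "https://shop.example/product?id=2"
TAMPERED = "https://shop.example/product?id=2%20OR%201=1"

if __name__ == "__main__":
    db = make_db()
    for url in (NORMAL, TAMPERED):
        print(url)
        print("  concatenated :", lookup_concatenated(db, url))
        print("  parameterized:", lookup_parameterized(db, url))
```

With the concatenated query the tampered request returns every row in the table; with the bound parameter it returns nothing, because the value never reaches the SQL parser as code.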

Published at DZone with permission of Troy Hunt, DZone MVB. See the original article here.
