The Truth About "Cyber Security": SQL Injection Attacks


We live in the golden age of data. Some companies analyze it to improve themselves, some trade it for profit, and none give it up freely because of its value - to their business and to criminals alike.

SQL (Structured Query Language) is a very popular way of communicating with databases. While many new databases use non-SQL syntax, most are still compatible with SQL. This makes SQL a handy tool for anyone who wants to access data, whatever their motivation.

SQL injection (or SQLi) attacks have been around for almost 20 years, and Imperva's Web Application Firewall (WAF) still sees them constantly. So we have a wealth of data and experience to share. In this post, we'll share the latest statistics and graphs from thousands of websites protected by Imperva, as well as examples of attacks and ways to protect against them.

Common attacks on SQL-based applications

SQL Injection is a code injection technique used to attack applications. Attackers can use tools, scripts or even browsers to insert SQL statements into application fields. These statements are then executed by the database engine. Such attacks are often used to:

  1. Spoof identity
  2. Tamper with existing data
  3. Steal data
  4. Destroy data
  5. Change database permissions

The data behind the application is often mission critical, which is why SQL injection attacks are considered very serious.
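As an added illustration of the mechanism just described (this is not code from the original post), the following Python snippet builds a constructed in-memory SQLite table and contrasts a login query assembled by string concatenation with the same query using bound parameters; the user names and passwords are made up for the demo:

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed sample data: two accounts, one of them an administrator.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

def login_vulnerable(conn, username, password):
    # Concatenation: attacker-controlled text becomes part of the SQL statement,
    # so the database engine executes whatever the input spells out.
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    # Bound parameters: the driver passes values separately from the statement,
    # so input can never change the query's structure.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    conn = build_db()
    # Textbook payload: the '--' comments out the password check (identity spoofing).
    spoof_user = "alice' --"
    return {
        "vulnerable": login_vulnerable(conn, spoof_user, "wrong"),     # admin row, no password
        "parameterized": login_parameterized(conn, spoof_user, "wrong"),  # no match
        "legit": login_parameterized(conn, "alice", "s3cret"),          # normal login still works
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version is the fix the rest of this post's statistics argue for: a WAF can filter known payloads, but only the query itself can guarantee that input is treated as data.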

Statistics from Imperva WAF

Imperva's WAF mitigates millions of SQL injection attacks every day on the websites we protect. At least 80% of the websites we protect are attacked every month, and hundreds of them face SQLi attacks every day.

Below you can find statistics on the countries, industries and tools used in the attacks we monitor.

Website industry distribution - Since BakerHostetler's 2018 Cybersecurity Report states that it was the industry with the most data breaches, it is interesting, though not surprising, that the most attacked industry is the health industry.

Not shown are the most attacked databases (in decreasing order): Oracle, MySQL, and MongoDB. Meanwhile, the most attacked platforms were WordPress, Drupal, Joomla, and Quest.

Country/region of attacked sites and source of attack - It is not surprising to see that hackers tend to target sites within their own country. Of course, it is possible that the opposite is true: these results may reflect hackers using VPNs/proxies with endpoints in the countries they are attacking in order to evade geo-blocking.

SQLi public exploits are heavily used on a daily basis. For example, CVE-2017-8917 and CVE-2015-7858 are both public Joomla SQLi vulnerabilities that appear in the 66,000 events we monitored.

Top Vulnerability Scanners - Since we count events rather than requests, the number of payloads generated by each scanner has no impact. Despite the success of SQLi Dumper, the Joomla scanner is not far behind.

We monitor tens of thousands of offensive IPs every month and use attack analytics to find malicious IPs and guard against them. We gathered some interesting statistics by analyzing attack IPs over the past few months:

IPs attempting SQLi attacks day in and day out. Blue: of the IPs that attempted SQLi attacks on a given day, the percentage that also attempted SQLi attacks on consecutive days. Orange: the percentage of all SQLi requests that were sent by these recurring attacking IPs.

Curiously, their requests make up more than 80% of SQLi requests (orange line), even though they account for less than a third of the attacking IPs per day on average (blue line). This may be due to the use of various vulnerability scanners. These tools tend to bombard targets while probing for vulnerabilities, which explains the high request-to-IP ratio.

Top attack tools - cURL is very versatile and widely used, so it is no surprise that it occupies such a prominent place. However, a deeper analysis revealed that most of the suspicious requests sent with cURL were actually post-attack checks, i.e. hackers who were blocked and then used cURL to test whether they could still access the site. cURL is followed by Python - the weapon of choice for hackers - and Ruby - the language Metasploit is written in.
