MITRE ATT&CK® Tool

S0224: Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [1]

Domain: Enterprise · ID: S0224 · Type: Tool · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Havij matters because it packages SQL injection activity into an automated tool that can be used by both legitimate penetration testers and adversaries. For leaders, the practical issue is not the tool name itself, but whether Internet-facing applications and SQL-backed services can withstand automated probing and exploitation attempts, and whether the organization can prove that web application logging, vulnerability remediation, and incident response processes would catch and contain this behavior.

Executive priority

Treat this as a public-facing application risk and evidence question: which business-critical web applications are exposed, how quickly are SQL injection weaknesses and misconfigurations found and fixed, and can the SOC distinguish authorized testing from suspicious automated activity? Because ATT&CK links Havij to Exploit Public-Facing Application for initial access, this should inform vulnerability management priorities, application security assurance, compliance evidence for secure development and monitoring, and incident decision-making around exposed systems.

Technical view

ATT&CK provides no official detection text, platforms, or tactics for Havij itself, but it does identify the tool as an automatic SQL injection tool and relates it to T1190 Exploit Public-Facing Application. SOC and IR teams should validate visibility around Internet-facing web applications, database-facing application behavior, and authorized penetration testing windows. Detection engineering should focus on evidence of automated SQL injection attempts against public-facing services while avoiding simplistic blocking on a tool name, since the object description supports use by both penetration testers and adversaries.

Likely telemetry

  • Web server and reverse proxy access logs for Internet-facing applications
  • Web application firewall or application security gateway events, if deployed
  • Application error logs showing database query failures or input handling exceptions
  • Database logs and authentication/query audit records where available
  • Network security telemetry for inbound requests to public-facing services

Detection direction

  • Validate that logging exists for public-facing applications most likely to expose SQL-backed functionality.
  • Tune detections for patterns of automated SQL injection probing and unusual request volume, while accounting for authorized penetration tests because Havij is described as used by penetration testers and adversaries.
  • Correlate web request telemetry with application errors, database anomalies, and source context rather than relying on a single signature or tool label.
  • Use the relationship to T1190 to prioritize detections around initial access attempts against Internet-facing hosts, applications, and services.
  • Check blind spots in unmanaged web applications, legacy sites, externally hosted applications, and cloud or IaaS-exposed services where central SOC telemetry may be incomplete.
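The detection direction above, worked through as an added example (not code from MITRE, Glexia or the Havij tool): parse web server access logs, score each request on generic SQL injection indicators in the decoded query string, profile each source by number of suspicious requests, distinct indicator categories, burst rate and 5xx responses, and classify pre-authorized test sources separately so an agreed penetration test does not raise an incident. The log lines are constructed (RFC 5737 documentation addresses), and the indicator regexes, thresholds and the source-address allowlist are assumptions to be tuned against your own traffic; nothing here is a signature for Havij specifically.

```python
"""Flag automated SQL injection probing in web access logs.

Added example for this page, not MITRE's or Glexia's code. The log lines are
constructed, and the indicator regexes, thresholds and authorized-tester
allowlist are assumptions to be tuned locally.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample in the Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:10:00:01 +0000] "GET /products.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:02 +0000] "GET /products.php?id=12%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:02 +0000] "GET /products.php?id=12%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:03 +0000] "GET /products.php?id=12%20AND%201%3D2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:03 +0000] "GET /products.php?id=12%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:04 +0000] "GET /products.php?id=12%20UNION%20SELECT%20null,null,null-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2025:10:00:04 +0000] "GET /products.php?id=12%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [14/May/2025:10:00:05 +0000] "GET /products.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [14/May/2025:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

# Assumed convention: pre-authorized test sources are allowlisted by address
# (a tagged User-Agent or custom header would serve the same purpose).
AUTHORIZED_TEST_SOURCES = {"192.0.2.44"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Generic SQL injection indicators applied to the URL-decoded query string.
# Illustrative and assumed; weight and extend them for your own applications.
SQLI_INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I),
    "boolean_probe": re.compile(r"\b(?:and|or)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "comment_terminator": re.compile(r"--|/\*|#"),
    "quote_probe": re.compile(r"['\"]"),
}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    _, _, query = rec["target"].partition("?")
    rec["query"] = unquote_plus(query)  # decode before matching, as the app would
    return rec


def sqli_indicators(query):
    """Names of the indicator categories that match the decoded query string."""
    return {name for name, rx in SQLI_INDICATORS.items() if rx.search(query)}


def profile_sources(log_text):
    """Aggregate suspicious activity per source address."""
    profiles = defaultdict(lambda: {"requests": 0, "suspicious": 0, "server_errors": 0,
                                    "indicators": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["src"]]
        p["requests"] += 1
        hits = sqli_indicators(rec["query"])
        if not hits:
            continue
        p["suspicious"] += 1
        p["indicators"] |= hits
        if rec["status"] >= 500:  # 5xx on a probe often means the query broke
            p["server_errors"] += 1
        p["first"] = rec["ts"] if p["first"] is None else min(p["first"], rec["ts"])
        p["last"] = rec["ts"] if p["last"] is None else max(p["last"], rec["ts"])
    return dict(profiles)


def classify(log_text, min_suspicious=3, min_categories=2, burst_rps=1.0,
             authorized=AUTHORIZED_TEST_SOURCES):
    """Map each source to 'benign', 'authorized_test', 'sqli_attempt' or
    'automated_sqli'. Thresholds are assumed starting points, not tuned values."""
    verdicts = {}
    for src, p in profile_sources(log_text).items():
        if p["suspicious"] == 0:
            verdicts[src] = "benign"
            continue
        if src in authorized:
            verdicts[src] = "authorized_test"
            continue
        span = max((p["last"] - p["first"]).total_seconds(), 1.0)
        rate = p["suspicious"] / span
        automated = (p["suspicious"] >= min_suspicious
                     and len(p["indicators"]) >= min_categories
                     and (rate >= burst_rps or p["server_errors"] > 0))
        verdicts[src] = "automated_sqli" if automated else "sqli_attempt"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:15} {verdict:16} {profile_sources(SAMPLE_LOG)[src]['indicators']}")
```

Run against real logs by feeding `classify()` the file contents. The verdict for 198.51.100.7 comes from the combination the page recommends (several indicator categories, a burst of requests, server errors on the probes), not from a single pattern; 192.0.2.44 sends a textbook tautology but is reported as authorized testing because it is on the allowlist, which is exactly the confusion the pre-authorization process is meant to remove.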

Mitigation priorities

  • Inventory Internet-facing applications and identify those with SQL-backed functionality or database access paths.
  • Prioritize remediation of SQL injection weaknesses and related public-facing application misconfigurations through vulnerability management and application security programs.
  • Ensure secure development, input validation, and testing practices are evidenced for business-critical applications.
  • Maintain monitoring on public-facing application tiers and preserve logs needed for incident response.
  • Create a process to pre-authorize and tag penetration testing activity so automated SQL injection testing does not create unnecessary incident confusion.
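
The remediation and secure development items above, shown as an added example (not code from MITRE, Glexia or the Havij tool): the weakness an automated SQL injection tool probes for is untrusted input spliced into query text, and the fix that closes it is bound parameters plus input validation. The in-memory SQLite table, its rows and the payload strings are constructed for illustration; they are generic textbook inputs, not Havij's own payloads.

```python
"""Why automated SQL injection succeeds, and the fix that removes the weakness.

Added example for this page, not code from MITRE, Glexia or the Havij tool.
Uses an in-memory SQLite table with constructed rows; the lookup functions
and payload strings are illustrative.
"""
import sqlite3


def build_demo_db():
    """Constructed sample data standing in for a product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(12, "Widget", 9.99), (13, "Gadget", 19.99), (14, "Gizmo", 29.99)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text.
    This is the weakness class an automated tool probes for and exploits."""
    sql = f"SELECT id, name, price FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Bound parameter: the input is data and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (raw_id,)
    ).fetchall()


def lookup_hardened(conn, raw_id):
    """Parameterization plus input validation: reject anything that is not an
    integer before it reaches the database, which also gives the application
    a clean error to log instead of a database exception."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("product id must be an integer") from None
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_vulnerable(db, "12"))                                    # one row
    print(lookup_vulnerable(db, "12 OR 1=1"))                             # every row leaks
    print(lookup_vulnerable(db, "0 UNION SELECT 1, sqlite_version(), 0"))  # attacker-chosen columns
    print(lookup_parameterized(db, "12 OR 1=1"))                          # no row matches the literal string
    print(lookup_hardened(db, "12"))                                      # one row
```

The tautology and UNION inputs are the two behaviours an automated tool iterates over until one changes the response; against `lookup_parameterized` the same strings are compared as a literal value and match nothing, and `lookup_hardened` rejects them before any query runs. Evidence for an application security program is the absence of `lookup_vulnerable`-style string building in the code base, checked by review or static analysis, rather than a filter in front of it.
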

Analyst notes and limits

The supplied ATT&CK object is a tool entry, not a full technique definition. The strongest relationship-driven context is that Havij uses T1190 Exploit Public-Facing Application, and the official description identifies it as an automatic SQL injection tool. Ajax Security Team is listed as a group that uses this object, but this take avoids inferring current activity or broad attribution beyond the supplied relationship.

Official detection, platforms, tactics, aliases, and labels are not provided for Havij. Local conclusions require the organization’s own asset inventory, application architecture, logging coverage, penetration testing records, and vulnerability data. The supplied relationship context does not establish current exploitation, customer exposure, or guaranteed detection methods.

Official MITRE ATT&CK definition

Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1190 | Exploit Public-Facing Application | Havij is used to automate SQL injection. [1] (Check Point Havij Analysis)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0130: Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in this snapshot)
Modified: (not present in this snapshot)
Raw hash: eed0cb8c93fc589f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | eed0cb8c93fc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Check Point. Retrieved March 19, 2018.
  2. [2] MITRE ATT&CK. S0224: Havij (mitre-attack source object).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.