Non-software SQL injection protection

I agree that proper input validation is the only “flawless” way to prevent SQL Injection, but adding it to existing applications requires modifying a lot of code, and a poorly designed application may require restructuring.

There is academic interest in automatic SQL Injection prevention mechanisms (I will not list them here; I did a literature review and saw at least 20), but I did not see anything that was actually implemented.

Does anyone know of any framework that is actually used outside the academic environment, whether signature-based, anomaly-based, or otherwise?

Edit: I am looking for something that does not change the code base.

+4
4 answers

The company I work with uses the Barracuda Web Application Firewall, which is what you are talking about. From what I have seen, it works quite well. Basically, if it detects suspicious input, it redirects the user to a page of our choice. This lets you place a layer between the Internet and your applications and does not require any code changes.

However, it is a bad idea not to protect your applications.

+8

If you are not going to change your code, you can only intercept queries. Since there is no such thing as a good or bad SQL command, you are quite limited in what you can configure, but you can try to reject multiple statements sent in a single string. In other words:

LEGAL

```sql
SELECT * FROM foo WHERE bar='baz';
```

ILLEGAL

```sql
-- three statements stacked in one string
SELECT * FROM foo WHERE bar=''; DELETE FROM foo; SELECT 'baz';
```

Since almost every injection requires several statements in one query, and provided that your application does not need this feature, you can just get away with it. It probably won’t catch every type of attack (there is a lot of damage you can do with subqueries and functions), but it’s probably better than nothing.

+3
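The "reject more than one statement per string" rule from the answer above, as an added example that is not the answerer's code or that of any WAF or database product. It counts top-level statements while skipping semicolons inside quoted strings, quoted identifiers and comments, so a legitimate `bar='a;b'` is not rejected; a single statement containing a subquery still passes, which is exactly the limitation the answer mentions.

```python
# Constructed illustration of a stacked-statement filter for intercepted SQL.

def count_statements(sql: str) -> int:
    """Count top-level statements; semicolons inside quoted strings,
    double-quoted identifiers and -- or /* */ comments do not count."""
    count = 0
    seen_text = False  # non-blank SQL seen since the last separator
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            # skip the quoted region; a doubled quote ('') is an escaped quote
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2
                        continue
                    break
                j += 1
            i, seen_text = j + 1, True
            continue
        if sql.startswith("--", i):      # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
            continue
        if sql.startswith("/*", i):      # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        if c == ";":
            if seen_text:
                count += 1
            seen_text = False
        elif not c.isspace():
            seen_text = True
        i += 1
    return count + (1 if seen_text else 0)


def is_single_statement(sql: str) -> bool:
    """The answer's rule: let the query through only if it is one statement."""
    return count_statements(sql) == 1
```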

The only way to leave the code unaffected when fixing vulnerabilities like SQL Injection is to use a web application firewall, such as the open source project mod_security. Oracle recently released a database firewall that filters nasty queries. This approach is better suited to solving the SQL Injection problem, but that is all it can solve.

WAFs are very useful and free; if you do not believe me, put it to the test.

A WAF is just one layer. You should also test the application* under it. This is a defense-in-depth approach.

* This is a service that I sell with a limited free offer.

+1

The default behavior of PreparedStatements in Java, where you pass each parameter, makes it mostly reliable because the framework escapes the input for you. It does not stop you from doing something like

```sql
exec spDoStuff <var>
```

where spDoStuff does:

```sql
exec (<var>)
```

But if you use regular queries, this is very effective. I don’t know if you consider it to be non-software, but the developer does not need to write code to handle input validation.

Like this:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// sample values; in practice these come from the request
int id = 42;
String desc = "some description";

// try-with-resources closes rs, ps and conn in reverse order
try (Connection conn = dataSource.getConnection();
     // the driver binds the ? placeholders, so the values are never spliced into the SQL text
     PreparedStatement ps = conn.prepareStatement(
             "SELECT * FROM table1 t1 WHERE t1.id = ? AND t1.description = ?")) {
    // or conn.prepareStatement("EXEC spMyProcedure ?, ?");
    ps.setInt(1, id);
    ps.setString(2, desc);
    try (ResultSet rs = ps.executeQuery()) {
        while (rs.next()) {
            // ... read the columns with rs.getInt(...), rs.getString(...)
        }
    }
}
```

+1

Source: https://habr.com/ru/post/1339447/
