We all know that it is almost impossible to create a large website without one or two flaws. So I wrote a small monitor that checks Apache access logs for potential SQL injection attacks (among other things), and it works very well. I get a warning when someone tries to attack, and I had so few false positives that the default action is now to add them to an iptables drop list. It even helped me identify and remove a few (unsafe) bugs.
Here are my rules (case insensitive):
PathInjection = \./\.\./(bin|boot|data|dev|etc|home|lib|lib64|media|mnt|opt|proc|root|sbin|selinux|srv|sys|tmp|usr|var)/
Havij = 0x31303235343830303536
r3dm0v3 = 0x7233646D3076335F68766A5F696E6A656374696F6E
LogicBypass = '.*?(\bor|\band|\bxor|\|\||\&\&).*?--
UnionSelect = union[^a-z_]+((all|distinct)[^a-z_]+)?select[^a-z_]
What I would like to know is: how would you get around these checks and still achieve a working injection? Can you come up with a way to improve them without introducing false positives?
A few notes:
- Case sensitivity is disabled.
- I am using MySQL.
- The Havij and r3dm0v3 entries are used as an exception to prevent the use of these automation tools.
- I check both the raw and the urldecoded strings.
- I am not looking for answers like "make more secure code."
- I'm not looking for another way to do this, just a way to improve my current logic.
EDIT:
OK, so people seem to be misunderstanding my intention. This is probably my fault, as I have not fully explained. This was requested as an included feature for a monitoring product and is intended as minimal security monitoring. As part of our dialogue with the client and in our documentation, we emphasize that this is not foolproof and does not replace a proper security infrastructure (for example, an IDS and a firewall). It is simply an information service that helps detect major threats and compiles statistics on the number of potential attacks. I am not trying to write an IDS or a firewall. If it were up to me, I would leave this feature out and ask them to install a complete security infrastructure alongside their monitoring systems, but this is not my call. The current situation is that I have tested the system on my own site. Right now, I'm just looking for ways to improve the regex strings to make this more effective. Hope this makes things a bit clearer.
security sql php regex sql-injection
Polynomial
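To make the rules above concrete from the defender's side, here is an added example (not code from the original question) that applies the five rules to Apache combined-format log lines the way the notes describe: case-insensitive, on both the raw request target and its URL-decoded forms. The log lines, IP addresses and file names are constructed for the example. One assumption: the question's UnionSelect class `[^az-_]` is an invalid range in Python's `re`, so the example uses `[^a-z_]` (no letter or underscore) as the intended meaning. Decoding is repeated until the string stops changing, so a target that was encoded more than once is still checked in its decoded form.

```python
import re
from urllib.parse import unquote

# The question's rules, compiled case-insensitively. UnionSelect uses
# [^a-z_] (assumed intent); the page's [^az-_] is rejected by re.compile.
RULES = {
    "PathInjection": r"\./\.\./(bin|boot|data|dev|etc|home|lib|lib64|media|mnt"
                     r"|opt|proc|root|sbin|selinux|srv|sys|tmp|usr|var)/",
    "Havij": r"0x31303235343830303536",
    "r3dm0v3": r"0x7233646D3076335F68766A5F696E6A656374696F6E",
    "LogicBypass": r"'.*?(\bor|\band|\bxor|\|\||\&\&).*?--",
    "UnionSelect": r"union[^a-z_]+((all|distinct)[^a-z_]+)?select[^a-z_]",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Apache combined log format: only the client IP and request target are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def decode_variants(s, max_rounds=3):
    """Return the raw string followed by successive URL-decodings until stable."""
    variants = [s]
    cur = s
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        variants.append(nxt)
        cur = nxt
    return variants


def match_rules(target):
    """Names of every rule that fires on the raw or any decoded form of target."""
    hits = set()
    for variant in decode_variants(target):
        for name, rx in COMPILED.items():
            if rx.search(variant):
                hits.add(name)
    return sorted(hits)


def scan_log(lines):
    """Return (ip, target, [rule names]) for each parsable line that fires a rule."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the monitor
        hits = match_rules(m.group("target"))
        if hits:
            results.append((m.group("ip"), m.group("target"), hits))
    return results


# Constructed sample log lines (documentation-range IPs, made-up requests).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%201,2,3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 404 200 "-" "curl/7.0"',
    '203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /login.php?user=admin%27%20or%201%3D1--%20 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(hits)} {target}")
```

Running the block reports one hit per suspicious line (UnionSelect, PathInjection, LogicBypass) and nothing for the benign request or the unparsable line. Keeping the rule set in a dict keyed by name is what lets the monitor report which rule fired, which is the first thing to look at when triaging a false positive.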