
We all know it is nearly impossible to produce a large website without one or two flaws. As such, I've written a small monitor that checks Apache access logs for potential SQL injection attacks (amongst other things), and it's working very well. I get an alert whenever someone attempts an attack, and I've had so few false positives that the default action is now to dump them into an iptables drop list. It's even helped me identify a few (non-security) bugs and remove them.

Here are my rules (case insensitive):

PathInjection = \./\.\./(bin|boot|data|dev|etc|home|lib|lib64|media|mnt|opt|proc|root|sbin|selinux|srv|sys|tmp|usr|var)/

Havij = 0x31303235343830303536

r3dm0v3 = 0x7233646D3076335F68766A5F696E6A656374696F6E

LogicBypass = '.*?(\bor|\band|\bxor|\|\||\&\&).*?--

UnionSelect = union[^a-z-_]+((all|distinct)[^a-z-_]+)?select[^a-z-_]

What I'd like to know is, how would you bypass these checks and still produce a valid injection? Can you think of a way to improve them without introducing false positives?



A few notes:

  • Case sensitivity is switched off.
  • I'm using MySQL.
  • The Havij and r3dm0v3 entries are used as a catch-all to prevent use of those automation tools.
  • I'm checking both raw and urldecoded strings.
  • I'm not looking for answers like "make more secure code instead".
  • I'm not looking for a different way to do this, just a way to improve my current logic.

EDIT:
Ok, so people seem to have misunderstood my intent. That's probably my fault, since I didn't fully explain. This is being requested as a tacked-on feature to a monitoring product, and is designed to offer minimal security monitoring. As part of our dialog with the client and our documentation, we're emphasising that this is not a catch-all, nor is it a replacement for proper security infrastructure (e.g. an IDS and firewall). It's simply an informational service to help provide basic threat detection and produce statistics about the number of potential attacks. I'm not trying to write an IDS or firewall. If it were up to me, I'd leave the feature out and tell them to go install a full suite of security infrastructure with its own monitoring systems, but this isn't my call. The current situation is that I've been testing the system on my own site. Right now, I'm just looking for a way to improve the regex strings to make this more effective. Hopefully this clears things up a little.


Edit again, in June 2021.

I posted this question back in 2011. Back when I wrote it I was a junior developer with an interest in security but lacking experience. Since then I've switched careers to security, worked as a pentester for 5 years, and a security researcher for another two. I'm also one of the top reputation users on Security StackExchange.

The answers given here are mostly correct - there's far more value in deploying something like ModSecurity with appropriate rules, since they've already done the work. A tacked on homebrew solution is not going to compare to a project with almost two decades of maturity.

The one major caveat, though, is that I was not making the decisions. Junior developers usually have neither the privilege nor latitude to veto product decisions made by management, especially those made at the request of a customer. One can certainly explain why an idea is bad, and provide supporting material, but that often doesn't translate into changed decisions. Being able to refuse a task from your employer without consequence is an unusual privilege - the concept is a complete fantasy in the context of most employment.

My advice for folks who respond to these types of questions is this: explain why it is ill-advised, but be sympathetic and helpful to those who are in a difficult position. Actually answer the question, wherever possible, so that a best-effort solution can be implemented if all else fails. In the context of security features, it's also worth considering that if the alternative is no protection or detection at all - even if that alternative is artificially being imposed by external actors - a weak capability is almost always better than no capability at all.

I don't remember what I ended up implementing for this. It was so long ago. But if you're here now, looking for answers, I recommend using ModSecurity. They now have connectors for Apache, nginx, and IIS, so you can install it on any of those web servers. If changing the server configuration is problematic, you could instead run nginx as a reverse proxy with ModSecurity enabled, so that users hit the nginx server and it proxies the requests to your actual web server. This can also be done with Apache instead.

If you're looking for a more programmatic approach, ModSecurity has language bindings for C, C++, and Python. The ModSecurity API can also be consumed via any language that has interoperability support for C APIs (e.g. P/Invoke in .NET, or JNI in Java).

ModSecurity works on rules. One of the best free rule sets out there is OWASP Core Rule Set (CRS). The rules are significantly more powerful than simple regex patterns. This makes them very effective, but it also means that you probably shouldn't try to build your own ModSecurity-like internal feature that consumes the rules, because you'd need to put in a ton of work to support all the necessary features.

If you need to parse ModSecurity logs into a format that can be automated upon, take a look at ModSecurity Log Utilities.

Hopefully this info is of use to someone in the future.

Polynomial
  • (1) what about other database keywords like DELETE, UPDATE, ALTER, CREATE... – Randy Oct 11 '11 at 16:34
  • (6) Look at the `mod_security` CoreRules. They have mostly perfected that blacklisting approach. (Also: lazy people just use bound parameters and stop worrying.) – mario Oct 11 '11 at 16:37
  • (3) I don't know what types of resources you have at your disposal, but if this is for a high priority/highly sensitive website, you might consider simply purchasing a Web Application Firewall (as opposed to a standard firewall). This is, in essence, what you're trying to write, and even companies dedicated to this have to constantly play "catch-up" as new threats emerge. https://www.owasp.org/index.php/Web_Application_Firewall - and a side note that even a professional product isn't perfect. We've had attacks get past the one we use and get caught by our .NET code. – David Oct 11 '11 at 16:37
  • what's this? where are you entering this? - and @Randy: Seconded. – M. Suleiman Oct 11 '11 at 16:37
  • @Randy - You can't inject those into existing MySQL queries without the construction logic being _SERIOUSLY_ bad. For example, you couldn't do UNION DELETE. It's just not useful to detect such a thing in my case. – Polynomial Oct 11 '11 at 16:38
  • @DavidStratton - Not what I want to do, nor am I in a position to purchase (or install) a WAF system. I'm just looking to improve my logic. – Polynomial Oct 11 '11 at 16:40
  • (3) Why spend all this effort on something that you are unable to ensure that all possibilities are captured? Would that effort be better spent on code reviews/testing to ensure that the software is written correctly? – Ed Heal Oct 11 '11 at 16:50
  • Possible duplicate: [Best way to stop SQL Injection in PHP](http://stackoverflow.com/q/60174/693207) – Jürgen Thelen Oct 11 '11 at 17:54
  • @JürgenThelen: The two questions aren't even close. The linked question is about avoiding injection in dynamic SQL, this question is about detecting previous injection attacks by examining log files. – Larry Lustig Oct 11 '11 at 18:06
  • @Larry Lustig: whoops, you're correct. Misread it, sorry. – Jürgen Thelen Oct 11 '11 at 18:09
  • (2) @Polynomial your logic can't be improved, it is deeply, inherently flawed - simply by trying to implement this yourself. Don't reinvent the wheel, don't implement a security mechanism without security expertise, don't rely on blacklists, and OWASP Top 10 are some basic security principles that you are violating. By the by, you'd be better off trying on [Security.se], but you'd get the same answer - unless you're asking for e.g. educational purposes. – AviD Oct 11 '11 at 18:25
  • Updated the question. Also, I've added `/\*.*?\*/` to my filtering, so it doesn't get tricked by `UNI/*123*/ON SEL/*456*/ECT`. – Polynomial Oct 12 '11 at 08:23

4 Answers

6

You're talking about writing an IDS. Unless your product is an IDS, just get and install one. Snort is well-known and has a free version.

I'm not looking for a different way to do this, just a way to improve my current logic.

Sometimes when it comes to security, the wrong approach simply is. How would I mess with your current logic? Unicode or hex encoding.

Jeff Ferland
  • (1) +1; in addition, other encodings can also wreak havoc, to begin with. – AviD Oct 11 '11 at 18:18
  • (1) Some things that your rules would really mess up: "Chicken or beef -- who can decide?" – Jeff Ferland Oct 11 '11 at 18:21
  • @JeffFerland - Not only does that not match the regex I provided, it's not even valid as part of a URL. – Polynomial Oct 12 '11 at 07:39
  • Also, I'm checking both the raw and urldecoded strings. Perhaps I should've been clearer about my intent. This is currently implemented only on my site, but it's being put into a monitoring product. The idea is to give a warning when someone has attempted an attack. It's a tacked-on feature to offer minimal security monitoring, and isn't designed to replace an IDS or firewall. I'll edit to reflect this. – Polynomial Oct 12 '11 at 07:43
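The following is an added example, not code from the question, this answer, or any project. It runs the five rules exactly as posted in the question over a handful of constructed Apache access-log lines, checking the raw request, its URL-decoded form, and the decoded form with `/*...*/` comments stripped (the asker's later addition), so you can see both what the rules fire on and what valid MySQL syntax slips past them, which is the point this answer and the comments above make about encodings. The log lines, client IPs (192.0.2.0/24 is a documentation range) and function names are all assumptions made up for illustration.

```python
import re
from urllib.parse import unquote

# The five rules as posted in the question, compiled case-insensitively.
RULES = {
    "PathInjection": r"\./\.\./(bin|boot|data|dev|etc|home|lib|lib64|media|mnt|opt|proc|root|sbin|selinux|srv|sys|tmp|usr|var)/",
    "Havij": r"0x31303235343830303536",
    "r3dm0v3": r"0x7233646D3076335F68766A5F696E6A656374696F6E",
    "LogicBypass": r"'.*?(\bor|\band|\bxor|\|\||\&\&).*?--",
    "UnionSelect": r"union[^a-z-_]+((all|distinct)[^a-z-_]+)?select[^a-z-_]",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# The /*...*/ stripping the asker added after the UNI/*x*/ON trick was raised.
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Apache common log format; group 3 is the quoted "METHOD PATH PROTOCOL" request.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def candidates(request):
    """Forms of the request the rules are run against: raw, URL-decoded,
    and decoded with inline comments removed."""
    decoded = unquote(request)
    return (request, decoded, COMMENT.sub("", decoded))


def match_rules(request):
    """Sorted names of the rules that fire on any form of the request."""
    hits = set()
    for text in candidates(request):
        for name, rx in COMPILED.items():
            if rx.search(text):
                hits.add(name)
    return sorted(hits)


def scan_log(lines):
    """(client_ip, request, hits) for every line that parses as a log entry."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, request, _status, _size = m.groups()
        out.append((ip, request, match_rules(request)))
    return out


def alerts(lines):
    """Entries with at least one hit: what the monitor would alert on."""
    return [(ip, req, hits) for ip, req, hits in scan_log(lines) if hits]


def missed(lines):
    """Requests with no hit, for reviewing what the rules do not cover."""
    return [req for _ip, req, hits in scan_log(lines) if not hits]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2011:16:30:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [11/Oct/2011:16:30:02 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512',
    '192.0.2.12 - - [11/Oct/2011:16:30:03 +0000] "GET /index.php?id=1%20UNI/*x*/ON%20SEL/*y*/ECT%201,2,3-- HTTP/1.1" 200 512',
    '192.0.2.13 - - [11/Oct/2011:16:30:04 +0000] "GET /login.php?user=admin%27%20or%201%3D1-- HTTP/1.1" 302 0',
    '192.0.2.14 - - [11/Oct/2011:16:30:05 +0000] "GET /download.php?f=../../etc/passwd HTTP/1.1" 403 0',
    # Valid MySQL syntax the posted rules do not match: a numeric context with
    # no quote, the '#' comment instead of '--', and a single '../' level.
    '192.0.2.15 - - [11/Oct/2011:16:30:06 +0000] "GET /index.php?id=1%20or%201%3D1-- HTTP/1.1" 200 512',
    '192.0.2.16 - - [11/Oct/2011:16:30:07 +0000] "GET /login.php?user=admin%27%20or%201%3D1%23 HTTP/1.1" 302 0',
    '192.0.2.17 - - [11/Oct/2011:16:30:08 +0000] "GET /download.php?f=../etc/passwd HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, req, hits in alerts(SAMPLE_LOG):
        print(f"ALERT {ip} {hits} {req}")
    for req in missed(SAMPLE_LOG):
        print(f"no hit: {req}")
```

Everything the monitor catches depends on the normalisation that runs before the regex, not on the regex alone: the comment-split `UNION` is only seen after stripping, and the `%27` quote only after decoding. ModSecurity does the same job as a chain of per-rule transformations (for example `t:urlDecodeUni`, `t:removeComments`, `t:lowercase`) applied before the rule's operator, which is a large part of why the question's 2021 edit points there.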
0

Here is a nice example of IT threat detection using deep-neural-network vector embedding and a similarity search engine.

Ron
-1

Can you think of a way to improve them without introducing false positives?

I wouldn't think of improving this silly approach at all. I'd rather improve the site security itself.

We all know it is nearly impossible to produce a large website without one or two flaws.

I disagree with that. At least for SQL injections. Injections are quite a silly thing, and protection is not a big deal.

Your Common Sense
-5

SQL injection is a top-rated web application attack these days. There is a lot of insecure code over the net, and there are also several ways to protect an application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and exploitation conditions: the vulnerable request can implement INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of an SQL request; blind SQL injection; features of the SQL implementations used in various DBMSs. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server. My recommendation:

Check Google for more on how to protect against SQL injection.

madunix
  • Not what I was asking for. I understand SQL injections perfectly, and I know about penetration testing and security analysis. Please read the question again. – Polynomial Oct 12 '11 at 08:08