[Owasp-appsensor-project] SQL injection attack

Ryan Barnett ryan.barnett at owasp.org
Sat Feb 11 13:04:51 UTC 2012


On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:

> Hello all,
> I have this input:
> station=101 OR 1=1
> When I am checking whether it is an SQL injection command with the command
>
> boolean verifyattack = org.owasp.appsensor.AttackDetectorUtils.verifySQLInjectionAttack(station);
>
> it returned false.
> I think it should return true. Am I correct? What is the problem?
> Thank you very much
> M.P.
>
>
Here are the current SQL Injection attack strings from the
appsensor.properties file -

# This collection of strings is the SQL Injection attack pattern list
sql.injection.attack.patterns=\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,cursor,delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns

As you can see, the attack payload you showed would not match any patterns
here.

We discussed SQL Injection a bit at the AppSensor Summit last September and
the difference between WAF attack detections (negative security signature
matching) and what AppSensor does.  There is a balance here between
accuracy and detection.  To me, this is a false negative as this is
obviously an attack attempt.  I see two options -

1) Expand the sql.injection.attack.patterns list to include more patterns.
2) Utilize Detection Point RP2 -
https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP2:_Suspicious_External_User_Behavior.
If you have a ModSecurity WAF in front of an AppSensor host (proxying or
doing mod_ajp) you can have ModSecurity export its attack detection alerts
and add them into the request as new request headers.  We call this
"Request Header Tagging" -
http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-request-header-tagging.html

-Ryan
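The following is an added, stand-alone illustration of the pattern-list check discussed in this thread; it is not AppSensor's code and does not call the AppSensor API. It takes the sql.injection.attack.patterns value exactly as quoted above, unescapes it the way java.util.Properties would (a doubled backslash becomes one), and applies each comma-separated entry as a case-insensitive regular-expression search. That the entries are applied as regexes is an assumption drawn from their escaping, not something the thread states. The EXTENDED_PROPERTY list, the tautology and UNION patterns in it, and all sample inputs are constructed for this example to show Ryan's option 1 (expanding the list) catching "101 OR 1=1", and to show the accuracy trade-off he mentions: bare keywords such as "delete" or "alter" also fire on harmless text.

```python
import re
from typing import List, Pattern

# The pattern list as it appears in the appsensor.properties excerpt in this thread,
# before properties-file unescaping (so "\\-" here is the literal two characters \-).
ORIGINAL_PROPERTY = (
    r"\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,cursor,"
    r"delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns"
)

# Hypothetical extension for this example (Ryan's option 1): a boolean-tautology
# pattern ("... OR 1=1", "... OR 'a'='a'") and a UNION SELECT pattern. These are NOT
# AppSensor defaults; they are written here only to demonstrate the idea.
EXTENDED_PROPERTY = (
    ORIGINAL_PROPERTY
    + r",\\b(or|and)\\b\\s+\\S+\\s*=\\s*\\S+"
    + r",union\\s+(all\\s+)?select"
)


def load_patterns(property_value: str) -> List[Pattern]:
    """Unescape a java.util.Properties value ('\\\\' -> '\\') and compile each
    comma-separated entry as a case-insensitive regex. None of the entries contain
    a comma, so a plain split is sufficient here."""
    unescaped = property_value.replace("\\\\", "\\")
    return [re.compile(entry, re.IGNORECASE) for entry in unescaped.split(",") if entry]


def matching_patterns(value: str, patterns: List[Pattern]) -> List[str]:
    """Return the source text of every pattern that fires on the input, in list order."""
    return [p.pattern for p in patterns if p.search(value)]


def verify_sql_injection_attack(value: str, patterns: List[Pattern]) -> bool:
    """Mirror of the boolean check in the thread: true if any pattern matches."""
    return bool(matching_patterns(value, patterns))


if __name__ == "__main__":
    original = load_patterns(ORIGINAL_PROPERTY)
    extended = load_patterns(EXTENDED_PROPERTY)
    # Constructed sample inputs: the value from the question, a classic string
    # tautology, a payload the original list does catch, and a harmless sentence.
    samples = [
        "101 OR 1=1",
        "x' OR 'a'='a",
        "1; DROP TABLE users--",
        "please delete the cursor",
    ]
    for value in samples:
        print(
            f"{value!r:28} original={verify_sql_injection_attack(value, original)!s:5} "
            f"extended={verify_sql_injection_attack(value, extended)!s:5} "
            f"hits={matching_patterns(value, extended)}"
        )
```

Running the block shows the two sides of the balance Ryan describes: the original list misses both tautology payloads, the extended list catches them, and the original list already flags "please delete the cursor" because "delete" and "cursor" are matched as bare substrings. Any list expansion should be checked against the application's real, benign input the same way before it is turned on.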