[Owasp-appsensor-project] SQL injection attack
ryan.barnett at owasp.org
Sat Feb 11 13:04:51 UTC 2012
On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:
> Hello all
> I have this input :
> station=101 OR 1=1
> When I am checking if it is an SQL injection command with the command
> it returned false.
> I think it should return true. Am I correct? What is the problem?
> Thank you very much
Here are the current SQL Injection attack strings from the
appsensor.properties file -
# This collection of strings is the SQL Injection attack pattern
As you can see, the attack payload you showed would not match any of the patterns.
We discussed SQL Injection a bit at the AppSensor Summit last September and
the difference between WAF attack detections (negative security signature
matching) and what AppSensor does. There is a balance here between
accuracy and detection. To me, this is a false negative as this is
obviously an attack attempt. I see two options -
1) Expand the sql.injection.attack.patterns list to include more patterns.
2) Utilize Detection Point RP2 -
If you have a ModSecurity WAF in front of an AppSensor host (proxying or
doing mod_ajp) you can have ModSecurity export its attack detection alerts
and add them into the request as new request headers. We call this
"Request Header Tagging" -
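The two options above, worked through as an added example that is not part of the original mail and not AppSensor's own (Java) code. The literal pattern list is a constructed stand-in for the unshown value of sql.injection.attack.patterns, the extra regexes are one way to cover what a literal list misses (the "101 OR 1=1" tautology from the question), and the X-WAF-Events header name and its contents are an assumption for how a ModSecurity front end could export its alerts into the request:

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for sql.injection.attack.patterns: literal substrings
# matched case-insensitively. These are assumptions, not the project's list.
# A literal list trades false positives ("--" in "a--b") for simplicity, and
# still misses a bare tautology such as "101 OR 1=1".
LITERAL_PATTERNS = ["' OR '1'='1", "UNION SELECT", "xp_cmdshell", "--", "/*"]

# Regex classes for what a literal list misses: a tautology glued to a numeric
# or quoted value (101 OR 1=1, 'a' OR 'x'='x'), stacked statements, time probes.
REGEX_PATTERNS = {
    "tautology": re.compile(r"\b(or|and)\s+('[^']*'|\d+)\s*=\s*('[^']*'|\d+)", re.I),
    "stacked_query": re.compile(r";\s*(drop|delete|insert|update|shutdown)\b", re.I),
    "time_probe": re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\b", re.I),
}


def literal_match(value, patterns=LITERAL_PATTERNS):
    """The simple substring check; returns the literals that fired."""
    v = value.lower()
    return [p for p in patterns if p.lower() in v]


def regex_match(value):
    """Returns the names of the regex classes that fired."""
    return [name for name, rx in REGEX_PATTERNS.items() if rx.search(value)]


def detect_sqli(value):
    """Option 1: literal list plus regex classes. Empty list means no detection."""
    return literal_match(value) + regex_match(value)


# Option 2: WAF request header tagging. The header name and comma-separated
# format are assumptions for this example; ModSecurity is configured to emit
# whatever header the deployment chooses.
WAF_HEADER = "x-waf-events"


def waf_tagged_events(headers):
    """Return the attack alerts an upstream WAF placed into the request headers."""
    for name, value in headers.items():
        if name.lower() == WAF_HEADER:
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def evaluate_request(query_string, headers):
    """Walk every query parameter and the WAF tags; return detection events.

    parse_qsl splits each pair on the first '=' only, so a value such as
    '101 OR 1=1' survives intact for inspection.
    """
    events = []
    for param, value in parse_qsl(query_string, keep_blank_values=True):
        for reason in detect_sqli(value):
            events.append({"source": "appsensor", "param": param, "reason": reason})
    for tag in waf_tagged_events(headers):
        events.append({"source": "waf", "param": None, "reason": tag})
    return events


if __name__ == "__main__":
    # Constructed request: the payload from the question plus a constructed
    # WAF tag as an upstream ModSecurity might add it.
    for ev in evaluate_request("station=101 OR 1=1&page=2",
                               {"X-WAF-Events": "SQL Injection Attack"}):
        print(ev)
```

The first check shows the reported false negative: the literal list alone returns nothing for "101 OR 1=1", while the tautology regex flags it. The WAF path is independent of any pattern list in AppSensor, which is the point of header tagging: the signature engine in front of the application does the matching and the application only has to trust and consume the tag.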