[Owasp-appsensor-project] SQL injection attack

John Melton jtmelton at gmail.com
Sat Feb 11 15:09:56 UTC 2012


Agreed - this is a false negative. The sqli regex is far from
complete, and is just a proof of concept at the moment, although it
does detect certain things. It'll be an area that should get some love
on the next release hopefully.

On Sat, Feb 11, 2012 at 8:04 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>
> On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr>
> wrote:
>>
>> Hello all
>> I have this input :
>> station=101 OR 1=1
>> When I check whether it is an SQL injection command with the command
>> boolean verifyattack=org.owasp.appsensor.AttackDetectorUtils.verifySQLInjectionAttack(station);
>> it returned false.
>> I think it should return true. Am I correct? What is the problem?
>> Thank you very much
>> M.P.
>>
>
> Here are the current SQL Injection attack strings from the
> appsensor.properties file -
>
> # This collection of strings is the SQL Injection attack pattern list
> sql.injection.attack.patterns=\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,cursor,delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns
>
> As you can see, the attack payload you showed would not match any patterns
> here.
>
> We discussed SQL Injection a bit at the AppSensor Summit last September and
> the difference between WAF attack detections (negative security signature
> matching) and what AppSensor does.  There is a balance here between accuracy
> and detection.  To me, this is a false negative as this is obviously an
> attack attempt.  I see two options -
>
> 1) Expand the sql.injection.attack.patterns list to include more patterns.
> 2) Utilize Detection Point RP2
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP2:_Suspicious_External_User_Behavior.
> If you have a ModSecurity WAF in front of an AppSensor host (proxying or
> doing mod_ajp) you can have ModSecurity export its attack detection alerts
> and add them into the request as new request headers.  We call this "Request
> Header Tagging"
> http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-request-header-tagging.html
>
> -Ryan
>
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
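To make the false negative concrete, here is an added Python example (not AppSensor code and not posted by anyone in the thread) that takes the sql.injection.attack.patterns value exactly as quoted above, compiles each entry as a regex, and runs it over a few constructed inputs next to a proposed tautology pattern. The only thing taken from the message is the property value; how AppSensor itself unescapes, splits and applies the list, and whether it matches case-insensitively, are assumptions of this example, as is the tautology pattern.

```python
"""
Added example, not AppSensor code: a stand-alone re-implementation of the
sql.injection.attack.patterns list quoted in the thread, used to show why
"station=101 OR 1=1" slips through and what a tautology pattern would add.
Assumed (not confirmed by the thread): the value is unescaped as a Java
properties string, split on commas, and each entry applied as a
case-insensitive regex search.
"""
import re

# The property value exactly as it appears in the quoted appsensor.properties.
RAW_PATTERNS = (
    r"\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,"
    r"cursor,delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns"
)

# Proposed addition (an assumption of this example, not in the quoted list):
# a boolean operator followed by a literal compared with itself, e.g.
# "OR 1=1" or "or 'a'='a'". Comparing different literals ("or 1=2") is
# deliberately not matched, which keeps this pattern narrow.
TAUTOLOGY = re.compile(
    r"""\b(?:or|and)\b\s+(['"]?)(\w+)\1\s*=\s*\1\2\1""", re.IGNORECASE
)


def load_pattern_list(raw_value):
    # Java Properties unescaping halves the backslashes, so the file text
    # \\-\\- becomes the regex \-\-. Empty entries from stray commas are dropped.
    unescaped = raw_value.replace("\\\\", "\\")
    return [re.compile(p, re.IGNORECASE) for p in unescaped.split(",") if p]


BASELINE = load_pattern_list(RAW_PATTERNS)


def matches(patterns, value):
    # Sources of every pattern that fires; an empty list means "not detected".
    return [p.pattern for p in patterns if p.search(value)]


def baseline_hits(value):
    # Detection with the quoted list only.
    return matches(BASELINE, value)


def extended_hits(value):
    # Quoted list plus the proposed tautology pattern.
    return matches(BASELINE + [TAUTOLOGY], value)


# Constructed inputs. The first is the payload from the thread; the others
# probe the other side of the accuracy/detection balance Ryan describes:
# legitimate values that the keyword list flags anyway, and a word that a
# careless "or" pattern would flag.
SAMPLES = [
    "station=101 OR 1=1",    # the reported false negative
    "101; drop",             # hits two baseline patterns
    "ops@example.com",       # legitimate e-mail address, flagged by \@
    "dropdown menu",         # legitimate text, flagged by the bare word "drop"
    "Oregon",                # must not be flagged by a word-bounded "or"
]


def report():
    # Map each sample to (baseline hits, extended hits) for inspection.
    return {s: (baseline_hits(s), extended_hits(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (base, ext) in report().items():
        print(f"{sample!r:25} baseline={base} extended={ext}")
```

Running it shows the two sides of the trade-off at once: the quoted list misses the tautology entirely, while the unanchored entries \@ and drop fire on an e-mail address and on ordinary UI text. Adding patterns, as in option 1, therefore has to be weighed against the false positives each new entry introduces, which is why the tautology pattern above is word-bounded and only matches a literal compared with itself.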

