[Owasp-appsensor-project] SQL injection attack

Ryan Barnett ryan.barnett at owasp.org
Sat Feb 11 15:44:01 UTC 2012


We should collaborate. I am thinking of creating an "Attack Payload Database" project where we can develop vetted payloads for various attack types (SQLi, XSS, Directory Traversal, etc...). We already have a bunch of these in the OWASP ModSecurity CRS, but that is implementation specific. I think we need to abstract out the signature/patterns themselves for use in other applications. 

For instance, Varnish uses the CRS payloads -
https://github.com/comotion/security.vcl/tree/master/vcl/breach

Also, Akamai's WAF service uses it too. 

I am thinking that we need a central repo in XML or something that describes what to look for and optionally where to look for it (param payloads, cookies, etc...). 

If we can get a good format that is easily parsable (ModSecurity's rules language is not) it could more easily be consumed by other apps. 

Thoughts?

Ryan

On Feb 11, 2012, at 10:09 AM, John Melton <jtmelton at gmail.com> wrote:

> Agreed - this is a false negative. The sqli regex is far from
> complete, and is just a proof of concept at the moment, although it
> does detect certain things. It'll be an area that should get some love
> on the next release hopefully.
> 
> On Sat, Feb 11, 2012 at 8:04 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> 
>> On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr>
>> wrote:
>>> 
>>> Hello all
>>> I have this input :
>>> station=101 OR 1=1
>>> When I am checking if it is an SQL injection command with the command
>>> boolean verifyattack=org.owasp.appsensor.AttackDetectorUtils.verifySQLInjectionAttack(station);
>>> it returned false.
>>> I think it should return true. Am I correct? What is the problem?
>>> Thank you very much
>>> M.P.
>>> 
>> 
>> Here is the current SQL Injection attack strings from the
>> appsensor.properties file -
>> 
>> # This collection of strings is the SQL Injection attack pattern list
>> sql.injection.attack.patterns=\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,cursor,delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns
>> 
>> As you can see, the attack payload you showed would not match any patterns
>> here.
>> 
>> We discussed SQL Injection a bit at the AppSensor Summit last September and
>> the difference between WAF attack detections (negative security signature
>> matching) and what AppSensor does.  There is a balance here between accuracy
>> and detection.  To me, this is a false negative as this is obviously an
>> attack attempt.  I see two options -
>> 
>> 1) Expand the sql.injection.attack.patterns list to include more patterns.
>> 2) Utilize Detection Point RP2
>> - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP2:_Suspicious_External_User_Behavior.
>>  If you have a ModSecurity WAF in front of an AppSensor host (proxying or
>> doing mod_ajp) you can have ModSecurity export its attack detection alerts
>> and add them into the request as new request headers.  We call this "Request
>> Header Tagging"
>> - http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-request-header-tagging.html
>> 
>> -Ryan
>> 
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>> 
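A small Python reconstruction of the check discussed in this thread (added here; not AppSensor's own code): it applies the quoted sql.injection.attack.patterns value to the input from the original question, shows the false negative, and then shows the effect of option 1 with a few added tautology and UNION patterns. It assumes that each comma-separated entry is used as a case-insensitive regular expression after the .properties backslash escapes are resolved; that is an assumption about the library, not something the thread states.

```python
import re

# Value copied from the appsensor.properties excerpt quoted above.
ORIGINAL_VALUE = (
    r"\\-\\-,\\;,\\/\\*,\\*\\/,\\@\\@,\\@,nchar,varchar,nvarchar,alter,cursor,"
    r"delete,drop,exec,fetch,insert,kill,sysobjects,syscolumns"
)

# Option 1 from the thread: a constructed expansion of the list with a boolean
# tautology pattern (e.g. "OR 1=1", "or 'a'='a'"), a UNION SELECT pattern and a
# quote followed by OR/AND. These additions are illustrative, not from AppSensor.
EXPANDED_VALUE = ORIGINAL_VALUE + (
    r",\b(?:or|and)\b\s+[\w']+\s*=\s*[\w']+"
    r",\bunion\b\s+(?:all\s+)?select\b"
    r",'\s*(?:or|and)\b"
)


def load_patterns(properties_value: str) -> list:
    """Split the comma-separated property into compiled regexes.

    Java .properties files collapse a doubled backslash into a single one
    before the value is handed to the application, so "\\\\-" becomes "\\-".
    Assumption: entries are then applied as case-insensitive regexes.
    """
    unescaped = properties_value.replace("\\\\", "\\")
    return [re.compile(p, re.IGNORECASE) for p in unescaped.split(",") if p]


def verify_sqli(value: str, patterns: list) -> bool:
    """True if any pattern matches anywhere in the parameter value."""
    return any(p.search(value) for p in patterns)


ORIGINAL_PATTERNS = load_patterns(ORIGINAL_VALUE)
EXPANDED_PATTERNS = load_patterns(EXPANDED_VALUE)

if __name__ == "__main__":
    # The value of the "station" parameter from the original question.
    suspicious = "101 OR 1=1"
    # Constructed benign values: the second one shows the accuracy/detection
    # trade-off, since the bare word "drop" also matches "dropdown".
    for value in (suspicious, "101", "order by name", "dropdown"):
        print(f"{value!r}: original={verify_sqli(value, ORIGINAL_PATTERNS)} "
              f"expanded={verify_sqli(value, EXPANDED_PATTERNS)}")
```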

