[Owasp-appsensor-project] SQL injection attack
ryan.barnett at owasp.org
Sat Feb 11 15:44:01 UTC 2012
We should collaborate. I am thinking of creating an "Attack Payload Database" project where we can develop vetted payloads for various attack types (SQLi, XSS, Directory Traversal, etc...). We already have a bunch of these in the OWASP ModSecurity CRS, but that is implementation specific. I think we need to abstract out the signature/patterns themselves for use in other applications.
For instance, Varnish uses the CRS payloads -
Also, Akamai's WAF service uses it too.
I am thinking that we need a central repo in XML or something that describes what to look for and optionally where to look for it (param payloads, cookies, etc...).
If we can get a good format that is easily parsable (ModSecurity's rules language is not) it could more easily be consumed by other apps.
On Feb 11, 2012, at 10:09 AM, John Melton <jtmelton at gmail.com> wrote:
> Agreed - this is a false negative. The sqli regex is far from
> complete, and is just a proof of concept at the moment, although it
> does detect certain things. It'll be an area that should get some love
> on the next release hopefully.
> On Sat, Feb 11, 2012 at 8:04 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr>
>>> Hello all
>>> I have this input :
>>> station=101 OR 1=1
>>> When I am checking if it is an SQL injection command with the command
>>> it returned false.
>>> I think it should return true. Am I correct? What is the problem?
>>> Thank you very much
>> Here are the current SQL Injection attack strings from the
>> appsensor.properties file -
>> # This collection of strings is the SQL Injection attack pattern list
>> As you can see, the attack payload you showed would not match any patterns.
>> We discussed SQL Injection a bit at the AppSensor Summit last September and
>> the difference between WAF attack detections (negative security signature
>> matching) and what AppSensor does. There is a balance here between accuracy
>> and detection. To me, this is a false negative as this is obviously an
>> attack attempt. I see two options -
>> 1) Expand the sql.injection.attack.patterns list to include more patterns.
>> 2) Utilize Detection Point RP2
>> - https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP2:_Suspicious_External_User_Behavior.
>> If you have a ModSecurity WAF in front of an AppSensor host (proxying or
>> doing mod_ajp) you can have ModSecurity export its attack detection alerts
>> and add them into the request as new request headers. We call this "Request
>> Header Tagging"
>> - http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-request-header-tagging.html
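As an added illustration of the implementation-neutral pattern database proposed above (example code written for this archive page, not AppSensor, ModSecurity CRS or Akamai code): a constructed XML file that says what to look for and where (param or cookie), a loader, and a request scanner that catches the unquoted tautology `station=101 OR 1=1` from the thread, which a quote-based signature list misses. The XML element names, pattern ids and regexes are all assumptions made up for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pattern database (not a real AppSensor, CRS or Akamai file):
# each entry carries a regex plus the request locations it applies to.
PATTERN_DB = r"""<attack-patterns>
  <pattern id="sqli-tautology" type="SQLi" locations="param cookie">
    <regex>(?i)\b(?:or|and)\s+'?(\w+)'?\s*=\s*'?\1(?!\w)</regex>
  </pattern>
  <pattern id="sqli-comment" type="SQLi" locations="param">
    <regex>(--|#|/\*)</regex>
  </pattern>
  <pattern id="sqli-union" type="SQLi" locations="param cookie">
    <regex>(?i)\bunion\b.*\bselect\b</regex>
  </pattern>
</attack-patterns>"""


def load_patterns(xml_text):
    """Parse the XML database into compiled regexes tagged with their locations."""
    patterns = []
    for node in ET.fromstring(xml_text).findall("pattern"):
        patterns.append({
            "id": node.get("id"),
            "type": node.get("type"),
            "locations": set(node.get("locations", "").split()),
            "regex": re.compile(node.findtext("regex")),
        })
    return patterns


def scan_request(patterns, params=None, cookies=None):
    """Return (pattern id, location, field name) for every pattern that hits.
    A pattern is applied only to the locations its entry lists, so the
    comment signature scoped to params never fires on a cookie value."""
    hits = []
    for location, fields in (("param", params or {}), ("cookie", cookies or {})):
        for name, value in fields.items():
            for p in patterns:
                if location in p["locations"] and p["regex"].search(value):
                    hits.append((p["id"], location, name))
    return hits


PATTERNS = load_patterns(PATTERN_DB)

if __name__ == "__main__":
    # The request from the thread: a bare numeric tautology with no quotes.
    print(scan_request(PATTERNS, params={"station": "101 OR 1=1"}))
    print(scan_request(PATTERNS, params={"station": "101"}))
```

The tautology regex also covers the quoted form (`' or 'x'='x`), so the same entry serves both the numeric and string-context variants while leaving ordinary text such as `rock and roll` alone.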