[Webappsec] Automatically detecting injections

nnp version5 at gmail.com
Sun Apr 27 12:59:04 EDT 2008


On Sun, Apr 27, 2008 at 3:48 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> <disclaimer>I'm not crazy about using fuzzing to detect SQL injection. There
>  is absolutely no reason that the website would have to give any indication
>  that an injection was successful. More importantly, it is *way* faster and
>  more accurate to look at the source code and verify the use of parameterized
>  queries.</disclaimer>

Valid concerns. That said, I would imagine a decent fuzzer will always
be faster than the best of source code auditors to identify whatever
types of bugs it is targeting. Obviously there are disadvantages and
downsides to fuzzing that need to be kept in mind and you can miss
bugs, have false positives, etc. Even if your detection mechanisms
are a little hazy and result in limited false positives, fuzzing can
still be a great help in helping find areas of potential interest
though.

It is the same when network/file fuzzing (or using any tool that
attempts to automate part of an audit). There are trade offs and
limitations but fuzzing has shown positive dividends in the past and I
usually find the effort put into building a fuzzer is rewarded. The
key word there is _effort_ - obviously a poor fuzzer isn't worth it.

>
>  That said, I would try to generalize and extend your list a bit. For
>  example, instead of searching for "java.sql.SQLException: Syntax error or
>  access violation", I would just flag on "SQLException" which should never
>  show up in a legitimate page.  Same with "mysql", "xpath", and other strings
>  which are unlikely to show up.

Noted.

>
>  I would also try to add ALL the Java SQL exceptions. BatchUpdateException,
>  DataTruncation, SQLException, SQLWarning. You might want to extend to all
>  Java exceptions depending on the signal/noise ratio you're targeting.  You
>  could do the same with all the platforms.

Good point. I'm sure it's obvious but web application security is
rather new to me so I'm sure I'm going to miss out on some things
and/or make some incorrect assumptions. Thanks for the feedback
though. When I'm done patching wapiti I'll upload the patch somewhere
if anyone is interested. (Could be a few weeks though as this is more
of a side project/experiment)

Cheers,
nnp

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com
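The response-matching approach discussed in this thread, written out as an added example; this is not code from the original post and not part of wapiti or any patch to it. The signature list follows the generalisation suggested above (bare Java SQL exception class names plus platform keywords such as "mysql" and "xpath"), the function names and the sample response bodies are constructed for illustration, and the baseline comparison is one way to handle the false-positive concern raised in the thread: a page that legitimately contains "MySQL" in its footer would otherwise fire on every request. It does nothing for the blind case where the server gives no indication at all, which is the limitation the disclaimer at the top points out.

```python
import re

# Error strings to flag in an HTTP response body, generalised as suggested in
# the thread: bare exception class names rather than one full message, plus
# platform keywords that should not appear in a legitimate page.
# This list is a constructed example; extend it per platform and tune it to
# the signal/noise ratio you are targeting.
ERROR_SIGNATURES = {
    "java-sql": re.compile(
        r"\b(?:SQLException|BatchUpdateException|DataTruncation|SQLWarning)\b"),
    "mysql": re.compile(r"\bmysql\b", re.IGNORECASE),
    "xpath": re.compile(r"\bxpath\b", re.IGNORECASE),
}


def find_error_signatures(body):
    """Return the set of signature names that match anywhere in body."""
    return {name for name, pattern in ERROR_SIGNATURES.items()
            if pattern.search(body)}


def new_signatures(baseline_body, fuzzed_body):
    """Signatures present in the fuzzed response but absent from the
    un-fuzzed baseline response for the same URL.

    Diffing against the baseline removes constant noise (a footer that
    says "Powered by MySQL") and leaves only what the payload provoked.
    """
    return (find_error_signatures(fuzzed_body)
            - find_error_signatures(baseline_body))


def scan(baseline_body, fuzzed_bodies):
    """Run the check over several fuzzed responses.

    Returns {index: new signatures} for only those responses that fired,
    i.e. the candidates worth a manual look.
    """
    hits = {}
    for i, body in enumerate(fuzzed_bodies):
        found = new_signatures(baseline_body, body)
        if found:
            hits[i] = found
    return hits


# Constructed sample responses (not captured from any real site).
BASELINE = ("<html><body><h1>Products</h1>"
            "<p>Powered by MySQL</p></body></html>")
FUZZED_JAVA = ("<html><body>HTTP 500 java.sql.SQLException: Syntax error or "
               "access violation near ''' at line 1"
               "<p>Powered by MySQL</p></body></html>")
FUZZED_CLEAN = ("<html><body><h1>Products</h1><p>No results for your search."
                "</p><p>Powered by MySQL</p></body></html>")
FUZZED_XPATH = ("<html><body>Error: Invalid XPath expression"
                "<p>Powered by MySQL</p></body></html>")


if __name__ == "__main__":
    results = scan(BASELINE, [FUZZED_JAVA, FUZZED_CLEAN, FUZZED_XPATH])
    for idx, sigs in results.items():
        print("response %d: new error signatures %s" % (idx, sorted(sigs)))
```

Without the baseline diff, all four sample bodies would match on "mysql"; with it, only the Java exception page and the XPath error page are reported, which is the short list a human then verifies by hand (or, as the disclaimer suggests, by reading the query code).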
