[Owasp-appsensor-project] SQL injection attack

Ryan Barnett ryan.barnett at owasp.org
Sat Feb 11 13:04:51 UTC 2012

On Sat, Feb 11, 2012 at 5:16 AM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:

> Hello all
> I have this input :
> station=101 OR 1=1
> When I am checking if it is an SQL injection command with the command
> boolean verifyattack=org.owasp.appsensor.AttackDetectorUtils.verifySQLInjectionAttack(station);
> it returned false.
> I think it should return true. Am I correct? What is the problem?
> Thank you very much
> M.P.
Here are the current SQL Injection attack strings from the
appsensor.properties file -

# This collection of strings is the SQL Injection attack pattern

As you can see, the attack payload you showed would not match any patterns.

We discussed SQL Injection a bit at the AppSensor Summit last September and
the difference between WAF attack detections (negative security signature
matching) and what AppSensor does.  There is a balance here between
accuracy and detection.  To me, this is a false negative as this is
obviously an attack attempt.  I see two options -

1) Expand the sql.injection.attack.patterns list to include more patterns.
2) Utilize Detection Point RP2 -
If you have a ModSecurity WAF in front of an AppSensor host (proxying or
doing mod_ajp) you can have ModSecurity export its attack detection alerts
and add them into the request as new request headers.  We call this
"Request Header Tagging" -
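As an added illustration (not code from the AppSensor project or from anyone in this thread), the following Python sketches both options above: a regex pattern list in the style of `sql.injection.attack.patterns` with a constructed baseline (the real entries from appsensor.properties are not reproduced on this page), an expanded list adding a tautology pattern that catches `101 OR 1=1` while leaving `1 AND 1=2` alone, and a check for a WAF-tagged request header. The header name `X-WAF-Events` and the sample values are assumptions made for the example.

```python
"""Added example (not AppSensor project code): pattern-list SQL injection
detection with a constructed baseline, an expanded list that catches the
tautology from the thread, and a check for a WAF-injected request header."""
import re
from typing import List, Mapping, Optional, Pattern

# Constructed baseline list, standing in for sql.injection.attack.patterns
# (the real entries from appsensor.properties are not on the page).
# Each entry is a regular expression; matching is case-insensitive.
BASELINE_PATTERNS: List[str] = [
    r"\bunion\b[\s\S]*\bselect\b",   # UNION ... SELECT
    r"\bdrop\s+table\b",
    r"\binsert\s+into\b",
    r"\bexec(?:ute)?\s*\(",
    r"--",                           # SQL line comment
    r"/\*",                          # SQL block comment
    r"'\s*or\s*'",                   # quote-OR-quote
]

# Option 1 from the thread: a boolean tautology such as OR 1=1 or
# OR 'a'='a'. The back-reference forces both sides to be identical, so
# "AND 1=2" (not always true) is left alone, keeping false positives down.
TAUTOLOGY_PATTERN = r"\b(?:or|and)\s+(\d+|'[^']*')\s*(?:=|like)\s*\1(?!\w)"
EXPANDED_PATTERNS: List[str] = BASELINE_PATTERNS + [TAUTOLOGY_PATTERN]


def compile_patterns(patterns: List[str]) -> List[Pattern[str]]:
    return [re.compile(p, re.IGNORECASE) for p in patterns]


COMPILED_BASELINE = compile_patterns(BASELINE_PATTERNS)
COMPILED_EXPANDED = compile_patterns(EXPANDED_PATTERNS)


def verify_sql_injection(value: str, patterns: List[Pattern[str]]) -> Optional[str]:
    """Return the source text of the first pattern that matches, or None."""
    for rx in patterns:
        if rx.search(value):
            return rx.pattern
    return None


def waf_tagged_attack(headers: Mapping[str, str], header_name: str = "X-WAF-Events") -> bool:
    """Option 2 from the thread: trust a tag the WAF added to the request.
    The header name is an assumption; with ModSecurity in front of Apache it
    is whatever name the reverse proxy is configured to set."""
    return bool(headers.get(header_name, "").strip())


if __name__ == "__main__":
    # Constructed sample values, including the one from the question.
    samples = ["101", "101 OR 1=1", "x' OR 'a'='a", "1 AND 1=2", "1 UNION SELECT 1,2"]
    for s in samples:
        print(f"{s!r:25} baseline={verify_sql_injection(s, COMPILED_BASELINE) is not None}"
              f" expanded={verify_sql_injection(s, COMPILED_EXPANDED) is not None}")
    # Constructed header value; a real deployment would carry whatever the WAF writes.
    print("WAF tagged:", waf_tagged_attack({"X-WAF-Events": "sqli-rule-hit"}))
```

The baseline list returns no match for `101 OR 1=1`, which is the false negative described above; the expanded list flags it through the tautology pattern. The ordering of the list matters only for which pattern is reported, not for whether a value is flagged.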
