[Owasp-cincinnati] Meeting Follow Up: SQL Injection Attacks And Filter Evasion Techniques

Marco M. Morana marco.m.morana at gmail.com
Sat Feb 28 12:25:39 EST 2009


In one of the use cases that was shown during the last meeting, the attacker will split the SQL injection attack vector to by-pass IDS filter signatures.

Bypass techniques can involve changing an attack vector to evade the signature checked by the IDS.
For example, in the case of the SQL attack vector http://[site]/page.jsp?id=2or1=1--, changing = to "like" in the signature,
it becomes http://[site]/page.jsp?id=2or1like1--, or, by inserting comments, http://[site]/page.jsp?id=2/**/or/**/1/**/like/**/1/**--

Other techniques include encoding (like for XSS), using char(), and using white spaces.
Some of the techniques for bypassing filters (including IDS signatures), as well as the linked server attacks being presented, are covered by Victor Chapela's OWASP paper here:
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

In general, IDS evasion techniques are documented here:
http://insecure.org/stf/secnet_ids/secnet_ids.html

A tool such as nmap can also test whether your IDS can actually be bypassed:
http://nmap.org/book/man-bypass-firewalls-ids.html

Regards

Marco

OWASP Chapter Lead

Writing Secure Software Blogger
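
The detection-side view of the three request variants quoted in the message above, as an added example that is not part of the original post: a literal signature is compared with a normalize-then-match signature and with allowlist validation of the id parameter. The signature patterns, the function names and the 1 to 10 digit rule for id are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: one benign request plus the three id= variants
# quoted in the message.
REQUESTS = [
    "/page.jsp?id=2",
    "/page.jsp?id=2or1=1--",
    "/page.jsp?id=2or1like1--",
    "/page.jsp?id=2/**/or/**/1/**/like/**/1/**--",
]

# Hypothetical literal signature of the kind the message says is being evaded.
NAIVE_SIGNATURE = re.compile(r"or\s*1\s*=\s*1", re.IGNORECASE)
# Hypothetical broader signature, applied only after normalization:
# "or <number> <comparison> <number>", where the comparison is = or like.
NORMALIZED_SIGNATURE = re.compile(r"or\s*\d+\s*(?:=|like)\s*\d+")
# Allowlist for a numeric identifier (assumed to be 1 to 10 decimal digits).
VALID_ID = re.compile(r"[0-9]{1,10}")

def id_param(request):
    """Return the URL-decoded value of the id parameter ('' if absent)."""
    query = parse_qs(urlsplit(request).query, keep_blank_values=True)
    return query.get("id", [""])[0]

def naive_match(request):
    """Blocklist on the raw value: flags only the exact pattern it encodes."""
    return bool(NAIVE_SIGNATURE.search(id_param(request)))

def normalize(value):
    """Canonicalize before matching: drop /*...*/ comments, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", value).strip().lower()

def normalized_match(request):
    """Blocklist on the canonical form: still only as good as its pattern."""
    return bool(NORMALIZED_SIGNATURE.search(normalize(id_param(request))))

def allowlist_violation(request):
    """Positive validation: anything that is not a plain number is flagged."""
    return VALID_ID.fullmatch(id_param(request)) is None

def report():
    """One row per request: (request, naive, normalized, allowlist)."""
    return [(r, naive_match(r), normalized_match(r), allowlist_violation(r))
            for r in REQUESTS]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The allowlist check does not depend on anticipating each rewrite of the vector, which is why validating the parameter (and binding it in a parameterized query) holds up where signature matching alone does not.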

 