[Owasp-leaders] Detecting SQL Injection at SQL Server level

Timo Goosen timo.goosen at owasp.org
Mon Nov 2 07:35:12 UTC 2015


I would suggest that you structure your network in such a way that your SQL
server has to make use of an HTTP Proxy that requires authentication in
order to connect to the public internet. Also force it to use an internal
DNS server, then monitor that DNS server logs to see if someone is trying
to exfiltrate your data over DNS.

Also see if you can disable any functions that could help an attacker such
as WAIT FOR DELAY on MS SQL Server.

I highly reccomend that you read the Database Hacker's Handbook.

Regards.
Timo




On Thu, Oct 29, 2015 at 10:33 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Hi, anybody here has experience on detecting SQL injection on an
> high-volume SQL Server by looking at the SQL Queries errors?
>
> I know some guys (like ETSY) are doing this, but when I was talking with
> the DBAs today they couldn't find an easy way to do it at the SQL server.
>
> The logic is that there should be no SQL compilation errors in the
> Production SQL server, so any errors that occur should either be:
>
> a) a nasty bug
> b) an SQL Injection being triggered by accident
> c) an SQL Injection attack
>
> Since it is really hard for an attacker to perform an SQL Injection
> without triggering an SQL Error ONCE, monitoring for SQL errors is a great
> way to proactively detect attacks (which is what Dan and Zane talk about in
> this video https://www.youtube.com/watch?v=jQblKuMuS0Y)
>
> Ideally this should be detected at SQL Server level since that will make
> sure that all possible scenarios are covered. The alternative is to try to
> detect it via AppDynamics, or on the server logs, or at the Java code
> (which will require code changes).
>
> Dinis
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151102/ff53f5df/attachment.html>


More information about the OWASP-Leaders mailing list