[Owasp-leaders] Detecting SQL Injection at SQL Server level

Dinis Cruz dinis.cruz at owasp.org
Tue Nov 3 11:17:24 UTC 2015


Thanks Sven, that is a really cool approach (and one close to my SAST
heart); the problem in this case is performance.

To give you an idea, our DBA enabled 'query logging' in one of our SQL
Servers for 1 minute and he had 700k queries.

In fact it took a LOT longer to save those 700 thousand queries than to
capture them.

Yes, a lot of them should be pre-compiled and cached, but I don't think we
will be able to create and process the AST without a major performance
impact.

Dinis

On 1 November 2015 at 13:29, Sven Vetsch <sven.vetsch at owasp.org> wrote:

> Hi Dinis
> The following is not based on errors but rather the structure of a query
> and might also be of interest to you:
>
> http://www.slideshare.net/hashdays/hashdays-2011-christian-bockermann-protecting-databases-with-trees
>
> PS: The cool stuff starts at slide 63 :)
>
> Regards,
> Sven
>
> --
>
> Sven Vetsch
>
> Leader OWASP Switzerland
>
> https://www.owasp.ch
>
> https://www.twitter.com/OWASP_ch
>
>
>
> On Thu, Oct 29, 2015 at 4:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>> Hi, does anybody here have experience detecting SQL injection on a
>> high-volume SQL Server by looking at the SQL query errors?
>>
>> I know some guys (like ETSY) are doing this, but when I was talking with
>> the DBAs today they couldn't find an easy way to do it at the SQL server.
>>
>> The logic is that there should be no SQL compilation errors in the
>> Production SQL server, so any errors that occur should either be:
>>
>> a) a nasty bug
>> b) an SQL Injection being triggered by accident
>> c) an SQL Injection attack
>>
>> Since it is really hard for an attacker to perform an SQL Injection
>> without triggering an SQL Error ONCE, monitoring for SQL errors is a great
>> way to proactively detect attacks (which is what Dan and Zane talk about in
>> this video https://www.youtube.com/watch?v=jQblKuMuS0Y)
>>
>> Ideally this should be detected at SQL Server level since that will make
>> sure that all possible scenarios are covered. The alternative is to try to
>> detect it via AppDynamics, or on the server logs, or at the Java code
>> (which will require code changes).
>>
>> Dinis
>>
>
>
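A lightweight version of the structure-based detection Sven links to, as an added example (not code from this thread or from the linked slides): instead of building a full AST per query, each statement is reduced to a literal-free skeleton, known-good skeletons are learned from normal traffic, and any query with an unseen skeleton is flagged. Function names and the sample queries are constructed for this example.

```python
import hashlib
import re

# Cheap stand-in for a parse tree: string and numeric literals become "?",
# whitespace is collapsed and case is folded, so queries that differ only in
# bound values share one skeleton.  A doubled quote ('') inside a string is
# treated as an escaped quote, as T-SQL does.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def skeleton(sql: str) -> str:
    """Return the literal-free, normalised shape of a query."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


def skeleton_id(sql: str) -> str:
    """Short hash of the skeleton, so the baseline is a set of fixed-size keys."""
    return hashlib.sha256(skeleton(sql).encode()).hexdigest()[:16]


def build_baseline(known_good):
    """Learn the set of skeletons seen in normal (trusted) traffic."""
    return {skeleton_id(q) for q in known_good}


def find_unknown(baseline, queries):
    """Return the queries whose skeleton was never seen in the baseline."""
    return [q for q in queries if skeleton_id(q) not in baseline]


# Constructed sample traffic (not from a real log).
BASELINE_QUERIES = [
    "SELECT * FROM users WHERE name = 'alice'",
    "SELECT id FROM orders WHERE total > 10",
]
LIVE_QUERIES = [
    "SELECT * FROM users WHERE name = 'O''Brien'",       # same shape, new value
    "select id from orders where total > 250.5",          # same shape, new value
    "SELECT * FROM users WHERE name = '' OR 1=1 --'",    # literal broken out of
]


def demo():
    return find_unknown(build_baseline(BASELINE_QUERIES), LIVE_QUERIES)


if __name__ == "__main__":
    for q in demo():
        print("unknown query shape:", q)
```

Because only a regex pass and a set lookup run per statement, this keeps up with high query rates far more cheaply than a full parser, at the cost of missing injections that happen to produce an already-known shape.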