Home page logo

basics logo Security Basics mailing list archives

Re: Slow down blind SQL injection
From: Tiago Batista <tiagosbatista () gmail com>
Date: Wed, 10 Oct 2007 05:13:03 +0100

Thank you all for your input, this cleared my head about the subject.

I do agree that artificially slowing down the user is not a good idea,
but I was more interested on watching the result of the tristate answer
(yes/no/slow down) would have on the tools of the trade. I guess, I
better get some time and set up a testbed :)

As Francois pointed out, the tool has lots of time!

Again, thank you all for your input


On Tue, 9 Oct 2007 23:51:56 -0400
Simon <simon.xhz () gmail com> wrote:

  I think it is bad to use the "timing" information of requests to
start counter-attacks (such as slowing down, or sending a message to
the user, etc).  But it could be useful to log such thing or popup an
alert to a human operator.  The alert would say something like
"User1234 session start 3 min ago; delay between requests <1second
(0.343sec); alarm #4 for this user"

If it happens once, you can assume the user is a real human, if it
happens lots you can assume there might be automation tools involved.

Moving fast through HTML forms is not to be considered harmful in any
case, it is most certainly convenient for the user!


On 10/9/07, Francois Larouche
<francois.larouche-ml () sqlpowerinjector com> wrote:

I completely agree with Shulman, a user especially if it's an
important one (director and above, or worst a important customer)
won't look at this "special protection" feature that impedes on the
normal process of the application with a good eye. Time is money.
And in the other hand a automated tool won't care about that delay
anyways. I know that my tool doesn't care about time delay, I can
just start it and go work on something else and just be patient. If
it takes 2 hours to get the admin credentials instead of 15
minutes? Who cares, I still got it, no? :) And even better, now the
network administrator won't be alarmed by a cluster of crazy number
of requests made about the same time.

In any cases, by personal experience most of the time if there is a
spot with blind sql injection then the chances are high that
somewhere else there is a place where you can reflect data in much
fastest way. (with UNION or in an sql genered error reflected by
the webpage such as or 1 in (SELECT user)) So it defeats all the
efforts you put in, and only succeeded to eventually reduce the
user experience.

It's good that you try to find solutions but just beware to not
make the security solution more important than the business. My
personal advice is try to find a solution that will be as
transparent as possible to the user.



I believe this solution is a bit problematic.
Cosider a scenario of a user not remembering the right username or
password, and retyping several times or a user that is not
familiar with a keyboard and inserting typos unintentionally.
Your suggestion is to mistakenly interpret such user as an
attacker performing SQL Injection queries?

In addition an attacker that is determined to hack your site will
tolerate the "slow down" however the user will not tolerate those.

I do not see how much you can profit out of this solution and if
you happen to think of a different alternative please update
(sounds like a good research idea).

Best Regards,

From: Tiago Batista <tiagosbatista () gmail com>
To: security-basics () securityfocus com
Subject: Slow down blind SQL injection
Date: Wed, 3 Oct 2007 04:11:30 +0100

Hello all

Today I was barainstorming and came up with an idea that my help
slow down blind sql injection on a web application.

I remembered that usually a user will read a page before
subbmiting a new query, and that takes time, so why not keep a
timestamp on the user session and enforce some time between

I did not search to find out if some applications out there are
using this, but I would like your input on the folowig:

1. depending on the timestamp, do you think the users will be
very anoyed at some error asking them to try again in a few

2. given that most automated SQL injectors deped on a boolean
result form the query, and this ends up serving a thrid page,
how much will this confuse those tools?

3. Assuming that the pogrammer will log several attempts, will
this help to find and correct blind injection points?

Thank you all


FREE pop-up blocking with the new MSN Toolbar - get it now!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]