Home page logo
/

webappsec logo WebApp Sec mailing list archives

New Paper - SQL Injection Signatures Evasion
From: "Imperva Application Defense Center" <adc () imperva com>
Date: Mon, 19 Apr 2004 11:07:06 +0200

Dear List,

Imperva(tm)'s Application Defense Center has released a new white paper.

The paper, titled 'SQL Injection Signatues Evasion', is based on
research done at Imperva's ADC, and shows that providing protection
against SQL injection using signatures alone is not enough. The paper
demonstrates various techniques that can be used to evade SQL injection
signatures, including advanced techniques that were developed during the
research, and explains why it is not possible to adequately protect an
application against SQL injection using signatures only.

The paper can be viewed at http://www.imperva.com/adc/papers/sigevasion
(Both HTML and PDF versions are available)

The paper was written by:
  Ofer Maor, Application Defense Center Manager
  Amichai Shulman, Chief Technology Officer


Table of Contents
-----------------
- Abstract 
- Introduction 
- Recognizing Signature Protection 
- Common Evasion Techniques 
    Different Encodings 
    White Spaces Diversity 
    TCP Fragmentation 
- Advanced Evasion Techniques 
    The 'OR 1=1' Signature 
    Evading Signatures with White Spaces 
    Evading Any String Pattern 
- Conclusion 
- References 

Abstract
--------
In recent years, Web application security has become a focal center for
security experts. Application attacks are constantly on the rise, posing
new risks for the organization. One of the most dangerous and most
common attack techniques is SQL Injection, which usually allows the
hacker to obtain full access to the organization's Database.

With the rise in SQL Injection attacks, security vendors have begun to
provide security measures to protect against SQL Injection. The first
ones to claim such protection have been the various Web Application
Firewall vendors, followed by most IDS/IPS vendors. 

Most of this protection, however is Signature based. This is obviously
the case with common IDS/IPS vendors, as they come from the network
security world, and revolve around signature-based protection. However,
most of the Web Application Firewalls base their SQL Injection
protection on signatures as well. This is due to the fact that they
inspect HTTP traffic only, and are able to look for attack patterns only
within HTTP traffic. Moreover, it has lately become a common belief that
signatures are indeed sufficient for SQL Injection protection. This
belief has been backed up by a recently published article, describing,
allegedly, a thorough guide for building SQL Injection signatures, in
Snort(tm)-like format. 

The research done at Imperva's Application Defense Center shows,
however, that providing protection against SQL Injection using
signatures only is not enough. This paper demonstrates various
techniques that can be used to evade SQL Injection signatures, including
advanced techniques that were developed during the research. 

The paper further demonstrates why these techniques are actually just
the tip of the iceberg of different evasion techniques, due to the
richness of the SQL language. Eventually, the conclusion that the
research leads to is that providing protection against SQL Injection
using only signatures is simply not practical. A reasonably sized
signature database will never be complete, while an attempt to create a
complete comprehensive signature database, even if theoretically
possible, will yield an amount of signatures that is impossible to
handle while maintaining a reasonable performance requirement, and is
likely to generate too many false positives.


 
---
Application Defense Center
Imperva(tm) Inc.
http://www.imperva.com/adc


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]