SQL injection or SQL phishing is a method of attacking data-driven applications wherein portions of SQL statements are included in an entry field, so that a newly formed rogue SQL command is passed by the website to the database.
SQL injection vulnerabilities allow an attacker to manipulate the query executed by the database and perform functions such as reading, adding, deleting, or changing information in the database.
To detect SQL injection attacks, this rule uses a scoring system that analyzes the inputs in the application. The scoring system works by grouping and assigning a score to the common characters and strings used in SQL injection attacks.
| Group | Score |
|---|---|
| ',%27,\x22,%22,char | 1 |
| ;,%3B | 1 |
| %2B | 1 |
| --,%2D%2D,/*,%2F%2A,*/,%2A%2F | 1 |
| drop table,drop+table,insert into,insert+into,values,group by,group+by,create table,create+table,delete,update,bulk insert,bulk+insert,shutdown | 2 |
| union,having,select,declare,exec | 2 |
| and,or,like,is null,is+null,is not null,is+not+null | 1 |
| %3D | 1 |
| (,%28,),%29,@,%40 | 1 |
| cast | 2 |
If the Deep Security Agent detects any of these characters or words in arriving packets, the score increases by the amount assigned to that group. If a character or word belongs to the same group as a character that has already been triggered, it will not increase the score.
These are the commonly used characters or strings:
| (' | %3B | */ | values | update | select | is null | (,%28,) |
| %27 | %2B | %2A%2F | group by | bulk insert | declare | is+null | %29 |
| \x22 | -- | drop table | group+by | bulk+insert | exec | is not null | @ |
| %22 | %2D%2D | drop+table | create table | shutdown | and | is+not+null | %40 |
| char | /* | insert into | create+table | union | or | %3D | cast |
| ; | %2F%2A | insert+into | delete | having | like |
Those with %XX are the URI-encoded values of a character. The @ symbol can be sent as a raw character “\x40” or “%40”. Some characters are encoded according to the RFC and the web browser automatically encodes them. However, if an attacker uses a custom script or utility, the characters may arrive in raw format so the rule looks for both.
To configure the rule:
- From the Deep Security Manager console, double-click the computer or the security profile.
- Click the DPI/IPS and click Generic SQL Injection Prevention.
- Click the Configuration tab and configure the following settings:
- SQL Injection Patterns – This allows you to specify the list of characters and strings used in SQL injection attacks. Characters and strings are grouped and assigned a score.
- Drop Threshold – This allows you to specify the drop score. The connection is dropped when the scoring mechanism reaches a score above this threshold.
- Log Threshold – This allows you to specify the log score. The connection is logged when the scoring mechanism reaches a score above this threshold.
- Max distance between matches – This allows you to specify the number of bytes that can pass without a match to reset the score to 0.
This is the basic format of an SQL injection attack string:
The following are sample configurations of Generic SQL Injection Prevention rule and the resulting action on our sample attack string.
Example 1:
This configuration causes no log or dropped traffic. The score needs to be higher than any of the defined thresholds before the Generic SQL Injection Prevention rule gets triggered.
Example 2:
In this configuration, “union” is set in a separate line so “select” gains a score. This generates a log and drops the traffic because of the total score of 5, which is higher than the log and drop thresholds.