Understanding the Generic SQL Injection Prevention rule

Updated: 11 Sep 2015
Product/Version: Deep Security 8.0, 9.0, 9.5, 9.6
Platform: Windows 2008 Server R2
Summary
Learn how Generic SQL Injection Prevention works in Deep Security. This article provides the following:
  • Definition of SQL injection
  • How SQL injection attacks are detected
  • Characters and strings commonly used in SQL injection attacks
  • Generic SQL Injection Prevention rule configuration
  • Examples to understand the scoring mechanism
Generic SQL Injection Prevention rule (screenshot)

SQL injection (sometimes called SQL phishing) is a method of attacking data-driven applications in which fragments of SQL statements are placed in an input field, so that the website passes a newly formed, rogue SQL command to the database.

SQL injection vulnerabilities allow an attacker to manipulate the query executed by the database and perform functions such as reading, adding, deleting, or changing information in the database.

To detect SQL injection attacks, this rule uses a scoring system that analyzes the inputs sent to the application. The characters and strings commonly used in SQL injection attacks are grouped, and each group is assigned a score.

Group                                                                                                        Score
', %27, \x22, %22, char                                                                                      1
;, %3B                                                                                                       1
%2B                                                                                                          1
--, %2D%2D, /*, %2F%2A, */, %2A%2F                                                                           1
drop table, drop+table, insert into, insert+into, values, group by, group+by, create table, create+table,
delete, update, bulk insert, bulk+insert, shutdown                                                           2
union, having, select, declare, exec                                                                         2
and, or, like, is null, is+null, is not null, is+not+null                                                    1
%3D                                                                                                          1
(, %28, ), %29, @, %40                                                                                       1
cast                                                                                                         2

If the Deep Security Agent detects any of these characters or words in arriving packets, the score increases by the amount assigned to that group. A character or word whose group has already been triggered does not increase the score again.

These are the commonly used characters or strings:

', %27, \x22, %22, char, ;
%3B, %2B, --, %2D%2D, /*, %2F%2A
*/, %2A%2F, drop table, drop+table, insert into, insert+into
values, group by, group+by, create table, create+table, delete
update, bulk insert, bulk+insert, shutdown, union, having
select, declare, exec, and, or, like
is null, is+null, is not null, is+not+null, %3D
(, %28, ), %29, @, %40, cast

Entries of the form %XX are the URI-encoded values of a character. The @ symbol, for example, can arrive as the raw character "\x40" or as "%40". Some characters are encoded according to the RFC and the web browser encodes them automatically; however, an attacker using a custom script or utility may send them in raw form, so the rule looks for both.

To configure the rule:

  1. From the Deep Security Manager console, double-click the computer or the security profile.
  2. Click DPI/IPS, then click Generic SQL Injection Prevention.
  3. Click the Configuration tab and configure the following settings:
    • SQL Injection Patterns – Specifies the list of characters and strings used in SQL injection attacks. Characters and strings are grouped, and each group is assigned a score.
    • Drop Threshold – Specifies the drop score. The connection is dropped when the score rises above this threshold.
    • Log Threshold – Specifies the log score. The connection is logged when the score rises above this threshold.
    • Max distance between matches – Specifies the number of bytes that may pass without a match before the score is reset to 0.
Configuring Generic SQL Injection Prevention (screenshot)

This is the basic format of an SQL injection attack string:

SQL injection attack string (screenshot)

The following are sample configurations of the Generic SQL Injection Prevention rule and the resulting action on the sample attack string.

Example 1:

Sample Generic SQL Injection Prevention configuration (screenshot)

This configuration produces no log entry and drops no traffic: the score must rise above one of the defined thresholds before the Generic SQL Injection Prevention rule triggers.

Example 2:

Sample Generic SQL Injection Prevention configuration (screenshot)

In this configuration, "union" is placed on a separate line, so "select" scores separately. The total score of 5 is above both the log and drop thresholds, so the traffic is logged and dropped.
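The scoring described above, the group-once rule, the max-distance reset and the two thresholds, as an added, illustrative reimplementation in Python. It is not Trend Micro's code: the group table is taken from this article, while case-insensitive substring matching, the default max distance of 35 bytes and the sample inputs are assumptions made here.

```python
import re

# Pattern groups and scores as listed in the article's table. "\x22" in the article
# denotes the raw double-quote character, so it is included here as '"'.
SQLI_GROUPS = [
    (1, ["'", "%27", '"', "%22", "char"]),
    (1, [";", "%3B"]),
    (1, ["%2B"]),
    (1, ["--", "%2D%2D", "/*", "%2F%2A", "*/", "%2A%2F"]),
    (2, ["drop table", "drop+table", "insert into", "insert+into", "values",
         "group by", "group+by", "create table", "create+table", "delete",
         "update", "bulk insert", "bulk+insert", "shutdown"]),
    (2, ["union", "having", "select", "declare", "exec"]),
    (1, ["and", "or", "like", "is null", "is+null", "is not null", "is+not+null"]),
    (1, ["%3D"]),
    (1, ["(", "%28", ")", "%29", "@", "%40"]),
    (2, ["cast"]),
]

# token -> (group index, score); longest tokens first so "is not null" wins over "is null".
TOKEN_GROUP = {t.lower(): (gi, pts) for gi, (pts, toks) in enumerate(SQLI_GROUPS) for t in toks}
TOKEN_RE = re.compile("|".join(re.escape(t) for t in sorted(TOKEN_GROUP, key=len, reverse=True)),
                      re.IGNORECASE)

def score_payload(data: str, max_distance: int = 35) -> int:
    """Peak score reached while scanning data: each group counts once, and more than
    max_distance bytes without a match resets the running score to 0 (assumed matching rules)."""
    score = peak = 0
    triggered = set()
    last_end = None
    for m in TOKEN_RE.finditer(data):
        if last_end is not None and m.start() - last_end > max_distance:
            score, triggered = 0, set()  # gap too long: start scoring afresh
        gi, pts = TOKEN_GROUP[m.group(0).lower()]
        if gi not in triggered:  # a second hit in an already-triggered group adds nothing
            triggered.add(gi)
            score += pts
            peak = max(peak, score)
        last_end = m.end()
    return peak

def evaluate(data: str, log_threshold: int, drop_threshold: int, max_distance: int = 35):
    """Map the score to the rule's action: 'drop' above the drop threshold, otherwise 'log'
    above the log threshold, otherwise 'allow'. Returns (score, action)."""
    s = score_payload(data, max_distance)
    action = "drop" if s > drop_threshold else "log" if s > log_threshold else "allow"
    return s, action
```

Calling evaluate("id=1%27+union+select+1%2C2%2C3--", 3, 4) on this constructed request fragment gives a score of 4 (%27, union, -- ; select adds nothing because union already triggered its group), which is above the log threshold but not the drop threshold. Note that substring matching also scores "or" inside ordinary words such as "password", which is why the thresholds and max distance must be tuned per application.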

Category: Troubleshoot; Deploy; Install; Upgrade; Update
Solution Id: 1098159