Security Warrior by Anton Chuvakin, Cyrus Peikari

SQL Injection Defenses

Note that ordinary packet-filtering firewalls will not protect you from SQL injection. They lack the application-layer intelligence to see what is happening inside the HTTP traffic they allow through on port 80, and the same is true for most application-level attacks. Network intrusion detection helps, but it is no "silver bullet" here either: the attack strings come in too many forms to be captured by an effective signature set, and if the target site runs SSL the attacker can sidestep the IDS entirely by sending the same requests to TCP port 443, where the payload is encrypted and invisible to the sensor.

We will categorize defenses into three main types, as described in Table 16-6.

Table 16-6. SQL injection defenses

Defensive approach: Obfuscation
Description: Complicating the attack by withholding the feedback an attacker needs (or at least wants) in order to locate SQL injection flaws
Examples: Generic error messages, limiting database output
Counterattacks: "Blind" SQL injection[6]

Defensive approach: Using stored procedures instead of dynamically built queries
Description: Avoiding queries assembled from SQL fragments and user input by replacing them with database stored procedures (conceptually similar to subroutines)
Examples: Use of sp_get_price( ) instead of "SELECT * from price"
Counterattacks: Recent advanced SQL injection techniques can inject parameters into stored procedures

Defensive approach: External filtering
Description: Trying to only allow legitimate requests to the database ...
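The following is an added example, not code from the book, showing the first two rows of Table 16-6 side by side: a price lookup built by string concatenation, the same lookup behind generic error messages (obfuscation), and the lookup rewritten so user input is passed as a bound parameter. SQLite has no stored procedures, so the parameterized query stands in for the sp_get_price( ) approach; the principle is the same, the user's value is sent as data and can never become part of the SQL code. The table contents, the table name `price`, and the function names are all constructed for this example.

```python
import sqlite3

# Constructed sample data so the example runs offline against an in-memory database.
PRICES = [
    ("widget", 10.0),
    ("gadget", 25.0),
    ("gizmo", 99.0),
]

GENERIC_ERROR = "An error occurred."


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE price (name TEXT PRIMARY KEY, amount REAL)")
    conn.executemany("INSERT INTO price VALUES (?, ?)", PRICES)
    return conn


def get_price_dynamic(conn, name):
    """Vulnerable: the statement is assembled by concatenation, so the caller's
    'name' is interpreted as SQL code.  "' OR '1'='1" returns every row, and a
    lone quote raises a syntax error whose text tells the attacker exactly
    how the query broke."""
    sql = "SELECT name, amount FROM price WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def get_price_verbose_errors(conn, name):
    """Vulnerable and chatty: the raw database error is handed back to the user,
    which is the feedback an attacker uses to map the injection point."""
    try:
        return get_price_dynamic(conn, name)
    except sqlite3.Error as exc:
        return str(exc)  # leaks the parser's complaint, e.g. the offending token


def get_price_generic_errors(conn, name):
    """Obfuscation row of Table 16-6: still the vulnerable query, but every
    database error is replaced by a fixed message.  Injection still works;
    the attacker is merely forced to proceed 'blind'."""
    try:
        return get_price_dynamic(conn, name)
    except sqlite3.Error:
        return GENERIC_ERROR


def get_price_param(conn, name):
    """Hardened: a parameterized query.  The driver transmits 'name' as a value,
    so the statement's structure is fixed before the input is seen.  This is
    the role sp_get_price( ) plays in the table when it is called with bound
    parameters rather than with a string built from user input."""
    return conn.execute(
        "SELECT name, amount FROM price WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the three variants against a benign value, a tautology payload and a
    malformed quote, returning the results for inspection."""
    conn = make_db()
    benign, tautology, broken = "widget", "' OR '1'='1", "'"
    return {
        "dynamic_benign": get_price_dynamic(conn, benign),
        "dynamic_tautology": get_price_dynamic(conn, tautology),
        "verbose_error": get_price_verbose_errors(conn, broken),
        "generic_error": get_price_generic_errors(conn, broken),
        "param_benign": get_price_param(conn, benign),
        "param_tautology": get_price_param(conn, tautology),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} -> {result!r}")
```

Running `demo()` shows the contrast the table describes: the dynamic query returns all three rows for the tautology payload, the generic-error wrapper hides the parser message but changes nothing about that, and the parameterized query returns no rows because the payload is matched literally against the `name` column. The same holds for a real stored procedure: if it builds dynamic SQL internally from its arguments, it inherits the weakness of `get_price_dynamic`, which is the counterattack noted in the table.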
