Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and even though this presentation was dedicated to the topic of good old SQL injection, it got my attention.
The author and presenter Nick Galbreath promises a 98% reduction in SQL injection attacks for regular web applications. This promise rests on a simple observation made after analyzing piles of SQL code: the SQL used in web applications – referred to as “everyday SQL” – and the SQL used by attackers to mount SQL injection attacks – “SQLi SQL” – basically do not overlap. In other words, attackers rely on SQL constructs that developers rarely use. For example, attackers use unions all over the place, but unions are rarely used otherwise. The same goes for comments, subselects, various built-in SQL functions whose effect can be achieved much more easily by similar logic at the application layer, SQL variables and a few more. It turns out that if applications are forced to accept only a subset of SQL that does not allow unions, comments, and subselects, they can achieve a 95% reduction in SQL injection attacks. By eliminating the rest of the questionable constructs often used by attackers, applications can reduce SQL injection attacks by 98%.
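To make the idea concrete, here is an added illustration (my own code, not Galbreath's) of a minimal query monitor that flags the constructs the talk singles out; the regexes, construct names and sample queries are assumptions of mine, and a production monitor would tokenize SQL properly rather than rely on patterns. The subselect sample also shows the trade-off: a legitimate developer query using a construct outside "everyday SQL" is rejected too.

```python
import re

# Constructs that "SQLi SQL" uses far more often than "everyday SQL", per the
# talk summarised above. Patterns are assumptions; '#' comments are MySQL-style.
RISKY_CONSTRUCTS = {
    "union":     re.compile(r"\bunion\b", re.IGNORECASE),
    "comment":   re.compile(r"--|/\*|#"),
    "subselect": re.compile(r"\(\s*select\b", re.IGNORECASE),
    "variable":  re.compile(r"@@?\w+"),
}

def strip_string_literals(query: str) -> str:
    """Blank out single- and double-quoted literals (handling '' and \\-escapes)
    so that keywords inside data, e.g. 'union square', are not flagged."""
    return re.sub(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.)*\"", "'?'", query)

def find_risky_constructs(query: str) -> list[str]:
    """Return the names of SQLi-favoured constructs present in the query."""
    text = strip_string_literals(query)
    return [name for name, pat in RISKY_CONSTRUCTS.items() if pat.search(text)]

def is_everyday_sql(query: str) -> bool:
    """A query passes the allow-list if it uses none of the risky constructs."""
    return not find_risky_constructs(query)

# Constructed sample queries; the first two are ordinary application SQL.
SAMPLE_QUERIES = [
    "SELECT name, price FROM products WHERE id = 42",
    "SELECT name FROM products WHERE name = 'union square map'",
    "SELECT name FROM products WHERE id = 1 UNION SELECT 1,2 -- ",
    "SELECT name FROM products WHERE id = (SELECT MAX(id) FROM products)",
    "SELECT @@version",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        verdict = "allow" if is_everyday_sql(q) else "block " + str(find_risky_constructs(q))
        print(f"{verdict:40} {q}")
```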
The interesting thing about this approach is that it is not tied to a particular detection technique: any runtime monitoring or defense infrastructure capable of inspecting the queries an application executes could apply it. Whether you are a developer still struggling to get rid of SQL injection vulnerabilities in your code or a security practitioner working out new vulnerability and attack detection techniques, I encourage you to check out Nick Galbreath’s work. The full version of his RSA slides is available here.