RSA Conference 2013: News on SQL Injection Detection and Prevention

Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and even though this presentation was dedicated to the topic of good old SQL injection, it got my attention.

 

The author and presenter Nick Galbreath promises a 98% reduction in SQL injection attacks for regular web applications. This promise is based on a simple observation made after analyzing piles of SQL code: SQL used in web applications – referred to as “everyday SQL” – and SQL used by attackers to mount SQL injection attacks – “SQLi SQL” – basically do not overlap. Meaning, attackers use SQL constructs that are rarely used by developers. For example, unions are used by attackers all over the place, but are rarely used otherwise. Same goes for comments, subselects, various built-in SQL functions whose effect can be achieved by similar logic applied much more easily at the application layer, SQL variables and a few more. It turns out that if applications are forced to respond to a subset of SQL that does not allow unions, comments, and subselects, they can achieve 95% reduction in SQL injection attacks. By eliminating the rest of the questionable constructs often used by attackers, applications can reduce SQL injection attacks by 98%.

 

The interesting thing about this approach is that it’s not tied to a particular detection technique. Any runtime monitoring or defense infrastructure capable of inspecting the queries executed by an application could apply it. Whether you are a developer still struggling with getting rid of SQL injection vulnerabilities in your code or a security practitioner figuring out new vulnerability and attack detection techniques, I encourage you to check out Nick Galbreath’s work. Full version of his RSA slides is available here.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation