Professional Documents
Culture Documents
An Alternate Approach For SQLi Detection - Reto Ischi
An Alternate Approach For SQLi Detection - Reto Ischi
• Reto!Ischi!
• Lead!security!engineer/developer!of!!
Airlock!WAF!at!Ergon!InformaEk!AG!
• 10+!years!experience!in!the!area!of!web!
applicaEon!security/WAF!
• IT!interests:!Web!and!OS!security,!crypto,!
theoreEcal!computer!science,!...!
Content!
• SQLi!Not!Yet!Boring!
• RealTLife!SQLi!DetecEon!
• Classical!Approach!to!Filter!SQLi!
• LibinjecEon!
– Recap!
– Weaknesses!
– Combined!with!Classical!Approach!
• New!Approach!Detect!False!PosiEves!
• Prototype!Demo!
SQLi!Not!Yet!Boring!
SQLi!–!Same!Old!Story!
known!since!15!years,!remains!a!significant!thread!
Other,&12%&
SQLi,&
32%&
Targeted&
A?ack,&8.80%&
Account&
Hijacking,&
12%&
Unknown,&
DDos,&14%& 21%&
Mai!2013!
[hackmageddon.com]!
RealTLife!SQLi!DetecEon
Is!SQLi!Blocking!Hard?!
• Can‘t!decide!correctly!in!all!cases!without!addiEonal!
informaEon!
• Strict!rules!=>!extensive!excepEon!handling!
• Block!this...?!
!
SELECT * FROM users WHERE
name = '%USER%' and password = '%INJECT%';
!
%INJECT%&(MySQL): ! !
'=' ‘ &’ ‘ << ‘ ‘ >> ‘
‘|‘ ‘^‘ ‘ like ‘* ‘ % ‘1
‘ * ‘1 ' / ‘1
Unsolvable!Decision!Problem!
...even!worse!without!quotes:!
!
SELECT * FROM users WHERE
name = '%USER%' and PIN = %INJECT%;
!
%INJECT%:!x,y!=!<any!number>!!!!z!=!<any!string>!
!x!or!y! !x||y ! !x<y ! !x=0!
!'z'!or!y !'z'=0 ! !0<=>0 !x<>x!
!x!<!y! ! !x<=y ! !x!!=!y! !PIN!
Classical Approach
to Filter SQLi
Our!Classical!Approach!
• Moderate!complex!Regex!
!
• Categorize!amack!types,!consider!DBMS!
– EliminaEng!condiEons!(Comment!symbols,!…)!
– Extending!query!results!(UNION!SELECT,!string!concat,!...)!
– Start!of!new!Commands!(;!UPDATE...)!
– Change!expression!evaluaEon!(tautologies,!...)!
– ...!
Classical!Approach!T!Example!
1. As-is
1 number B group/order by
U union f function
v at (@) c comment
Tokenizer!
• Fingerprints!of!length!up!to!5!to!detect!SQLi!
&1o1U,!&1osU,!&1ovU,!&f()o,!&f(1),!&f(s)!….!
• Compare!only!the!first!5!tokens!of!the!parsed!
strings!seems!to!be!enough!
– If!yes,!we're!lucky!=>!fast!
• Fingerprints!generated!(learned)!from!a!large!
list!(>!47000)!of!SQLi!(src:!pentest!tools,!cheat!
sheets,!forums,...)!
!
!
LibinjecEon!Weaknesses!
LibinjecEon!Weaknesses!
• Bypass!5!token!restricEon!with!padding!
• "asTis"!context!(MySQL):!
…WHERE id = 1^1^1^1^1# AND…
token!representaEon:!1o1o1!
• Quoted!context!(Oracle):!
…WHERE name = 'a'||'d'||'m'||'i'||'n'--' AND…
token!representaEon:!s&s&s!
• Mixed!(MySQL):!
…WHERE id = 1 ^ 'N' || 2# AND…
…WHERE id = (select @a or ( @a ))# AND…!
LibinjecEon!Weaknesses!
• Tokenize!the!full!input!string!
!
• Pamern!matching!
T Evasion!by!padding!no!longer!possible!
T Fingerprint!learning!vs.!human!brain!power!
!
• More!expensive?!
libinjecEon!+!regex!
• Major!benefit:!Much!simpler!pamerns!
– Dozens!of!variants!to!separate!terms!(space,!tab!variants,!CR,!
LF,!null!byte,!...)!
– Long!disjuncEon!chains!
select|insert|update|delete|...!=>!keyword!
• Example!Pamern:!"
Classical!Regex:
;.*(execute|exec|insert|update|select|delete|
drop|waitfor|create|alter|begin)(--|[#'(\h\v])"
Token!Regex:!
;.*k[cs(]
!
• Slightly!bemer!detecEon!rate!but!way!more!FP!
!
New!Approach!to!Detect!
False!PosiEves!Based!on!Lexical!
Analysis!
Detect!False!PosiEves!
• Which!token!combinaEons!are!not!common!in!
SQL?!
!
!...!<NAME>!<NAME>!...!
...!<NUMBER>!<NAME>!...!
...!<OPERATOR>!<OPERATOR>!...!
...!
Detect!False!PosiEves!
Why!not!having!two!consecuEve!names!in!the!
token!representaEon!of!SQLi?!
Detect!keywords:!
!UPDATE!TEST!SET!A!=!1!WHERE!ID!=!1!
Consider!strings:!
!SELECT!"foo!bla"!FROM!t!
Remove!comments:!
!SELECT!id!/*!this!is!comment!*/!FROM!t!
!
!
Detect!False!PosiEves!
↓! ↓!
Two consecutive names => FP
Whitelist!ExcepEons!
ExcepEon!example!for:!<name>!<name>!
!
Column!and!table!alias!without!AS!keyword!
SELECT!id!i,!name!FROM!mytable!
!
SELECT!id,!name!FROM!mytable!m!
Pros!New!Approach!
• No!need!to!consider!SQLi!and!FP!in!a!single!
complex!regex:!
1)!Simple®ex&to!detect!SQLi!
!Please!click!on!facebook's!'like'!bumon!
Blacklist!rule:!<quote><logical!operator>!
!
2)!Simple®ex&to!whitelist!false!posiEve !!
!Please!click!on!facebook's!'like'!bumon!
Whitelist!rule:!<name>!<name>!
!
• Can!whitelisEng!step!be!used!to!evade!filter?!
!
!
Overall!Process!
match:
could be SQLi
no!match!
no!match!
reduce false positives
!
!
Prototype!Demo!
Conclusions!
• RealTlife!SQLi!detecEon!without!addiEonal!info!is!hard!
• False!posiEves!are!a!pain!
• Lexical!analysis!
– Simplifies!blacklist!rules!
– False!posiEves!reducEon!by!whitelisEng!
– Worth!for!further!research!
!
• Can!we!use!lexical!analysis!to!prevent!other!code!
injecEon!amacks?!
!
Special!thanks!to!Erwin!Huber!and!Thomas!
Lohmüller!for!their!support!
!
Feedback!/!suggesEons!welcome:!
reto.ischi@ergon.ch!
!
hmp://www.ergon.ch/en/airlock!