December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 9-4: Preventing SQL Injection Attacks
This recipe shows you how to identify when attackers attempt to use SQL Injection attacks.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_41_sql_injection_attacks.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
- @rx operator
- @pm operator
CAPEC-66: SQL Injection
This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended.
SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attacker’s choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database.
Sample Attacks
Here are some real-world SQL ...