[REVS] SQLBlock: SQL Injection Protection by Variable Normalization of SQL Statement

• Previous message: SecuriTeam: "[NT] Yahoo! Messenger Server Race Condition Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 18 May 2005 15:27:24 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  SQLBlock: SQL Injection Protection by Variable Normalization of SQL
Statement
------------------------------------------------------------------------

SUMMARY

The article linked at this advisory presents a method to protect from SQL
injection attack. The method involves using a virtual database
connectivity drive as well as a special method named variable
normalization to extract the basic structure of a SQL statement so that we
could use that information to determine if a SQL statement is allowed to
be executed. The method can be used in most scenarios and does not require
changing the source code of database applications (i.e. the CGI web
application). The presented method can also be used for auto-learning the
allowable list of SQL statements, which makes the system very easy to
setup. And since the decision of whether a SQL statement is allowed is to
check if the normalized statement exists in our ready-sorted allowable
list, the overhead of the system is very minimal.

DETAILS

Conclusion:
We presented variable normalization for SQL statements, which can
extract the basic structure of a SQL statement. If SQL injection happens,
the structure of the SQL statement will be altered and hence normalized
SQL statement will also be altered and we will be able to detect it. We
use this method to implement SQLBlock, a database connectivity layer proxy
driver that can block SQL injection attacks.

SQLBlock has very minimal overall performance impact. Theoretically, it
works will all database servers without the need to change the client
source code. Auto-learning the allowable list makes the system easy to
deploy even for complex clients that will issue many different SQL
commands. And since SQLBlock is a connectivity layer proxy, it works even
for SSL web applications. We believe SQLBlock is an effective and
practical solution to solve this class of attacks.

ADDITIONAL INFORMATION

The information has been provided by <mailto:samng@computer.org> Sam M.S.
NG.
The original article can be found at:
<http://www.sqlblock.com/sqlblock.pdf>
http://www.sqlblock.com/sqlblock.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Yahoo! Messenger Server Race Condition Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]