Detect SQL Injection Attacks with Sax2 by iupon13


									?What is SQL Injection Attacks

With the growing up of B/S model application development, more and more
programmer write program with it. Unfortunately, many programmers did not judge
the validity of users' input data during encoding, and then, there will be security risk
in the application.

Malicious attackers submit a special section of database query code to the server, the
server will disclosure some sensitive information when respond with corresponding
result. This is SQL Injection Attacks. The main trend Firewall currently will not alarm
when there is SQL attack because of the SQL Injection is via normal point and hidden
and difficult to be detected, seemingly normal website visit.
The danger of SQL Injection Attacks

According to the statistics of CVE in 2006, there are more than 70% attacks based on
web application. The SQL Injection Attacks increase year by year, it arrives at 1078 in
2006. Even though, these data is only for the vulnerability in universal applications

The danger of SQL Injection Attacks including:

? Change the data in database without authorization.
 Gain the administration authority of a site without authorization.
? Maliciously change content of a site without authorization.
? XSS attacks.
? Gain the control authority of the server without authorization.
? Add, delete and change the accounts in the server without authorization.

The process of detect and revert SQL Injection Attacks with Sax2

Some IDS software will execute effective detection for SQL Injection Attacks, though,
firewall can not. Now, we go to the process of detect and revert SQL Injection Attacks
with IDS software Sax2.

The steps of SQL Injection Attacks are:

a) Determine environment to find the injection point.
b) Determine the type of database.
c) Guess datasheet.
d) Guess the field.
e) Guess the content.

The steps "Guess datasheet", "Guess the field" and "Guess the content" are very
important fro SQL Injection Attacks during the full process. Let's analyze these there

Sax2 will detect and alarm the attacks in network real-time. It will show the in the
table Event when there is SQL Injection Attacks, see the figure 1.

Figure 1 Sax2 alarm the MS_SQL Injection Attacks real-time

The selected event in the Figure 1 shows the attacker's IP, the victim's
IP And the original message is "select * from [dirs]", means enquire
whether there is a datasheet named "dirs" in current database, in the Original
Communication view.
The attacker will repeat the operation to gain the expected datasheet. He will try to
guess the filed in the datasheet if found the corresponding datasheet in the database.

Figure 2 Sax2 analysis the attacker is guessing the filed in the admin database

The code in the red circle in the Figure 2 show the attacker is guessing the "paths"
filed in the admin database. Also, the attacker will repeat the operation till find the
corresponding filed.

The attacker will determine the length of the filed and guess the content after found
the corresponding filed. It will be a SQL Injection Attacks after the attacker guess the
content in the filed successfully. Sometimes, the attacker has to decryption the content
if it in MD5 encryption.

Above is the whole process of SQL Injection Attacks and we detect it with Sax2. As
we know, Sax2 can effectively detect and alarm the SQL Injection Attacks when it
occurs. IDS software Sax2 is a useful tool for SQL Injection Attacks and make your
network security combine with firewall software.

To top