
Catching SQL Injection and other Malicious Web Requests

"I am looking for a tool that can detect malicious requests (such as obvious SQL injection GETs or POSTs) and will immediately ban the IP address of the requester/add it to a blacklist. I am aware that in an ideal world our code should be able to handle such requests and treat them accordingly, but there is a lot of value in such a tool even when the site is safe from these kinds of attacks, as it can lead to saving bandwidth, preventing bloat of analytics, etc.

Ideally, I'm looking for a cross-platform (LAMP/.NET) solution that sits at a higher level than the technology stack; perhaps at the web-server or hardware level. I'm not sure if this exists, though.

Either way, I'd like to hear the community's feedback so that I can see what my options might be with regard to implementation and approach."

Asked by: Guest | Views: 262
Total answers/comments: 3
Guest [Entry]

"The problem with a generic tool is that it is very difficult to come up with a set of rules that will only match against a genuine attack.

SQL keywords are all English words, and don't forget that the string

DROP TABLE users;

is perfectly valid in a form field that, for example, contains an answer to a programming question.

The only sensible option is to sanitise the input before ever passing it to your database but pass it on nonetheless. Otherwise lots of perfectly normal, non-malicious users are going to get banned from your site."
Guest [Entry]

"One method that might work for some cases would be to take the SQL string that would run if you naively used the form data and pass it to some code that counts the number of statements that would actually be executed. If it is greater than the number expected, then there is a decent chance that an injection was attempted, especially for fields that are unlikely to include control characters, such as username.

Something like a normal text box would be a bit harder since this method would be a lot more likely to return false positives, but this would be a start, at least."
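An added example (not code from either answer) that puts the two answers above together: `count_statements` implements the statement-counting heuristic from the second answer over the SQL string that naive concatenation would produce, and `safe_lookup` shows the first answer's point that the same text, bound as a query parameter, is stored and matched verbatim. The `users` table, the column names and the sample inputs are constructed for the demo.

```python
import sqlite3

def count_statements(sql: str) -> int:
    """Count top-level statements in a SQL string (the heuristic from the answer above).
    Semicolons inside quoted literals and inside '--' line comments are ignored."""
    count, quote, pending, i = 0, None, False, 0
    while i < len(sql):
        c = sql[i]
        if quote:                                   # inside a string literal
            if c == quote and sql[i + 1:i + 2] == quote:
                i += 1                              # doubled quote is an escaped quote
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote, pending = c, True
        elif c == "-" and sql[i + 1:i + 2] == "-":  # line comment: skip to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
        elif c == ";":
            if pending:                             # a statement ended here
                count, pending = count + 1, False
        elif not c.isspace():
            pending = True                          # saw text belonging to a statement
        i += 1
    return count + (1 if pending else 0)

def naive_query(username: str) -> str:
    """The string that *would* run if form data were concatenated in (never executed here)."""
    return "SELECT id FROM users WHERE name = '" + username + "'"

def looks_like_injection(username: str, expected: int = 1) -> bool:
    """Flag input that turns the one expected statement into several."""
    return count_statements(naive_query(username)) > expected

def safe_lookup(username: str) -> list:
    """Parameterized query: the same text is bound as data, so it is stored and matched verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (username,))
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    # Constructed sample inputs: the benign answer text from the first answer, a name with an
    # apostrophe, and a classic quote break-out that the heuristic should flag.
    for value in ["DROP TABLE users;", "O'Brien", "alice'; DROP TABLE users; --"]:
        print(repr(value), "flagged:", looks_like_injection(value), "stored as:", safe_lookup(value))
```

Note that the benign `DROP TABLE users;` text from the first answer stays entirely inside the quoted literal, so it counts as one statement and is not flagged, while the parameterized lookup stores every input unchanged.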
Guest [Entry]

One little thing to keep in mind: in some countries (i.e. most of Europe), people do not have static IP addresses, so blacklisting should not be forever.