Re: SQL Injection monitoring/protection tools

From: Powell, Mark <mark.powell2_at_hpe.com>
Date: Mon, 27 Mar 2017 15:05:34 +0000
Message-ID: <AT5PR84MB005005ED6325E65FEB9A91AFCC330_at_AT5PR84MB0050.NAMPRD84.PROD.OUTLOOK.COM>

Use of bind variable alone will not make an application completely SQL injection proof. It depends on how the application uses the bind variables especially if the bind variables are used to form dynamic SQL within the application. The following is not as good an example as I have seen but it should be enough to make the point: http://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks/8265319#8265319

Any routine that performs dynamic DDL based on input is especially worth review from an SQL injection point of view.

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Mladen Gogala <gogala.mladen_at_gmail.com> Sent: Saturday, March 25, 2017 5:56:13 PM To: oracle-l_at_freelists.org
Subject: Re: SQL Injection monitoring/protection tools

SQL Injection is only possible in the applications which use string concatenation with the fields from web forms, to create SQL which will then be executed. In addition to being prone to SQL injection, like in the famous "Bobby tables" comic, this also doesn't perform well, because the generated SQL uses constants and needs to undergo hard parsing. Applications should use bind variables, which will make them impervious to SQL injection attacks. Here is the famous "little Bobby tables" XKCD comic: https://xkcd.com/327/

On 03/22/2017 05:04 PM, Upendra nerilla wrote:

Thanks much Mark and Rob for the information.

These documents are great.. I will share them with the Development teams.

What I am also looking at from monitoring perspective, if there is a way to monitor/identify poorly written queries (candidates for SQL injection).. anyone using any specific way (processes/scripts/manual) to capture the candidate queries?

Thanks
-Upendra

From: Mark W. Farnham <mwf_at_rsiz.com><mailto:mwf_at_rsiz.com> Sent: Tuesday, March 21, 2017 8:42 AM
To: nupendra_at_hotmail.com<mailto:nupendra_at_hotmail.com>; 'Oracle-L' Subject: RE: SQL Injection monitoring/protection tools

Protection protocol:

Read Bryn Llewellyn�s paper on writing PL/SQL correctly to prevent injection.

Follow Bryn�s rules for things that are allowed to attach to your database.

Overly simple: perhaps. Effective? Definitely.

Allow folks to bend Bryn�s rules? Then you have entered the np incomplete problem space of intrusion detection. Good luck.

mwf

From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Upendra nerilla Sent: Monday, March 20, 2017 11:06 PM
To: Oracle-L
Subject: SQL Injection monitoring/protection tools

Hello everyone -

I am interested in finding what kind of tools folks are using to defend against SQL injection type attacks?

I have seen the capabilities of Database Firewall from various documents, seems to have nice features.

Have seen the following page listing a few other options:

https://en.wikipedia.org/wiki/Web_application_firewall

Could you please share any feedback on any tools/strategy anyone is using..

Much appreciated

-Upendra

--

Mladen Gogala
Oracle DBA
Tel: (347) 321-1217

--

http://www.freelists.org/webpage/oracle-l Received on Mon Mar 27 2017 - 17:05:34 CEST

This message: [ Message body ]
Next message: Balwanth B: "Update 100 rows and sleep for 60 sec"
Previous message: Mladen Gogala: "Re: SQL Injection monitoring/protection tools"
In reply to: Mladen Gogala: "Re: SQL Injection monitoring/protection tools"
Next in thread: rogel_at_web.de: "Aw: RE: Update 100 rows and sleep for 60 sec"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message