Dear List,

Imperva(tm)'s Application Defense Center has released a new white paper. The paper, titled 'SQL Injection Signatures Evasion', is based on research done at Imperva's ADC, and shows that providing protection against SQL injection using signatures alone is not enough. The paper demonstrates various techniques that can be used to evade SQL injection signatures, including advanced techniques that were developed during the research, and explains why it is not possible to adequately protect an application against SQL injection using signatures only.

The paper can be viewed at http://www.imperva.com/adc/papers/sigevasion (both HTML and PDF versions are available).

The paper was written by:
Ofer Maor, Application Defense Center Manager
Amichai Shulman, Chief Technology Officer

Table of Contents
-----------------
- Abstract
- Introduction
- Recognizing Signature Protection
- Common Evasion Techniques
  - Different Encodings
  - White Spaces Diversity
  - TCP Fragmentation
- Advanced Evasion Techniques
  - The 'OR 1=1' Signature
  - Evading Signatures with White Spaces
  - Evading Any String Pattern
- Conclusion
- References

Abstract
--------
In recent years, Web application security has become a focal point for security experts. Application attacks are constantly on the rise, posing new risks for the organization. One of the most dangerous and most common attack techniques is SQL Injection, which usually allows the hacker to obtain full access to the organization's database.

With the rise in SQL Injection attacks, security vendors have begun to provide security measures to protect against SQL Injection. The first ones to claim such protection have been the various Web Application Firewall vendors, followed by most IDS/IPS vendors. Most of this protection, however, is signature-based. This is obviously the case with common IDS/IPS vendors, as they come from the network security world and revolve around signature-based protection.
However, most of the Web Application Firewalls base their SQL Injection protection on signatures as well. This is due to the fact that they inspect HTTP traffic only, and are able to look for attack patterns only within HTTP traffic. Moreover, it has lately become a common belief that signatures are indeed sufficient for SQL Injection protection. This belief has been backed up by a recently published article describing, allegedly, a thorough guide for building SQL Injection signatures in Snort(tm)-like format.

The research done at Imperva's Application Defense Center shows, however, that providing protection against SQL Injection using signatures only is not enough. This paper demonstrates various techniques that can be used to evade SQL Injection signatures, including advanced techniques that were developed during the research. The paper further demonstrates why these techniques are actually just the tip of the iceberg of different evasion techniques, due to the richness of the SQL language.

The conclusion the research leads to is that providing protection against SQL Injection using only signatures is simply not practical. A reasonably sized signature database will never be complete, while an attempt to create a complete, comprehensive signature database, even if theoretically possible, will yield a number of signatures that is impossible to handle while maintaining reasonable performance, and is likely to generate too many false positives.

---
Application Defense Center
Imperva(tm) Inc.
http://www.imperva.com/adc
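The abstract's point, that a pattern match on the request is a weaker control than fixing how the query is built, illustrated in Python as an added example (this is not code from the paper or from Imperva). A literal signature for the 'OR 1=1' pattern named in the table of contents is checked against that pattern with the encoding and white-space variations the paper lists, with and without normalization, and both are contrasted with a parameterized query that needs no pattern at all. The sample inputs, the users table, and all function names are constructed for this example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample inputs: the 'OR 1=1' pattern the paper names, plus the
# URL-encoding and white-space variations from its table of contents.
SAMPLES = {
    "plain":   "' OR 1=1 --",
    "encoded": "%27%20OR%201%3D1%20--",
    "tab":     "'\tOR\t1=1\t--",
}

# A naive, Snort-like literal signature: the pattern with single spaces.
NAIVE_SIG = re.compile(r"' OR 1=1", re.IGNORECASE)


def naive_match(request_value: str) -> bool:
    """Signature applied to the raw request value, as a naive filter would."""
    return bool(NAIVE_SIG.search(request_value))


def normalize(request_value: str) -> str:
    """URL-decode and collapse white-space runs before matching."""
    return re.sub(r"\s+", " ", unquote(request_value))


def normalized_match(request_value: str) -> bool:
    """Same signature, applied after normalization."""
    return bool(NAIVE_SIG.search(normalize(request_value)))


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The vulnerable construction: input spliced into the SQL text."""
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The structural fix: input bound as a parameter, never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run every sample through both signatures and both query styles."""
    conn = setup_db()
    results = {}
    for label, raw in SAMPLES.items():
        decoded = unquote(raw)  # what the application sees after the web server decodes the URL
        results[label] = {
            "naive_sig": naive_match(raw),
            "normalized_sig": normalized_match(raw),
            "concat_rows": len(lookup_concat(conn, decoded)),
            "param_rows": len(lookup_param(conn, decoded)),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:8s} naive={r['naive_sig']!s:5s} normalized={r['normalized_sig']!s:5s} "
              f"concat_rows={r['concat_rows']} param_rows={r['param_rows']}")
```

Only the plain sample trips the literal signature, while all three reach the concatenated query as the same SQL and return every row. Decoding and white-space normalization widens what the signature catches, but it only covers the variations enumerated here; the paper's argument is that SQL offers far more ways to express the same query than a signature set can enumerate. The parameterized lookup returns no rows for any of the samples because it treats the input as data whatever form it arrives in, which is the control signatures cannot substitute for.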