Detecting SQL Injection with ScriptProtect

May 18, 2005
coldfusion, databases

It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL injection attack.

WARNING: just as ScriptProtect cannot protect against all forms of XSS attack, this solution DOES NOT protect you from all SQL injection attacks.

You can edit or add the regular expression patterns for the ScriptProtect feature in ColdFusion MX 7 by editing neo-security.xml, located in WEB-INF/cfusion/lib. Add the following pattern under the default cross-site scripting pattern:

<var name=";.*(select|insert|update|delete|drop|alter|create)">
<string>SQL_INJECTION_ATTEMPT</string>
</var>

I first tried just using a ; as the pattern, but that caused problems with some of the variables in the CGI scope (things like the User-Agent often contain semicolons). So the pattern now looks for a semicolon, followed by zero or more characters, followed by select, insert, update, delete, drop, alter or create.

Don't expect to catch all possible SQL injection attacks with this, so don't trust it to stop them. I'm just posting this FYI.
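To see what the pattern above actually catches and what it lets through, here is an added example (not part of the original post, and not ColdFusion's own ScriptProtect code) that runs the bare semicolon the post tried first, the pattern it settled on, and the `\s*(select|...)` alternative suggested in the comments below over a handful of constructed request values. ScriptProtect's matching options are not stated on the page, so the model assumes each pattern is applied case-insensitively and that a match is replaced with the configured string, as the default XSS pattern does; both are assumptions.

```python
import re

# Candidate ScriptProtect patterns. The first two are from the post (the bare
# semicolon the author tried first, then the one he settled on); the third is
# the alternative a commenter suggested. ScriptProtect's own matching options
# (e.g. case sensitivity) are not stated on the page, so this model applies
# each pattern case-insensitively; that is an assumption.
PATTERNS = {
    "bare semicolon":  r";",
    "post pattern":    r";.*(select|insert|update|delete|drop|alter|create)",
    "comment pattern": r"\s*(select|insert|update|delete|drop|alter|create)",
}

# The <string> value from the neo-security.xml snippet in the post.
REPLACEMENT = "SQL_INJECTION_ATTEMPT"


def scrub(value, pattern, flags=re.IGNORECASE):
    """Return (flagged, scrubbed_value).

    Models ScriptProtect replacing matched text with the configured string,
    which is how its default XSS pattern behaves. Assumption: an added
    pattern is applied the same way.
    """
    scrubbed, count = re.subn(pattern, REPLACEMENT, value, flags=flags)
    return count > 0, scrubbed


# Constructed sample request values (not captured traffic): a benign header
# with semicolons, a benign form field containing an SQL keyword, and three
# injection payloads of different shapes.
SAMPLES = {
    "user_agent":   "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "form_comment": "Please select a size before you add to cart",
    "stacked":      "1; DROP TABLE users--",
    "union":        "' UNION SELECT username, password FROM users--",
    "tautology":    "' OR 1=1--",
}


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Map each pattern name to the set of sample names it flags."""
    return {
        name: {s for s, v in samples.items() if scrub(v, pat)[0]}
        for name, pat in patterns.items()
    }


if __name__ == "__main__":
    for name, flagged in evaluate().items():
        print(f"{name:16s} flags: {sorted(flagged)}")
    # What the stacked-query payload looks like after the post's pattern
    # has rewritten it.
    print(scrub(SAMPLES["stacked"], PATTERNS["post pattern"])[1])
    # Applied case-sensitively, the lowercase pattern misses "DROP" entirely.
    print(scrub(SAMPLES["stacked"], PATTERNS["post pattern"], flags=0)[0])
```

Running it shows the trade-off the post describes: the bare semicolon flags the User-Agent, the post's pattern leaves the User-Agent alone and rewrites the stacked-query payload, but it never sees the UNION and tautology payloads because neither contains a semicolon. The commenter's pattern catches the UNION payload but also flags the harmless form field, and it still misses `' OR 1=1--`. The last line also shows that if the pattern is matched case-sensitively, `DROP` in upper case passes untouched, so check how the engine treats case before relying on a lowercase keyword list.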


Comments

What happens if this pattern is detected? Does it throw an error you can catch with CFCATCH or just put something in the logs?
Hmmm strange, because this won't work: ;.*(select|insert|update|delete|drop|alter|create) If that is used as a regular expression, then it never even reaches the select, insert, etc etc. Because the . character is acting like a lazy match. Which finds ANYTHING beyond the ; character.
This would be great if it worked. Tried it and it didn't prevent a SQL injection attack. It also caused errors in the CGI scope.
I used this instead and it worked great. \s*(select|insert|update|delete|drop|alter|create)
also need to test for exec|cast|declare -- to prevent attacks where the SQL code is encoded as a hex string
The SQL standard names are LOWER and UPPER, not LCASE and UCASE. Some products like MySQL alias LCASE and UCASE to the LOWER and UPPER functions for increased compatibility with other non-standard products and some products that are not databases. MS Access uses LCASE and UCASE, as do the non-database products Excel and OOCalc. There are some programming languages which use LCASE and UCASE. There may be other DB products that do not use the SQL standard LOWER/UPPER names for these functions. Oracle does use LOWER/UPPER. DB2 supports both. PostgreSQL uses LOWER/UPPER.
