imperva Category;
Get recent articles via RSS in imperva category
Search in this category and subcategories !
Order Direction : [ Z-A ] - [ A-Z ]
imperva Articles;
SQL Injection Signatures Evasion
In recent years, Web application security has become a focal center for security experts. Application attacks are constantly on the rise, posing new risks for the organization. One of the most dangerous and most common attack techniques is SQL Injection, which usually allows the hacker to obtain full access to the organization's Database. With the rise in SQL Injection attacks, security vendors have begun to provide security measures to protect against SQL Injection. The first ones to claim such protection have been the various Web Application Firewall vendors, followed by most IDS/IPS vendors. Most of this protection, however is Signature based. This is obviously the case with common IDS/IPS vendors, as they come from the network security world, and revolve around signature-based protection. However, most of the Web Application Firewalls base their SQL Injection protection on signatures as well. This is due to the fact that they inspect HTTP traffic only, and are able to look for attack patterns only within HTTP traffic. Moreover, it has lately become a common belief that signatures are indeed sufficient for SQL Injection protection. This belief has been backed up by a recently published article, describing, allegedly, a thorough guide for building SQL Injection signatures, in Snort™-like format. The research done at Imperva's Application Defense Center shows, however, that providing protection against SQL Injection using signatures only is not enough. This paper demonstrates various techniques that can be used to evade SQL Injection signatures, including advanced techniques that were developed during the research. The paper further demonstrates why these techniques are actually just the tip of the iceberg of different evasion techniques, due to the richness of the SQL language. Eventually, the conclusion that the research leads to is that providing protection against SQL Injection using only signatures is simply not practical. A reasonably sized signature database will never be complete, while an attempt to create a complete comprehensive signature database, even if theoretically possible, will yield an amount of signatures that is impossible to handle while maintaining a reasonable performance requirement, and is likely to generate too many false positives.
Blind SQL Injection
This document summarizes research done at Imperva regarding the possibility of exploiting SQL injection while having no detailed error messages. This research was performed in order to prove to customers that simply suppressing their error messages, going back to the "Security by Obscurity" approach, is just not enough. Using the techniques described in this document, many applications were proven to be exploitable, despite all attempts to disguise the information sent back to the client. Hopefully, after reading this document the reader now understands as well, why SQL injection is a real threat to any system, with or without detailed error messages, and why relying on suppressed error messages is not secure enough. Most of all, this document shows why an infrastructure level solution (such as suppressing error messages, though any other infrastructure level solution would be similarly problematic) cannot provide a real solution to application level risks. The only way to provide protection to the application itself is by taking application level security measures.
Cross-site Scripting Attack
Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. That purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example it could copy user cookies and then send those cookies to the attacker.
SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.