Injection Attacks: The Complete 2020 Guide

SQLi Defense - Network Layer

We'll take a look at 3 layers of defense:

  1. The network layer
     
  2. The application layer
     
  3. The database layer

"Database Firewall is a good first layer of defense for databases, but it won't protect you from everything"

- Vipin Samar, Oracle VP of Database Security

WAFs may not catch comments:

 


/?id=1+un/**/nion+sel/**/ect+1,2,3--

The query becomes:


SELECT * FROM table 
WHERE id=1 UNION SELECT 1,2,3,--

WAFs may not catch combined cases:

 


/?id=1+UnIoN/**/SeLeCt/**/1,2,3,--

WAFs may not catch synonyms

 


Replacing = and not = with:
!=, <>, <, >

SQLi Defense - Network Layer

By Christophe Limpalair

Made with Slides.com

SQLi Defense - Network Layer

  • 395

More from Christophe Limpalair