Injection Attacks: The Complete 2020 Guide

SQLi Defense - Database Layer

Ways of defending databases against SQLi

  • Minimize privileges of database accounts
     
  • Update your DBMS on a regular basis
     
  • Implement proper monitoring & logging
     
  • NoSQL databases are also vulnerable

Minimize privileges of database accounts

The application connects to the database with an account that was created for it, so any injected query runs with that account's privileges. We want to limit those privileges to what the application actually needs.

With sqlmap, we can use the --current-user and --is-dba options against the same DVWA target:

sqlmap -u "http://localhost/vulnerabilities/sqli_blind/" \
--cookie="id=10; PHPSESSID=39qedittgtbc7rfsm69gjvidl0; security=medium" \
--data="id=1&Submit=Submit" \
-p id \
--current-user

sqlmap -u "http://localhost/vulnerabilities/sqli_blind/" \
--cookie="id=10; PHPSESSID=39qedittgtbc7rfsm69gjvidl0; security=medium" \
--data="id=1&Submit=Submit" \
-p id \
--is-dba

To check:

  1. The current user running our queries
     
  2. Whether that user has admin privileges

With an admin account, we could potentially:

  • Upload custom files to the server
  • Create or delete other database accounts
  • Create, run, delete stored procedures
  • etc...
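The following is an added example, not code from the course, showing why the account's privileges matter even when the application code stays vulnerable. It uses SQLite's authorizer hook to emulate a database account that was granted SELECT on the product catalogue only (on a server DBMS this would be a GRANT statement); the schema, sample rows, role names and payload are constructed for the example.

```python
import sqlite3

# Constructed sample schema: the storefront only needs the product catalogue,
# but the same database also holds credentials. Example data, not course data.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
"""

# The only table the (hypothetical) application account may read.
APP_READABLE_TABLES = {"products"}


def app_user_authorizer(action, arg1, arg2, dbname, source):
    """Least-privilege policy enforced by SQLite's authorizer hook: SELECT on
    the catalogue only, no writes, no DDL. It stands in for
    GRANT SELECT ON products TO app_user on a server DBMS."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 is the table and arg2 the column being read.
        return sqlite3.SQLITE_OK if arg1 in APP_READABLE_TABLES else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY


def dba_authorizer(action, arg1, arg2, dbname, source):
    """The over-privileged account many applications are shipped with."""
    return sqlite3.SQLITE_OK


ROLES = {"app": app_user_authorizer, "dba": dba_authorizer}

# A UNION payload of the kind sqlmap derives once it knows the column count.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users -- "


def build_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_product_lookup(conn, name):
    # Deliberately injectable: input concatenated into the query, the bug the
    # DVWA target above has. The fix belongs in the application layer; here we
    # only look at what the database account lets an attacker do with it.
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_as(role, name):
    """Run the vulnerable lookup under the given account. Returns ('ok', rows)
    or ('denied', message) so the two outcomes can be compared."""
    conn = build_db()
    conn.set_authorizer(ROLES[role])
    try:
        return ("ok", vulnerable_product_lookup(conn, name))
    except sqlite3.DatabaseError as exc:  # SQLite raises "not authorized"
        return ("denied", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for role in ("dba", "app"):
        print(role, "normal  :", lookup_as(role, "widget"))
        print(role, "injected:", lookup_as(role, UNION_PAYLOAD))
```

Under the dba role the injected lookup returns the admin's password hash; under the app role the same payload fails at prepare time because the account cannot read users, while the legitimate lookup still works. The injection is still there, which is the point: least privilege limits the blast radius, it does not replace the application-layer fix.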

Update your DBMS on a regular basis

Implement proper monitoring & logging

Errors should be logged, from SQL errors to database administration errors:

  • Failed login attempts
  • Incorrect SQL syntax
  • Attempts to access objects or stored procedures that do not exist
  • Column-count or type mismatch errors (the footprint of UNION-based probing)
  • Errors involving permissions
  • Errors involving extended stored procedures such as xp_sendmail and xp_cmdshell (Microsoft SQL Server)

Data Manipulation Language (DML) and Data Definition Language (DDL) operations, and the account activity around them, should be logged and audited:

  • Password changes
  • Logins
  • Logouts
  • Database operations
  • Permission changes

Set thresholds that alert administrators when too many errors, or too many of a particular type of error, occur from one source within a specified period of time.
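As an added example (not part of the course material), the detection logic described above run over a few constructed log lines. The key=value line format is made up for the example; the numeric codes are MySQL's error codes for the error classes listed above (1045 access denied, 1064 syntax, 1222 UNION column-count mismatch, 1146 no such table, 1305 no such procedure, 1142 command denied on a table). The threshold, window and host names are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: one host probing with sqlmap-style errors, one user
# with a single typo, and one failed administrator login.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z user=app_user host=10.0.0.5 code=1064 msg="You have an error in your SQL syntax"
2020-03-01T10:00:02Z user=app_user host=10.0.0.5 code=1222 msg="The used SELECT statements have a different number of columns"
2020-03-01T10:00:03Z user=app_user host=10.0.0.5 code=1222 msg="The used SELECT statements have a different number of columns"
2020-03-01T10:00:04Z user=app_user host=10.0.0.5 code=1222 msg="The used SELECT statements have a different number of columns"
2020-03-01T10:00:09Z user=app_user host=10.0.0.5 code=1146 msg="Table 'shop.admin_users' doesn't exist"
2020-03-01T10:00:12Z user=app_user host=10.0.0.5 code=1142 msg="SELECT command denied to user 'app_user'@'10.0.0.5' for table 'users'"
2020-03-01T10:00:30Z user=app_user host=10.0.0.9 code=1064 msg="You have an error in your SQL syntax"
2020-03-01T10:05:00Z user=root host=10.0.0.7 code=1045 msg="Access denied for user 'root'@'10.0.0.7' (using password: YES)"
"""

# MySQL error codes mapped onto the error classes worth watching.
ERROR_CATEGORIES = {
    1045: "failed_login",
    1064: "syntax",
    1222: "union_column_mismatch",
    1146: "invalid_object",
    1305: "invalid_procedure",
    1142: "permission",
}

THRESHOLD = 4                    # this many errors from one host ...
WINDOW = timedelta(seconds=60)   # ... within this window raises a burst alert
IMMEDIATE = {"permission"}       # categories that alert on the first occurrence

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) '
    r'code=(?P<code>\d+) msg="(?P<msg>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code = int(m["code"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "host": m["host"],
        "code": code,
        "category": ERROR_CATEGORIES.get(code, "other"),
        "msg": m["msg"],
    }


def summarize(log_text):
    """Count errors per category, the view an admin dashboard would show."""
    counts = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is not None:
            counts[ev["category"]] += 1
    return dict(counts)


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (timestamp, host, kind, detail) alerts for a log. A burst alert
    fires once when a host first reaches `threshold` errors inside `window`;
    an immediate alert fires on every error in an IMMEDIATE category."""
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of errors still in window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["category"] in IMMEDIATE:
            alerts.append((ev["ts"], ev["host"], "immediate", ev["category"]))
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) == threshold:                  # == so one burst alerts once
            alerts.append((ev["ts"], ev["host"], "burst",
                           f"{threshold} errors in {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, 10.0.0.5 trips the burst rule at its fourth error and the permission rule when it is denied access to the users table; the single typo from 10.0.0.9 and the one failed root login are counted but stay below threshold. Tune the window and threshold to the application's normal error rate, and treat permission errors from the application account as high-signal, since a correctly privileged application should never produce them.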

NoSQL databases are vulnerable to injection too, so the same privilege, patching and logging controls apply to them.

By Christophe Limpalair