SQLi Defense - Database Layer
Ways of defending databases against SQLi
- Minimize privileges of database accounts
- Update your DBMS on a regular basis
- Implement proper monitoring & logging
- NoSQL databases are also vulnerable
Minimize privileges of database accounts
The application assumes the privileges of a user that was set up for it to use. We want to limit those permissions.
With SQLMap, we could use options such as:
sqlmap -u "http://localhost/vulnerabilities/sqli_blind/" \
--cookie="id=10; PHPSESSID=39qedittgtbc7rfsm69gjvidl0; security=medium" \
--data="id=1&Submit=Submit" \
-p id \
--current-user
sqlmap -u "http://localhost/vulnerabilities/sqli_blind/" \
--cookie="id=10; PHPSESSID=39qedittgtbc7rfsm69gjvidl0; security=medium" \
--data="id=1&Submit=Submit" \
-p id \
--is-dba
To check:
- The current user running our queries
- Whether that user has admin privileges
With an admin account, we could potentially:
- Upload custom files to the server
- Create or delete other database accounts
- Create, run, delete stored procedures
- etc...
Update your DBMS on a regular basis
Implement proper monitoring & logging
Errors should be logged -- from SQL errors to database administration errors:
- Failed login attempts
- Incorrect SQL syntax
- Attempts to access invalid objects or stored procedures
- Out of range errors (UNION attacks)
- Errors involving permissions
- Errors involving extensions like xp_sendmail, xp_cmdshell, etc...
Data Manipulation Language (DML) and Data Definition Language (DDL) operations should be logged and audited:
- Password changes
- Logins
- Logouts
- Database operations
- Permission changes
Set thresholds to alert admins if there are too many errors (or certain types of errors) in a specified period of time
NoSQL is vulnerable to injections