‘SQLBlock: SQL Injection Protection by Variable Normalization of SQL Statement’

Summary

The article linked at this advisory presents a method to protect from SQL injection attack. The method involves using a virtual database connectivity drive as well as a special method named variable normalization to extract the basic structure of a SQL statement so that we could use that information to determine if a SQL statement is allowed to be executed. The method can be used in most scenarios and does not require changing the source code of database applications (i.e. the CGI web application). The presented method can also be used for auto-learning the allowable list of SQL statements, which makes the system very easy to setup. And since the decision of whether a SQL statement is allowed is to check if the normalized statement exists in our ready-sorted allowable list, the overhead of the system is very minimal.’

Credit:

‘The information has been provided by Sam M.S. NG.
The original article can be found at: http://www.sqlblock.com/sqlblock.pdf


Details

Conclusion:
We presented variable normalization for SQL statements, which can extract the basic structure of a SQL statement. If SQL injection happens, the structure of the SQL statement will be altered and hence normalized SQL statement will also be altered and we will be able to detect it. We use this method to implement SQLBlock, a database connectivity layer proxy driver that can block SQL injection attacks.

SQLBlock has very minimal overall performance impact. Theoretically, it works will all database servers without the need to change the client source code. Auto-learning the allowable list makes the system easy to deploy even for complex clients that will issue many different SQL commands. And since SQLBlock is a connectivity layer proxy, it works even for SSL web applications. We believe SQLBlock is an effective and practical solution to solve this class of attacks.’

Categories: Reviews