Injection Nation

I’m somewhat surprised to see a lack of Oracle blogging reaction to the recent post on The Daily WTF which goes into great detail on a case of SQL injection.  Maybe we’ve either become tired of it or we assume that “my systems don’t do that!”.

So, how do you audit or track if your system is being hit by injection?  How would you detect it?  Assume you’re “just a DBA” — and no one tells you about applications being deployed that talk to the database.  Is there a way you could tell just by looking from within the database?  What kind of assumptions would you make?

One Response to “Injection Nation”

  1. Brian Kush Says:

    Two initial thoughts come to mind, but neither would be foolproof.

    You could monitor the system and kick out a report each day of “new” SQL that the database sees. When you first run the report it would not be of much use, since every statement would be showing up as new. Over time, if you are not adding new code and you use good coding standards like bind variables, the number of statements should go down and at some point would stop. With a shorter report each day you may be able to spot someone hacking away at your system by analyzing the statements that show up.

    You might want to automatically scan the report for queries that go after objects that applications should not try to access, like system objects or tables such as dba_%.

    Another way you may want to look for rogue SQL is to put a tag into all SQL statements that a hacker might not think to replicate in his query. You might start all SQL statements with something like “SELECT /* x */ …..” A hacker might not notice that the /* x */ is your special code; if a statement does not have it, it gets flagged. You could also use that code to identify the module that it came from.

    My bet is a hacker once given a SQL prompt or SQL access is not going to worry about properly formatting his or her code.

    I can’t remember if you can put a hidden character in the comment, but if you can you could put a ^g or something like that in there that you could not see on the web page.
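
The three checks proposed in the reply above (a daily diff of new statements, a scan for privileged objects such as dba_%, and a comment tag every application statement must carry), run over a constructed snapshot of the shared SQL area, as an added example that is not code from the original post or from Oracle. It assumes the snapshot was pulled from V$SQL with the columns named in the docstring and that the tag is literally "/* x */"; the rows, sql_ids, module names and the yesterday baseline are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Tag the reply proposes for every application statement.  Assumed here to be
# literally "/* x */"; a real deployment would choose its own, ideally per module.
APP_TAG = "/* x */"

# Objects an application account has no business reading: DBA_% views, the V$
# performance views and anything qualified with SYS.  This list is an assumption
# and should be extended from the real application's schema.
PRIVILEGED_OBJECTS = re.compile(r"\b(?:dba_\w+|all_users|v\$\w+|sys\.\w+)", re.IGNORECASE)
# A predicate compared against a literal instead of a bind (:1, :name).
LITERAL_PREDICATE = re.compile(r"=\s*(?:'[^']*'|\d+)")
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


@dataclass(frozen=True)
class SqlRow:
    """One row of the shared-SQL snapshot.

    Column names mirror what a DBA could pull with
        SELECT sql_id, sql_text, parsing_schema_name, module, first_load_time
        FROM   v$sql
    but the rows below are constructed for the example, not captured output.
    """
    sql_id: str
    sql_text: str
    parsing_schema: str
    module: str
    first_load_time: str


# Constructed snapshot: one statement already known from yesterday, four new ones.
SAMPLE_ROWS = [
    SqlRow("a1", "SELECT /* x */ name, email FROM customers WHERE id = :1",
           "APP", "OrderWeb", "2008-02-04/09:00:00"),
    SqlRow("b2", "SELECT /* x */ total FROM orders WHERE cust_id = :1 AND status = :2",
           "APP", "OrderWeb", "2008-02-05/08:15:00"),
    SqlRow("c3", "SELECT /* x */ name, email FROM customers WHERE id = 1 "
                 "UNION SELECT username, password FROM dba_users",
           "APP", "OrderWeb", "2008-02-05/11:42:10"),
    SqlRow("d4", "select * from dba_users",
           "APP", "SQL*Plus", "2008-02-05/12:03:55"),
    SqlRow("e5", "SELECT /* x */ name FROM customers WHERE id = 42",
           "APP", "OrderWeb", "2008-02-05/12:10:00"),
]

# sql_ids present in yesterday's snapshot (constructed baseline).
YESTERDAY_SQL_IDS = {"a1"}


def new_statements(rows, baseline):
    """The daily report from the reply: statements not seen in the previous snapshot."""
    return [row for row in rows if row.sql_id not in baseline]


def missing_app_tag(sql_text):
    """True when the statement did not come through code that stamps APP_TAG."""
    return APP_TAG not in sql_text


def touches_privileged_objects(sql_text):
    return PRIVILEGED_OBJECTS.search(sql_text) is not None


def has_union_select(sql_text):
    return UNION_SELECT.search(sql_text) is not None


def uses_literal_predicate(sql_text):
    return LITERAL_PREDICATE.search(sql_text) is not None


def reasons_for(row):
    """Why a new statement deserves a look, in a fixed order; empty means clean."""
    reasons = []
    if missing_app_tag(row.sql_text):
        reasons.append("missing_app_tag")
    if touches_privileged_objects(row.sql_text):
        reasons.append("privileged_object")
    if has_union_select(row.sql_text):
        reasons.append("union_select")
    if uses_literal_predicate(row.sql_text):
        reasons.append("literal_predicate")
    return reasons


def triage(rows, baseline):
    """Map each new sql_id to the list of reasons it was flagged."""
    return {row.sql_id: reasons_for(row) for row in new_statements(rows, baseline)}


if __name__ == "__main__":
    for sql_id, reasons in triage(SAMPLE_ROWS, YESTERDAY_SQL_IDS).items():
        row = next(r for r in SAMPLE_ROWS if r.sql_id == sql_id)
        flag = ", ".join(reasons) if reasons else "clean"
        print(f"{sql_id} [{row.module}] {flag}: {row.sql_text[:60]}")
```

Note what each check does and does not catch in the sample: the tag check only fires on the SQL*Plus statement (d4), because a payload injected through the web application rides inside an application statement and so arrives with the tag already in place (c3). That statement is caught instead by the privileged-object and UNION checks. The literal check is what makes the "new statement" report useful day to day: an application that concatenates values (e5) produces a fresh sql_id for every value, so the report never shrinks, whereas bind variables (b2) collapse those into one statement. Blacklisting dba_% is a floor, not a ceiling; an attacker content to read application tables trips none of the object checks, so the baseline diff still matters.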
