Writing a database firewall for blocking SQL Injection attacks

Submitted by 杀马特。学长 韩版系。学妹 on 2021-01-29 10:27:37

Question


I am studying and researching about different methods of SQL Injection and countermeasures.

Checking HackerOne Hacktivities showed me that it's not enough for a web application to just use a WAF (e.g. CloudFront, Cloudflare, Akamai, ...), because hackers use and build WAF bypass payloads to overcome these technologies and make their attacks successful.

I searched the internet for the "Database Firewall" keyword, but most links were related to the Oracle Database Firewall.

As I am currently researching SQL Injection and countermeasures, I am interested to know how I can research and develop a good database firewall: something that acts like a proxy and analyzes SQL queries with an active monitoring engine to monitor and block malicious SQL payloads.

Which methods or techniques, together with a programming language, would you suggest for writing such an application? And would you suggest I start research on and write a low-level application firewall (like the samples available in the Windows Driver Kit) or an application-layer firewall?

And lastly, can we use the term Web Application Firewall for a Database Firewall, and what are the differences between them?

Thanks in advance.


Answer 1:


I suggest this resource at OWASP, and the presentations it links to. https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project

A WAF can handle many types of security issues, not limited to SQL injection. For example XSS, CSRF, cookie poisoning, etc. These would not necessarily have anything to do with databases.

A Database Firewall is more specifically meant to block or at least detect SQL injection, or equivalent injection if you use a non-SQL database.

Detecting SQL that has been tampered with is difficult. The database firewall products I've read about have a hard time avoiding both false positives (mis-identifying bad content) and false negatives (failing to detect bad content).

Recent versions of the Oracle product have shifted focus toward whitelisting. That is, admit that it's too error-prone to detect bad content algorithmically. Instead, train the database firewall which queries are known to be legitimate for a given app.

This means every time you change the app code and add/remove/modify SQL queries, you have to re-train the db firewall before you deploy, or else legit query traffic will be blocked. This means deploying your app takes more steps, and that adds to complexity and delays deployments.

Whitelisting is also a problem for queries that need to be highly configurable, for example if your app code appends multiple boolean terms in the WHERE clause, or multiple UNION clauses, or runs pivot queries where the number of columns is dynamic.

Whitelisting is also not effective if your system uses dynamic SQL in stored procedures, because the queries may be formatted with untrusted content and have SQL injection vulnerabilities. These queries are executed directly within the RDBMS engine, never passing through your database firewall. So there's no way they can be filtered or detected.

ModSecurity is an example of an open-source WAF that includes some SQL injection detection features. It is a module for the Apache HTTP server.

Libinjection is an example of an embeddable SQL parser that can try to detect SQL injection. I haven't used it, but I suspect it suffers from the same uncertainties about accuracy that every other pattern-based method would.

I continue to believe that the best method for defending against SQL Injection is to code defensively. Assume malicious content is incoming, and code either to reject it or to ensure content will be harmless by using SQL query parameters.
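The two points made in this answer, that a whitelisting database firewall learns query shapes and then blocks anything unfamiliar (including legitimate queries whose WHERE clause gained an extra term), and that parameterized queries make the question moot, can be shown in a few lines. The following is an added example, not code from the answer's author or from any of the products mentioned. The `fingerprint` normalizer, the `QueryAllowList` class and the `users` table are all constructed for illustration; a real database firewall would use a full SQL parser rather than two regular expressions.

```python
import re
import sqlite3

# Toy normalizer (assumption, not any product's algorithm): string and numeric
# literals become '?', whitespace is collapsed and keywords are lower-cased, so
# that queries differing only in their literal values share one fingerprint.
_STRING = re.compile(r"'(?:[^']|'')*'")   # 'alice', 'it''s'
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


class QueryAllowList:
    """Whitelisting firewall core: train on known-good queries, then only
    admit queries whose fingerprint was seen during training."""

    def __init__(self) -> None:
        self.allowed: set[str] = set()

    def train(self, sql: str) -> None:
        self.allowed.add(fingerprint(sql))

    def check(self, sql: str) -> bool:
        return fingerprint(sql) in self.allowed


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The defensive-coding alternative: the value never becomes SQL text,
    so a tautology payload is simply a name that matches no row."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    fw = QueryAllowList()
    fw.train("SELECT * FROM users WHERE name = 'alice'")
    # Same shape, different literal: admitted.
    print(fw.check("SELECT * FROM users WHERE name = 'bob'"))
    # Classic tautology changes the shape: blocked (true positive).
    print(fw.check("SELECT * FROM users WHERE name = '' OR '1'='1'"))
    # Legitimate query with an extra boolean term, never trained: blocked
    # (false positive), which is the deployment problem the answer describes.
    print(fw.check("SELECT * FROM users WHERE name = 'bob' AND id = 2"))

    conn = make_db()
    print(lookup_user_parameterized(conn, "alice"))          # [1]
    print(lookup_user_parameterized(conn, "' OR '1'='1"))    # []
```

Running the script shows the trade-off in one place: the allow list catches the injected shape but also rejects the untrained legitimate variant, while the parameterized lookup needs no allow list at all because the payload is only ever a bound value.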



Source: https://stackoverflow.com/questions/54637473/writing-a-database-firewall-for-blocking-sql-injection-attacks
