SQL injection is one of the most common attacks on websites, and identity theft is often made possible by it.
Hence the white paper "The SQL Injection and Signature Evasion" discusses the evasion techniques that are prevalent and also describes how Imperva's products may protect against them.
Our focus here is mainly on understanding the various evasion techniques available. This is done by taking the SQL injection example quoted in the paper, drawing an FSM for the situation, deriving test cases, and checking whether the specific evasion flow can be identified from the list of test cases drawn up for the situation.
The example used in the paper is a SQL injection attack on a healthcare website
--> one of the modules lists the SSNs of all the family members based on gender
If the query is genuine, then the web address looks like
http://www.superhealth.com/show_members.asp?gender=m
and the query looks like
select SSN, Name from PATIENTS where FAMILY = XXX and gender='m'
This indicates that the query is scoped to a particular family and that the person trying to retrieve the information should have permission to perform the query. Based on this initial understanding we can try to come up with the rule set that the IDS should have been built on to prevent a basic attack. Let's not worry about evasion or any problem associated with it for now.
r1 --> user login attempt with username
r2 --> user login attempt with password
r3 --> guest user / no login required / can access the website login page ... and browse for information on the available products etc. ... and plan for registration
r4 --> registered user logs in successfully / login attempt succeeded
r5 --> registered user login attempt failed
r6 --> registered user queries the database for SSN information for their family / no alarm raised
r7 --> guest user queries the database for SSN information for a family / alarm should be raised
r8 --> server decodes the query to assess its quality and genuineness / responds back
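As an added example (not code from the post or from the Imperva paper), here is the show_members lookup written in Python with sqlite3: the concatenated query behind show_members.asp?gender=m beside a parameterized form, plus the kind of allowlist check a server would apply under rule r8. The table rows, the family ids and the crafted gender value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the PATIENTS table from the post:
# two families, so a leak across the family boundary is visible.
SAMPLE_ROWS = [
    ("111-11-1111", "Ann", 101, "f"),
    ("222-22-2222", "Bob", 101, "m"),
    ("333-33-3333", "Cid", 202, "m"),
    ("444-44-4444", "Dee", 202, "f"),
]

# Values the gender parameter may take (an assumption made for this example).
ALLOWED_GENDERS = ("m", "f")


def make_db():
    # In-memory PATIENTS table filled with the constructed rows above.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table PATIENTS (SSN text, Name text, FAMILY integer, gender text)")
    conn.executemany("insert into PATIENTS values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def show_members_vulnerable(conn, family, gender):
    # String concatenation, the pattern behind show_members.asp?gender=m:
    # the gender value becomes SQL text, so quotes inside it can change the
    # statement and widen the result beyond the caller's own family.
    sql = "select SSN, Name from PATIENTS where FAMILY = %d and gender='%s'" % (family, gender)
    return conn.execute(sql).fetchall()


def show_members_parameterized(conn, family, gender):
    # Bound parameters: the gender value is passed as data and compared
    # literally against the column, so the family scope cannot be escaped.
    sql = "select SSN, Name from PATIENTS where FAMILY = ? and gender = ?"
    return conn.execute(sql, (family, gender)).fetchall()


def validate_gender(gender):
    # Allowlist check at the server (rule r8): anything that is not a known
    # value is rejected, without needing a signature for each injection form.
    return gender in ALLOWED_GENDERS


if __name__ == "__main__":
    conn = make_db()
    crafted = "m' or '1'='1"  # constructed value a signature-based filter would have to spot
    print("vulnerable:", show_members_vulnerable(conn, 101, crafted))
    print("parameterized:", show_members_parameterized(conn, 101, crafted))
    print("allowed?", validate_gender(crafted))
```

The concatenated form returns rows from both families for the crafted value, while the parameterized form returns none and the allowlist rejects the value outright.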
Some tips on IPS testing from Cisco:
http://www.cisco.com/web/about/security/intelligence/cwilliams-ips.html