Writing a database firewall for blocking SQL Injection attacks


Question

I am studying and researching about different methods of SQL Injection and countermeasures.

Checking HackerOne Hacktivities showed me that it's not enough for a web application to just use a WAF (e.g. Cloudfront, Cloudflare, Akamai, ...), because hackers use and build WAF bypass payloads to overcome these technologies and make their attacks successful.

I searched the internet for the keyword "Database Firewall", but most links were related to the Oracle Database Firewall.

As I am currently researching SQL Injection and countermeasures, I am interested to know how I can research and develop a good database firewall: something that acts like a proxy and analyzes SQL queries with an active monitoring engine to monitor and block malicious SQL payloads.

Which methods or techniques, along with a programming language, would you suggest for writing such an application, and would you suggest I start by researching and writing a low-level application firewall (like the samples available in the Windows Driver Kit) or an application-layer firewall?

And lastly, can we use the term Web Application Firewall as a term for Database Firewall, and what are the differences between them?

Thanks in advance.

Answer

I suggest this resource at OWASP, and the presentations it links to. https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project

A WAF can handle many types of security issues, not limited to SQL injection. For example XSS, CSRF, cookie poisoning, etc. These would not necessarily have anything to do with databases.

A Database Firewall is more specifically meant to block or at least detect SQL injection, or equivalent injection if you use a non-SQL database.

Detecting SQL that has been tampered with is difficult. The database firewall products I've read about have a hard time avoiding both false positives (mis-identifying bad content) and false negatives (failing to detect bad content).

Recent versions of the Oracle product have shifted focus toward whitelisting. That is, admit that it's too error-prone to detect bad content algorithmically. Instead, train the database firewall which queries are known to be legitimate for a given app.

This means every time you change the app code and add/remove/modify SQL queries, you have to re-train the db firewall before you deploy, or else legit query traffic will be blocked. This means deploying your app takes more steps, and that adds to complexity and delays deployments.

Whitelisting is also a problem for queries that need to be highly configurable, for example if your app code appends multiple boolean terms in the WHERE clause, or multiple UNION clauses, or runs pivot queries where the number of columns is dynamic.

Whitelisting is also not effective if your system uses dynamic SQL in stored procedures, because the queries may be formatted with untrusted content and have SQL injection vulnerabilities. These queries are executed directly within the RDBMS engine, never passing through your database firewall. So there's no way they can be filtered or detected.

ModSecurity is an example of an open-source WAF that includes some SQL injection detection features. It is a module for the Apache HTTP server.

Libinjection is an example of an embeddable SQL parser that can try to detect SQL injection. I haven't used it, but I suspect it suffers from the same uncertainties about accuracy that every other pattern-based method would.

I continue to believe that the best method for defending against SQL Injection is to code defensively. Assume malicious content is incoming, and code either to reject it or to ensure content will be harmless by using SQL query parameters.
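The training-mode allowlist the answer describes, together with the false positive it warns about for dynamically built WHERE clauses, as an added example in Python (not code from the original answer or from any database firewall product; the fingerprinting rule, the `QueryAllowlist` class and the sample queries are constructed for illustration):

```python
import re

# Constructed example: a minimal "training-mode" query allowlist. Literals are
# replaced by '?' so that only the shape of each statement is compared.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: string/number literals become '?',
    whitespace is collapsed and case is folded."""
    shape = _LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", shape).strip().lower()


class QueryAllowlist:
    """Learns the shapes an application legitimately issues; any other shape is blocked."""

    def __init__(self) -> None:
        self.templates: set[str] = set()

    def train(self, sql: str) -> None:
        self.templates.add(fingerprint(sql))

    def allowed(self, sql: str) -> bool:
        return fingerprint(sql) in self.templates


def demo() -> dict:
    fw = QueryAllowlist()
    # Training run: shapes observed while exercising the app's known code paths.
    fw.train("SELECT id, name FROM users WHERE email = 'alice@example.com'")
    fw.train("UPDATE users SET last_login = 1700000000 WHERE id = 42")
    return {
        # Same shape, different literal: allowed.
        "legit": fw.allowed("SELECT id, name FROM users WHERE email = 'bob@example.com'"),
        # A tautology appended to the literal changes the shape (extra OR term): blocked.
        "injected": fw.allowed("SELECT id, name FROM users WHERE email = '' OR '1'='1'"),
        # The false positive the answer describes: app code appended an optional
        # filter term, a legitimate shape that was never seen during training.
        "dynamic_where": fw.allowed(
            "SELECT id, name FROM users WHERE email = 'bob@example.com' AND active = 1"),
        # A parameterized statement carries no literals, so its text has one stable
        # shape that matches the trained template regardless of user input.
        "parameterized": fw.allowed("SELECT id, name FROM users WHERE email = ?"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'allowed' if ok else 'blocked'}")
```

Dynamic SQL built inside stored procedures never reaches such a proxy at all, which is the other limitation the answer notes.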
