1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.
2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.
3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.
If your security strategy relies on one or two security controls, you're doomed most of the time.
We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong).
That's why we now have RASP. It's better than SQL proxy and WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate
dullgiulio|7 years ago
1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.
2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.
3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.
[1] https://www.akadia.com/services/dyn_modify_where_clause.html
[2] Like linq, jOOQ...
ninegunpi|7 years ago
We've added SQL filtering as a defense-in-depth measure, having a convenient seat in the architecture, complementing every other mitigation measure proper application developers and DBAs should be doing (and frequently get wrong).
Even ORMs get bypassed once in a while:
- https://github.com/mysqljs/mysql/issues/342 - https://github.com/sequelize/sequelize/issues/5671 - (okay, we can avoid this one by saying nothing "nothing proper exists in NodeJS world) https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-all...
Dumb concatenation can nullify the merit of quite advanced ORM: copybook example of misusing Ruby's ActiveRecord (is that proper enough) got as far as OWASP testing guide: https://www.owasp.org/index.php/Testing_for_ORM_Injection_(O...
Prepared statements are cooked wrong as well, but rarely, that's why they are viable line of defense, but not the sole one (as nothing should be):
https://www.reddit.com/r/netsec/comments/ww9qm/sqli_bypassin... https://stackoverflow.com/questions/134099/are-pdo-prepared-...
(in fact, I've seen with my eyes exactly what first comment in reddit postmentions).
all_blue_chucks|7 years ago
Lt_Riza_Hawkeye|7 years ago
For anyone curious why WAFs are so useless, there is a very beginner-accessible talk by Joe McCray here: https://www.youtube.com/watch?v=qBVThFwdYTc
ris|7 years ago
moutix|7 years ago
ninegunpi|7 years ago
1. Insiders having access to database front?
2. Same SQL bypass techniques as employed to bypass WAFs?
3. Mitigate developer errors in query logic which enable custom injections?