I do not like the term SQL injection nowadays. I think it must be generalized to query injection. It makes people believe that NoSQL somehow is exempt from such problems.
I agree, I also dislike the term SQL injection. But the problem isn't that there is a query, there problem is that the source code of one program is constructed by string manipulation in the source code of another program. XSS issues (where javascript can be embedded into a string that is supposed to be a value in a HTML document) are the same. Also occurs with shell scripts. The goal has to be to avoid such manual processes. Between lower level languages, it's customary to export a function call in a standard ABI. It should also be the same here: regard queries as function calls in a foreign language. Javascript is basically there, but query languages only have fits and starts (e.g. you often have some syntax like `SELECT * FROM "tbl" where "field" = ?` which can then accept the parameter in a form that is intended for transferring user values) and generally rely on good hygiene and ORMs to protect the end user.
Well this is a buffer overflow attack, not injection, but hey, it's in a SQL program!
Though SQL injection and other injection attacks are definitely not dead. All it takes is one programmer mistake and poof! Lots of XSS rely on accidentally injection of some value. Also hey lots of LLM based attacks are injection. Injection is not dead... oh no oh no
No, it's a desync by integer overflow, there's no overflowing buffer. Due to the incorrect length field, the db server starts parsing the next db protocol message from the middle of attacker-supplied data which gives the attacker control of db commands.
(A case could be made for calling it a buffer underflow maybe?)
I always thought the internet would get more sophisticated and secure as time went on and my days of SQL injection were limited to my teenage years but it seems as the internet becomes more accessible the number of armature developers putting insecure websites up in rising raidly.
Also I get the feeling lot of instruction on topic like SQL Injection is just incorrect or not even best practise anymore. And it keeps being parroted. Like recommending input sanitization. It can be part of solution and probably should consider what to accept on any input. But it is not full or even efficient solution, specially when often it is implemented incorrectly or imperfectly...
So it is complex field and there is always more vectors like this.
> The current way to protect against these attacks is to ensure a size limit on incoming requests. This can be more difficult than you may expect - Paul points out that alternative paths such as WebSockets might bypass limits that are in place for regular HTTP requests, plus some servers may apply limits before decompression, allowing an attacker to send a compressed payload that is larger than the configured limit.
Interesting...a security researcher that thinks it's ok to trust the client.
His point is that adding in a request limit in your server config may not be enough because protocols like websocket might not inherit those size restrictions automatically due to specialized logic for implementing sockets over http.
[+] [-] poincaredisk|1 year ago|reply
SQL injection isn't dead, because I stumble upon a sql injection vulnerability every other day as a part of my job.
[+] [-] cqqxo4zV46cp|1 year ago|reply
[+] [-] plugger|1 year ago|reply
[+] [-] 29athrowaway|1 year ago|reply
[+] [-] colimbarna|1 year ago|reply
[+] [-] simonw|1 year ago|reply
Anyone know if DEF CON publish videos of this kind of session?
[+] [-] Sohcahtoa82|1 year ago|reply
https://www.youtube.com/@DEFCONConference
[+] [-] mmetzger|1 year ago|reply
[+] [-] seeknotfind|1 year ago|reply
Though SQL injection and other injection attacks are definitely not dead. All it takes is one programmer mistake and poof! Lots of XSS rely on accidentally injection of some value. Also hey lots of LLM based attacks are injection. Injection is not dead... oh no oh no
[+] [-] fulafel|1 year ago|reply
(A case could be made for calling it a buffer underflow maybe?)
[+] [-] avery17|1 year ago|reply
[+] [-] yencabulator|1 year ago|reply
[+] [-] Ekaros|1 year ago|reply
So it is complex field and there is always more vectors like this.
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] TedDallas|1 year ago|reply
[+] [-] fragmede|1 year ago|reply
[+] [-] boltzmann_|1 year ago|reply
[+] [-] CodeWriter23|1 year ago|reply
Interesting...a security researcher that thinks it's ok to trust the client.
[+] [-] root_axis|1 year ago|reply
His point is that adding in a request limit in your server config may not be enough because protocols like websocket might not inherit those size restrictions automatically due to specialized logic for implementing sockets over http.
[+] [-] Stefan-H|1 year ago|reply
[+] [-] cma|1 year ago|reply