Security Basics mailing list archives

RE: Slow down blind SQL injection


From: "iOla Shulman" <truerandom () hotmail com>
Date: Mon, 08 Oct 2007 09:11:08 +0000

Hi,

I believe this solution is a bit problematic.
Consider a scenario of a user not remembering the right username or password and retyping several times, or a user who is not familiar with a keyboard and inserts typos unintentionally. Your suggestion is to mistakenly interpret such a user as an attacker performing SQL Injection queries?

In addition, an attacker who is determined to hack your site will tolerate the "slow down"; however, the user will not tolerate it.

I do not see how much you can profit from this solution, and if you happen to think of a different alternative, please update (sounds like a good research idea).

Best Regards,
S.H.



From: Tiago Batista <tiagosbatista () gmail com>
To: security-basics () securityfocus com
Subject: Slow down blind SQL injection
Date: Wed, 3 Oct 2007 04:11:30 +0100

Hello all

Today I was brainstorming and came up with an idea that may help slow
down blind SQL injection on a web application.

I remembered that usually a user will read a page before submitting a
new query, and that takes time, so why not keep a timestamp on the user
session and enforce some time between queries?

I did not search to find out if some applications out there are using
this, but I would like your input on the following:

1. Depending on the timestamp, do you think the users will be very
annoyed at some error asking them to try again in a few seconds?

2. Given that most automated SQL injectors depend on a boolean result
from the query, and this ends up serving a third page, how much will
this confuse those tools?

3. Assuming that the programmer will log several attempts, will this
help to find and correct blind injection points?

Thank you all

Tiago
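A sketch of the per-session throttle Tiago describes, written as an added example and not code from either poster. It keeps a timestamp per session, answers a too-early query with a distinct "try again" response (the "third page" of question 2) instead of the true/false result an injector expects, and records sessions that trip the limit repeatedly so the injection point can be investigated (question 3). The session id is passed in directly, and the clock is injectable so the behaviour can be exercised without waiting; both are assumptions of this example, not details from the thread.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SessionState:
    last_query: Optional[float] = None  # time of the last accepted query
    violations: int = 0                 # queries rejected for arriving too early


class QueryThrottle:
    """Enforce a minimum interval between form submissions per session."""

    def __init__(self, min_interval: float = 3.0, alert_after: int = 5,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.min_interval = min_interval
        self.alert_after = alert_after   # violations before the session is flagged
        self.clock = clock
        self.sessions: Dict[str, SessionState] = {}
        # (session id, violation count, offending input) for the application log
        self.alerts: List[Tuple[str, int, str]] = []

    def check(self, session_id: str, user_input: str) -> dict:
        now = self.clock()
        state = self.sessions.setdefault(session_id, SessionState())
        if state.last_query is not None:
            elapsed = now - state.last_query
            if elapsed < self.min_interval:
                # Rejected queries do not advance the timer, so a client that keeps
                # hammering still gets through at most once per min_interval.
                state.violations += 1
                if state.violations >= self.alert_after:
                    self.alerts.append((session_id, state.violations, user_input))
                return {"status": "retry",
                        "retry_after": round(self.min_interval - elapsed, 2)}
        state.last_query = now
        return {"status": "ok"}


if __name__ == "__main__":
    # Constructed demo with a fake clock: one legitimate query, then rapid retries.
    fake_now = [0.0]
    throttle = QueryThrottle(min_interval=3.0, alert_after=2, clock=lambda: fake_now[0])
    for delta, data in [(0.0, "id=7"), (0.4, "id=7 AND 1=1"), (0.3, "id=7 AND 1=2")]:
        fake_now[0] += delta
        print(data, "->", throttle.check("sess-A", data))
    print("flagged:", throttle.alerts)
```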


