Security Basics mailing list archives
Re: Slow down blind SQL injection
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 09 Oct 2007 11:37:49 -0700
Hi, I completely agree with Shulman: a user, especially if it's an important one (director and above, or worse, an important customer), won't look with a good eye at this "special protection" feature that impedes the normal process of the application. Time is money. And on the other hand, an automated tool won't care about that delay anyway. I know that my tool doesn't care about time delay; I can just start it and go work on something else and just be patient. If it takes 2 hours to get the admin credentials instead of 15 minutes? Who cares, I still got it, no? :) And even better, now the network administrator won't be alarmed by a cluster of a crazy number of requests made at about the same time.
In any case, by personal experience, most of the time if there is a spot with blind SQL injection then the chances are high that somewhere else there is a place where you can reflect data in a much faster way (with UNION or in an SQL-generated error reflected by the webpage, such as or 1 in (SELECT user)). So it defeats all the efforts you put in, and only succeeds in eventually reducing the user experience.
It's good that you try to find solutions, but just beware not to make the security solution more important than the business. My personal advice is to try to find a solution that will be as transparent as possible to the user.
Cheers, Francois
Hi, I believe this solution is a bit problematic. Consider a scenario of a user not remembering the right username or password and retyping several times, or a user that is not familiar with a keyboard and inserting typos unintentionally. Your suggestion is to mistakenly interpret such a user as an attacker performing SQL injection queries? In addition, an attacker that is determined to hack your site will tolerate the "slow down"; however, the user will not tolerate it. I do not see how much you can profit out of this solution, and if you happen to think of a different alternative please update (sounds like a good research idea).
Best Regards, S.H.

From: Tiago Batista <tiagosbatista () gmail com>
To: security-basics () securityfocus com
Subject: Slow down blind SQL injection
Date: Wed, 3 Oct 2007 04:11:30 +0100

Hello all

Today I was brainstorming and came up with an idea that may help slow down blind SQL injection on a web application. I remembered that usually a user will read a page before submitting a new query, and that takes time, so why not keep a timestamp on the user session and enforce some time between queries? I did not search to find out if some applications out there are using this, but I would like your input on the following:
1. Depending on the timestamp, do you think the users will be very annoyed at some error asking them to try again in a few seconds?
2. Given that most automated SQL injectors depend on a boolean result from the query, and this ends up serving a third page, how much will this confuse those tools?
3. Assuming that the programmer will log several attempts, will this help to find and correct blind injection points?

Thank you all
Tiago
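To make the trade-off in this thread concrete, here is an added example (not code from any poster) of the per-session minimum-interval throttle Tiago proposes, placed beside the transparent control Francois asks for: a parameterised query. The session ids, the two-second interval, the in-memory SQLite table and the injectable clock are all constructed assumptions for the demonstration.

```python
"""Per-session query throttle (Tiago's idea) next to a parameterised lookup.

Added example for the mailing-list thread; not code from any participant.
All names, ids and the 2-second interval are assumptions for the demo.
"""
import sqlite3
import time

MIN_INTERVAL_SECONDS = 2.0  # assumed "reading time" between submissions


class SessionThrottle:
    """Remember the last accepted request per session and reject early repeats.

    The clock is injectable so the behaviour can be exercised without sleeping.
    A patient client simply waits out the interval, so this is a nuisance
    control, not a fix for the injection itself.
    """

    def __init__(self, min_interval=MIN_INTERVAL_SECONDS, clock=time.monotonic):
        self.min_interval = min_interval
        self.clock = clock
        self._last_seen = {}    # session id -> time of last accepted request
        self._rejections = {}   # session id -> count of rejected requests

    def allow(self, session_id):
        now = self.clock()
        last = self._last_seen.get(session_id)
        if last is not None and now - last < self.min_interval:
            # Same session submitted again too quickly: this is exactly the
            # case S.H. raises, where a mistyping user is treated as an attacker.
            self._rejections[session_id] = self._rejections.get(session_id, 0) + 1
            return False
        self._last_seen[session_id] = now
        return True

    def rejections(self, session_id):
        """How often a session has been told to try again later."""
        return self._rejections.get(session_id, 0)


class FakeClock:
    """Deterministic stand-in for time.monotonic() used in the demo."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_demo_db():
    """Constructed in-memory table so the lookup below runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role(conn, name):
    """Parameterised query: the input is bound as data, never spliced into SQL.

    This is the transparent control: the user sees no delay and no error page,
    and the injection point is removed rather than slowed down.
    """
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def handle_request(throttle, conn, session_id, name):
    """Simulated handler: apply the throttle, then run the parameterised lookup."""
    if not throttle.allow(session_id):
        return {"status": 429, "role": None}   # "try again in a few seconds"
    return {"status": 200, "role": lookup_role(conn, name)}


if __name__ == "__main__":
    clock = FakeClock()
    throttle = SessionThrottle(clock=clock)
    conn = make_demo_db()
    print(handle_request(throttle, conn, "s1", "alice"))   # accepted
    clock.advance(0.5)
    print(handle_request(throttle, conn, "s1", "alice"))   # rejected: retyped too fast
    clock.advance(2.0)
    print(handle_request(throttle, conn, "s1", "alice"))   # accepted again
```

Running the block shows both sides of the argument: a legitimate user who resubmits within the interval gets the "try again" response S.H. warns about, while the parameterised lookup returns the right row for a real name and nothing at all for a name that is not in the table, with no timing games involved. The throttle also keeps a rejection count per session, which is the signal Tiago's third question is about; it is worth logging, but it is a detection aid rather than the fix.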
Current thread:
- Slow down blind SQL injection Tiago Batista (Oct 02)
- <Possible follow-ups>
- Slow down blind SQL injection Tiago Batista (Oct 03)
- RE: Slow down blind SQL injection iOla Shulman (Oct 09)
- Re: Slow down blind SQL injection Francois Larouche (Oct 09)
- Re: Slow down blind SQL injection Simon (Oct 09)
- Re: Slow down blind SQL injection Tiago Batista (Oct 09)
- RE: Slow down blind SQL injection iOla Shulman (Oct 09)