Snort mailing list archives
Re: Generic SQL injection false positives
From: Matt Olney <molney () sourcefire com>
Date: Tue, 29 Dec 2009 16:15:41 -0500
Morning exploded, but I wanted to put out some normalization data (see below for test output):

1) We normalize %20 to a space
2) We normalize %3d into a =
3) We do not normalize /**/ (or /* */)
4) We do not normalize +
5) We do not normalize ++

Remember, the normalization that occurs in the URI is for HTTP data normalization (%20, ../../../, etc...) not for database normalization. So to handle these cases, we'd have to do some PCRE, or write an SO rule.

I'm not done looking over all this, but I thought you might be interested in the data.

Matt

****** BUFFER INFORMATION ******
[RAW BUFFER DATA (0xab9b948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64  GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68  store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25  query=joe'+OR+1%
33 44 31 2b 4f 52 2b 27 6d 61 72 79 26 61 63 74  3D1+OR+'mary&act
69 6f 6e 3d 73 65 61 72 63 68 26 78 3d 30 26 79  ion=search&x=0&y
3d 30 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73  =0 HTTP/1.1..Hos
[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+'mary&action=search&x=0&y=0

/**/ comment in the middle:

****** BUFFER INFORMATION ******
[RAW BUFFER DATA (0x9b92948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64  GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68  store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25  query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 2a 2f 27 6d 61 72 79  3D1+OR+/**/'mary
26 61 63 74 69 6f 6e 3d 73 65 61 72 63 68 26 78  &action=search&x
3d 30 26 79 3d 30 20 48 54 54 50 2f 31 2e 31 0d  =0&y=0 HTTP/1.1.
[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/**/'mary&action=search&x=0&y=0

Percent 20 in the middle of the comment:

****** BUFFER INFORMATION ******
[RAW BUFFER DATA (0xa5ff948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64  GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68  store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 31 25  query=joe'+OR+1%
33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27 6d  3D1+OR+/*%20*/'m
61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72 63  ary&action=searc
68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f 31  h&x=0&y=0 HTTP/1
2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e 31  .1..Host: 10.4.1
[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR+1=1+OR+/* */'mary&action=search&x=0&y=0

****** BUFFER INFORMATION ******
[RAW BUFFER DATA (0x9eca948)]:
47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 62 61 64  GET /cgi-bin/bad
73 74 6f 72 65 2e 63 67 69 3f 73 65 61 72 63 68  store.cgi?search
71 75 65 72 79 3d 6a 6f 65 27 2b 4f 52 2b 2b 31  query=joe'+OR++1
25 33 44 31 2b 4f 52 2b 2f 2a 25 32 30 2a 2f 27  %3D1+OR+/*%20*/'
6d 61 72 79 26 61 63 74 69 6f 6e 3d 73 65 61 72  mary&action=sear
63 68 26 78 3d 30 26 79 3d 30 20 48 54 54 50 2f  ch&x=0&y=0 HTTP/
31 2e 31 0d 0a 48 6f 73 74 3a 20 31 30 2e 34 2e  1.1..Host: 10.4.
[HTTP_URI BUFFER DATA (0x8ab9aa0)]:
/cgi-bin/badstore.cgi?searchquery=joe'+OR++1=1+OR+/* */'mary&action=search&x=0&y=0
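The normalization behaviour described above, as an added example that is not from the post or from Snort's own code: a small Python model that percent-decodes the URI the way the HTTP inspector's output shows (%3D and %20 decoded, `+`, `++` and `/* */` left alone), then shows why a plain space-separated content match misses all four test cases while a comment- and plus-tolerant PCRE, or canonicalizing the SQL whitespace first, catches them. The function names, regexes and the four constructed URIs are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed request URIs mirroring the four test cases in the post.
TEST_URIS = [
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+'mary&action=search",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+/**/'mary&action=search",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR+1%3D1+OR+/*%20*/'mary&action=search",
    "/cgi-bin/badstore.cgi?searchquery=joe'+OR++1%3D1+OR+/*%20*/'mary&action=search",
]


def http_normalize(raw_uri: str) -> str:
    """Model of the HTTP_URI buffer per the post: percent-escapes are decoded
    (%20 -> space, %3D -> =) but '+', '++' and SQL comments are untouched.
    Simplified stand-in, not Snort's actual normalizer."""
    return unquote(raw_uri)  # unquote() deliberately leaves '+' as '+'


def sql_canonicalize(uri: str) -> str:
    """Extra SQL-aware canonicalization a rule would need (via PCRE or an
    SO rule): drop /* ... */ comments, then fold '+' runs and whitespace."""
    no_comments = re.sub(r"/\*.*?\*/", " ", uri, flags=re.S)
    return re.sub(r"[+\s]+", " ", no_comments)


# What a plain content:"OR 1=1" rule sees: a literal space between tokens.
NAIVE = re.compile(r"\bOR 1=1\b", re.I)

# Tolerant PCRE: any run of '+', whitespace or /*...*/ may separate tokens.
SEP = r"(?:\+|\s|/\*.*?\*/)+"
TOLERANT = re.compile(r"\bOR" + SEP + r"1=1" + SEP + r"OR" + SEP + r"'", re.I | re.S)


def evaluate(raw_uri: str) -> dict:
    """Run both detection strategies against the HTTP-normalized URI."""
    norm = http_normalize(raw_uri)
    return {
        "normalized": norm,
        "naive_hit": bool(NAIVE.search(norm)),
        "tolerant_hit": bool(TOLERANT.search(norm)),
        "canonical_hit": bool(NAIVE.search(sql_canonicalize(norm))),
    }


if __name__ == "__main__":
    for uri in TEST_URIS:
        print(evaluate(uri))
```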
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs