Re: Slow down blind SQL injection

[Tiago Batista <tiagosbatista () gmail com>]

Thank you all for your input, this cleared my head about the subject.

I do agree that artificially slowing down the user is not a good idea,
but I was more interested on watching the result of the tristate answer
(yes/no/slow down) would have on the tools of the trade. I guess, I
better get some time and set up a testbed :)

As Francois pointed out, the tool has lots of time!

Again, thank you all for your input

Tiago

On Tue, 9 Oct 2007 23:51:56 -0400
Simon <simon.xhz () gmail com> wrote:

> Hi,
>   I think it is bad to use the "timing" information of requests to
> start counter-attacks (such as slowing down, or sending a message to
> the user, etc).  But it could be useful to log such thing or popup an
> alert to a human operator.  The alert would say something like
> "User1234 session start 3 min ago; delay between requests <1second
> (0.343sec); alarm #4 for this user"
>
> If it happens once, you can assume the user is a real human, if it
> happens lots you can assume there might be automation tools involved.
>
> Moving fast through HTML forms is not to be considered harmful in any
> case, it is most certainly convenient for the user!
>
> HTH,
>   Simon
>
> On 10/9/07, Francois Larouche
> <francois.larouche-ml () sqlpowerinjector com> wrote:
> > Hi,
> >
> > I completely agree with Shulman, a user especially if it's an
> > important one (director and above, or worst a important customer)
> > won't look at this "special protection" feature that impedes on the
> > normal process of the application with a good eye. Time is money.
> > And in the other hand a automated tool won't care about that delay
> > anyways. I know that my tool doesn't care about time delay, I can
> > just start it and go work on something else and just be patient. If
> > it takes 2 hours to get the admin credentials instead of 15
> > minutes? Who cares, I still got it, no? :) And even better, now the
> > network administrator won't be alarmed by a cluster of crazy number
> > of requests made about the same time.
> >
> > In any cases, by personal experience most of the time if there is a
> > spot with blind sql injection then the chances are high that
> > somewhere else there is a place where you can reflect data in much
> > fastest way. (with UNION or in an sql genered error reflected by
> > the webpage such as or 1 in (SELECT user)) So it defeats all the
> > efforts you put in, and only succeeded to eventually reduce the
> > user experience.
> >
> > It's good that you try to find solutions but just beware to not
> > make the security solution more important than the business. My
> > personal advice is try to find a solution that will be as
> > transparent as possible to the user.
> >
> > Cheers,
> >
> > Francois
> > > Hi,
> > >
> > > I believe this solution is a bit problematic.
> > > Cosider a scenario of a user not remembering the right username or
> > > password, and retyping several times or a user that is not
> > > familiar with a keyboard and inserting typos unintentionally.
> > > Your suggestion is to mistakenly interpret such user as an
> > > attacker performing SQL Injection queries?
> > >
> > > In addition an attacker that is determined to hack your site will
> > > tolerate the "slow down" however the user will not tolerate those.
> > >
> > > I do not see how much you can profit out of this solution and if
> > > you happen to think of a different alternative please update
> > > (sounds like a good research idea).
> > >
> > > Best Regards,
> > > S.H.
> > >
> > >
> > >
> > > > From: Tiago Batista <tiagosbatista () gmail com>
> > > > To: security-basics () securityfocus com
> > > > Subject: Slow down blind SQL injection
> > > > Date: Wed, 3 Oct 2007 04:11:30 +0100
> > > >
> > > > Hello all
> > > >
> > > > Today I was barainstorming and came up with an idea that my help
> > > > slow down blind sql injection on a web application.
> > > >
> > > > I remembered that usually a user will read a page before
> > > > subbmiting a new query, and that takes time, so why not keep a
> > > > timestamp on the user session and enforce some time between
> > > > queries?
> > > >
> > > > I did not search to find out if some applications out there are
> > > > using this, but I would like your input on the folowig:
> > > >
> > > > 1. depending on the timestamp, do you think the users will be
> > > > very anoyed at some error asking them to try again in a few
> > > > seconds?
> > > >
> > > > 2. given that most automated SQL injectors deped on a boolean
> > > > result form the query, and this ends up serving a thrid page,
> > > > how much will this confuse those tools?
> > > >
> > > > 3. Assuming that the pogrammer will log several attempts, will
> > > > this help to find and correct blind injection points?
> > > >
> > > > Thank you all
> > > >
> > > > Tiago
> > >
> > > _________________________________________________________________
> > > FREE pop-up blocking with the new MSN Toolbar - get it now!
> > > http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/