The idea is simple. You want to detect SQL injection when you have full access to the code and a QA team. You need to audit massively complex code that spans several servers and involves validation that may be happening on any of them, or on the client in JavaScript. You want to be able to bypass the JavaScript validation entirely - but not rewrite any JavaScript or do anything complicated - because you don't want to retrain any QA people, or even have to teach them what SQL injection is.
The approach: put a proxy between the client and the web tier that rewrites each request to carry an injection, and run a trace on the database to see whether the injection ever makes it into a query. It doesn't work in all cases, and sometimes there are better approaches - but it's another option, and it has a few advantages. Check out the article for diagrams, code, and some enhancement ideas.
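A minimal sketch of the two halves described above, as an added example rather than code from the linked article: `tag_params` is the rewrite a proxy would apply to each request, and `scan_trace` checks database trace output for the marker. The function names, the canary format and the trace lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

RANK = {"not seen": 0, "escaped": 1, "raw quote": 2}

def tag_params(body, run_id):
    """Proxy side: append a quote-bearing canary to every parameter.

    Returns (rewritten_body, {token: parameter_name}).
    """
    tokens, rewritten = {}, []
    pairs = parse_qsl(body, keep_blank_values=True)
    for i, (name, value) in enumerate(pairs):
        token = f"zq{run_id}p{i}z"  # trailing "z" stops p1 matching p10
        tokens[token] = name
        # The "x" keeps our quote away from the literal's opening quote.
        rewritten.append((name, f"{value}x'{token}"))
    return urlencode(rewritten), tokens

def scan_trace(trace_lines, tokens):
    """Database side: report how each canary shows up in traced SQL text."""
    findings = {name: "not seen" for name in tokens.values()}
    for line in trace_lines:
        for token, name in tokens.items():
            if f"x'{token}" in line:
                state = "raw quote"   # quote reached the query unmodified
            elif f"x''{token}" in line or f"x\\'{token}" in line:
                state = "escaped"     # quote was doubled or backslashed
            else:
                continue
            if RANK[state] > RANK[findings[name]]:
                findings[name] = state
    return findings

if __name__ == "__main__":
    # Constructed request body and trace lines, for illustration only.
    body, tokens = tag_params("user=bob&city=Oslo&page=2", run_id=7)
    trace = [
        "SELECT id FROM users WHERE name = 'bobx'zq7p0z'",
        "SELECT id FROM shops WHERE city = 'Oslox''zq7p1z'",
    ]
    print(body)
    for name, state in scan_trace(trace, tokens).items():
        print(f"{name}: {state}")
```

A parameter reported as "raw quote" is the one to hand to a developer; "not seen" only means the canary never appeared in the traced statements, which can also happen when the request was rejected before reaching the database.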