
SQLi Attack Detection v0.1

SQL injection attacks (SQLi) are common web attacks that consist of injecting SQL commands through HTTP requests, enabling sensitive data disclosure or authentication scheme bypass. SQLi are the most dangerous software attacks according to the SANS Institute ranking.

The following figure shows an example of an SQL injection attack where the supplied input (blue) bypasses the authentication scheme, because after injection the request's condition always evaluates to "true".

[figure: sqlinject]

Thanks to Haka, it is possible to quickly write security rules to block this kind of attack. For instance, the following rule updates a score whenever an SQL keyword is found in the URI and raises an alert if this score exceeds a fixed threshold. This rule also shows Haka's ability to log suspicious events (passive reaction) and to drop malicious connections (active reaction).

local keywords = { 'select', 'insert', 'update', 'delete', 'union' }

haka.rule{
    hooks = { 'http-request' },
    eval = function (self, http)
        local score = 0
        -- http fields (uri, headers) are available through 'request' field
        local uri = http.request.uri

        for _, key in ipairs(keywords) do
            -- Check the whole uri against the list of malicious keywords
            if uri:find(key) then
                -- Update the score
                score = score + 4
            end
        end

        if score >= 8 then
            -- Raise an alert if the score exceeds a fixed threshold (compact format)
            haka.alert{
                description = string.format("SQLi attack detected with score %d", score),
                severity = 'high',
                confidence = 'low',
            }
            http:drop()
        end
    end
}

More advanced rules are given in the SQLi tutorial. Diving into this tutorial will show you how to:

  • Defeat evasion techniques by applying decoding functions on the uri
  • Have a fine-grained analysis by checking SQL keywords in precise locations of the http request
  • Avoid analysis of known safe resources (whitelisting)
  • etc.
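To make the scoring scheme of the rule above and the three tutorial points (decoding the URI, checking precise locations, whitelisting) concrete, here is an added stand-alone Python re-implementation of that detection logic. It is example code written for this page, not a Haka rule and not code from the Haka project: it keeps the same keyword list, the same score of 4 per keyword and the same threshold of 8, but looks only at query-parameter values, percent-decodes them (repeatedly, to undo nested encoding), matches keywords on word boundaries, and skips a constructed whitelist of safe paths. The sample URIs, the `SAFE_PATHS` set and the `Verdict` type are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import parse_qsl, unquote, urlsplit

# Same keyword list, per-keyword score and threshold as the Haka rule on this page.
KEYWORDS = ('select', 'insert', 'update', 'delete', 'union')
SCORE_PER_KEYWORD = 4
THRESHOLD = 8

# Constructed whitelist of resources that are never analysed (assumption for this example).
SAFE_PATHS = frozenset({'/static/app.js', '/healthz'})


@dataclass
class Verdict:
    """Result of evaluating one request URI (type defined for this example)."""
    uri: str
    score: int
    hits: List[str] = field(default_factory=list)
    action: str = 'pass'  # 'pass', 'whitelist' or 'drop'


def decode_uri(text: str, max_depth: int = 4) -> str:
    """Percent-decode until the value stops changing, to defeat nested encoding
    such as %2575 -> %75 -> 'u'. The depth bound avoids looping on hostile input."""
    current = text
    for _ in range(max_depth):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def keyword_hits(text: str) -> List[str]:
    """Return the SQL keywords present as whole words (case-insensitive).
    Word boundaries avoid flagging 'selected' or 'updates' as keywords."""
    lowered = text.lower()
    return [kw for kw in KEYWORDS if re.search(r'\b' + kw + r'\b', lowered)]


def evaluate(uri: str) -> Verdict:
    """Score a request URI the way the page's rule does, but only on decoded
    query-parameter values, and skip whitelisted paths entirely."""
    parts = urlsplit(uri)
    if parts.path in SAFE_PATHS:
        return Verdict(uri, 0, [], 'whitelist')

    found = set()
    # parse_qsl already decodes one layer; decode_uri handles any further layers.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        found.update(keyword_hits(decode_uri(value)))

    hits = [kw for kw in KEYWORDS if kw in found]
    score = SCORE_PER_KEYWORD * len(hits)
    action = 'drop' if score >= THRESHOLD else 'pass'
    return Verdict(uri, score, hits, action)


def run_samples() -> List[Verdict]:
    """Evaluate a few constructed request URIs (not captured traffic)."""
    samples = [
        '/products?id=1%20UNION%20SELECT%20name%20FROM%20users',  # two keywords -> drop
        '/items?sort=%2575pdate',                                 # double-encoded, one keyword -> pass
        '/static/app.js?v=select+union',                          # whitelisted path
        '/search?q=selected+items',                               # benign word containing 'select'
    ]
    return [evaluate(s) for s in samples]


if __name__ == '__main__':
    for v in run_samples():
        print(f'{v.action:9} score={v.score:2} hits={v.hits} uri={v.uri}')
```

Two things the keyword counting makes visible: decoding matters, because a single layer of decoding would leave `%2575pdate` unmatched, and a fixed keyword list only scores keyword-based payloads, so a request that injects nothing but operators and quotes (the kind of tautology shown in the figure above) scores 0 here. The score is a heuristic signal to be combined with the other tutorial techniques, not a complete detector.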