Block SQL Injection

Hi all. Anybody know how I can block some characters to avoid SQL
Injection using Nginx as a web server or HTTP reverse proxy?
Thanks a lot.


You could use a rewrite. Although that type of protection is better done
at the script level.

On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:

Hi all. Anybody know how I can block some characters to avoid SQL
Injection using Nginx as a web server or HTTP reverse proxy?
Thanks a lot.

You can’t really, unless you write a custom module. Rewrite rules won’t
help since they don’t deal with the POST body. There may be some filter
module I’m unaware of that could do it, but I’d still suggest you don’t.
It’s much better to simply use software written by moderately capable
developers. SQL-injection is so trivial to avoid at the application
level that it’s borderline unforgivable to find it in a modern web app.

Regards,
Cliff
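To make Cliff's point concrete, here is an added example that is not from this thread: the character blocklist the question asks about, the string-spliced query such a filter tries to protect, and the parameterised query that fixes the problem where it lives. It assumes Python's standard sqlite3 module and a constructed two-row users table.

```python
import sqlite3

# Characters a proxy-level blocklist would reject: the approach the question
# asks about. It is incomplete and also rejects legitimate input.
BLOCKED_CHARS = set("'\";")


def passes_blocklist(value: str) -> bool:
    """Proxy-style check: True when no blocked character is present."""
    return not (BLOCKED_CHARS & set(value))


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    conn.commit()
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable pattern: input spliced into the SQL text, so a quote in it
    reaches the SQL parser as syntax rather than as data."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_role(conn: sqlite3.Connection, name: str):
    """Application-level fix: a bound parameter is always data, never SQL."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name: str) -> dict:
    """Run all three approaches on one input and report what each did."""
    conn = make_db()
    try:
        unsafe = find_role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:  # the quote broke the query text
        unsafe = f"error: {exc}"
    return {"blocklist_allows": passes_blocklist(name),
            "unsafe_query": unsafe,
            "parameterised": find_role(conn, name)}


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(n, compare(n))
```

For "O'Brien" the blocklist rejects a legitimate user, the spliced query fails because the apostrophe became SQL syntax, and only the parameterised query returns the right row.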

On Wed, Apr 20, 2011 at 3:22 PM, Cliff W. [email protected] wrote:

level that it’s borderline unforgivable to find it in a modern web app.

Except when it’s that eleventy-hundred-thousand-dollar application you
inherited from a departed CIO, and the vendor releases patches about
once a year, after which you then have to spend hundreds of man-hours
getting them through QA. Usually the app is from a “major enterprise
vendor” which took that departed CIO on a lot of golf trips. Note I am
not talking about Microsoft here - they’re actually saintly by
comparison.

Unfortunately, nginx is not an IPS or a Web Application Firewall. Both
categories can usually handle SQL and javascript injection attacks
with a little configuration. But good devices/software in this
category are very spendy. You may be able to block a specific attack
with some form of Regex filter in Apache, but that will be like
playing whack-a-mole, because there are undoubtedly other holes you
need to plug.


RPM

Ryan M. wrote:


I’d recommend looking into http://www.greensql.net/ or get layer7
application security provided by radware/juniper
-Payam

Put a daily backup on your databases. :slight_smile:

Regards,
Joe

On Thu, 2011-04-21 at 04:22 +0700, Joe wrote:

Put a daily backup on your databases. :slight_smile:

That doesn’t really solve the issue. Once someone has compromised the
database, they can usually leverage that to gain wider system access.

Cliff

On 20 Abr 2011 18h05 WEST, [email protected] wrote:

Hi all. Anybody know how I can block some characters to avoid SQL
Injection using Nginx as a web server or HTTP reverse proxy?

I think that using agentzh and chaoslawfull’s Embedded Lua module
might fit the bill. Although as stated above, that’s a hack. The proper
way to do it is at the app level.

— appa

I was easy… So you would use some admin’s stupidity to back up 23
years of experience? That makes no sense to me but hey, it’s ok, it’s the
internet after all

Hope you find an answer to your problem

On 4/20/11, Cliff W. [email protected] wrote:


Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

Cliff W. wrote:


How does exploiting your db = wider system breach? Sorry, but that makes
no sense and I’ve been doing system/network security & networking for
over 10 years.
A simple “securing db” means nothing; you need to understand that a)
there are different phases and layers in security and b) what are you
protecting, how are you protecting it and at what layer.

anyways, good luck
-Payam

On Wed, 2011-04-20 at 17:43 -0700, Payam C. wrote:


How does exploiting your db = wider system breach? Sorry, but that makes
no sense

Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company’s CMS or Webmail application, chances are you now have their
password for multiple services.

For a recent and well-publicized example of this type of intrusion,
Members of Anonymous hacked HBGary’s database via a SQL-injection attack
on their CMS, which eventually led to compromised email accounts. They
then leveraged this to obtain more sensitive information via social
engineering (using a stolen email address to get ssh passwords).

and I’ve been doing system/network security & networking for
over 10 years.

Well, I’ve been doing it for 23 years, so give yourself a little more
time.

Regards,
Cliff

On Thu, Apr 21, 2011 at 8:36 AM, Cliff W. [email protected] wrote:

Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company’s CMS or Webmail application, chances are you now have their
password for multiple services.

There is a good reason why bcrypt is recommended as a password hashing
method.

On Wed, 2011-04-20 at 20:07 -0700, Payam C. wrote:

I was easy… So you would use some admin’s stupidity to back up 23
years of experience?

The fact that it happened to be the admin who was inept only made the
attack simpler and more direct. It could have been any user’s account.

Any and all information is valuable in compromising a system. Databases
are not only a source, but often the primary source of such
information.

That makes no sense to me but hey, it’s ok, it’s the
internet after all

Yes, I’m aware it’s often a veritable race to the bottom, no need to
demonstrate.

Hope you find an answer to your problem

I don’t have any problems that I’ve aired in this thread, but thanks.

Cliff

On Thu, 2011-04-21 at 10:40 +0700, Edho P Arief wrote:

On Thu, Apr 21, 2011 at 8:36 AM, Cliff W. [email protected] wrote:

Easy. What data does your database store? Quite probably usernames and
passwords. A fundamental truth is that people often use the same
passwords for multiple services. If you can obtain the password for a
company’s CMS or Webmail application, chances are you now have their
password for multiple services.

There is a good reason why bcrypt is recommended as a password hashing method.

Yes, adaptive hashes are a huge improvement over the raw MD5/SHA hashes
so many people still use. Still, it’s best if no one gains access to
even try.

Also, for certain application domains, even if you don’t crack the
passwords, just gaining access via SQL injection can lead to immediate
system compromise (hosting control panels, system monitoring tools,
etc).

Regards,
Cliff