As we reported in the previous [Honeypot Alert] WordPress/Joomla/Mambo SQL Injection Scanning Detected alert - we have identified an increase in mass SQL Injection scanning targeting various community components.
While this scanning is still ongoing, we have identified a slight variation in the attack methodology used. Here are examples from today's web server logs:
Can you spot the difference in the SQL Injection payloads?
Mixed-Case Attack Payloads
The attackers are now using mixed-case in the SQL commands.
The purpose of mixing case of these attack payloads is to potentially evade any poorly constructed input validation blacklist filters.
Blacklist filtering is often used as a part of input validation in order to easily block known bad payloads. Here is a common blacklist filtering question posed to the community about preventing SQL Injection:
When writing blacklist filters, care should be taken to normalize data to prevent this type of evasion. In the OWASP ModSecurity Core Rule Set, we use two different techniques to handle mixed-case evasions:
Many rules use the "t:lowercase" transformation function to change all payloads to lowercase before applying the operator check.
While this process works, it does incur a performance hit in the form of added latency.
Ignore Case RegEx Flags
The other option is to modify the PCRE regular expression rule itself and apply the "IGNORE_CASE" modifier flag. In ModSecurity, this is accomplished by using one of the following syntaxes:
If you are using any blacklist filtering as part of input validation, I highly suggest you verify how you are handling mixed-case payloads.
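To make the two techniques concrete, here is an added Python example (not from the original post, and not ModSecurity rule syntax) that runs a naive case-sensitive blacklist, a lowercase-normalized blacklist (the t:lowercase approach) and an ignore-case regex (the modifier-flag approach) over constructed request lines; the blacklist tokens and request strings are assumptions made for the example.

```python
import re

# Constructed sample request lines (not taken from the original honeypot logs).
SAMPLE_REQUESTS = {
    "plain": "index.php?option=com_example&id=1 UNION SELECT 1,2,3--",
    "mixed": "index.php?option=com_example&id=1 UnIoN SeLeCt 1,2,3--",
    "benign": "index.php?option=com_example&id=42",
}

# A naive, case-sensitive blacklist (assumed tokens). Its author only thought
# about upper-case SQL keywords, which is exactly what mixed-case defeats.
BLACKLIST = ["UNION SELECT", "INFORMATION_SCHEMA"]

# Regex equivalent of the blacklist; (?i) is the PCRE inline ignore-case flag,
# so the input is matched as-is and no transformation pass is needed.
IGNORE_CASE_RX = re.compile(r"(?i)union\s+select|information_schema")


def naive_blacklist_hit(request: str) -> bool:
    """Case-sensitive substring match: misses any mixed-case payload."""
    return any(token in request for token in BLACKLIST)


def normalized_blacklist_hit(request: str) -> bool:
    """Normalize the input first (the t:lowercase approach), then compare
    against a lowercase copy of the same blacklist."""
    lowered = request.lower()
    return any(token.lower() in lowered for token in BLACKLIST)


def ignore_case_regex_hit(request: str) -> bool:
    """Leave the input alone and make the pattern case-insensitive instead
    (the IGNORE_CASE modifier-flag approach)."""
    return IGNORE_CASE_RX.search(request) is not None


def scan(request: str) -> dict:
    """Run all three checks on one request line and report which ones fire."""
    return {
        "naive": naive_blacklist_hit(request),
        "normalized": normalized_blacklist_hit(request),
        "regex": ignore_case_regex_hit(request),
    }


if __name__ == "__main__":
    for name, line in SAMPLE_REQUESTS.items():
        print(f"{name:7s} {scan(line)}")
```

The naive check fires only on the all-caps payload, while both normalized variants catch the mixed-case one and stay quiet on the benign request.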
SQL Injection Prevention
While blacklist filtering has its uses, it should not be used as the only method of preventing any attacks. Whitelist filtering of input is highly recommended in order to ensure that data is of the correct size, character set and format.
For SQL Injection, it is recommended that all developers review the OWASP SQL Injection Prevention Cheatsheet which has excellent guidance on properly constructing SQL queries.
Source: blog.spiderlabs.com