Mysql-Proxy Heuristic SQL Injection Detection
August 5th, 2008 | by Stefan Esser

“MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.”
The flexibility of MySQL Proxy comes from the fact that every aspect of it is scriptable with Lua. Because I am new to MySQL Proxy and to the Lua language, I tried to implement a very simple script that waits for incoming SQL queries, tokenizes them, and tries to detect SQL injection heuristically by searching for certain disallowed SQL functions, databases, tables, statements or comments. When an SQL query is believed to contain an SQL injection, it is not executed and a “Possible SQL injection” error is returned instead.
You can grab the detect_sql_injection.lua script at
http://www.suspekt.org/downloads/detect_sql_injection.lua.gz
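To illustrate the approach described above, here is a minimal read_query() hook in MySQL Proxy's Lua. This is an added example, not the detect_sql_injection.lua script from the post; the proxy.* API names, the tiny tokenizer and the blocklist contents are my assumptions for the example.

```lua
-- Added example, not the post's detect_sql_injection.lua. The proxy.* names
-- follow the MySQL Proxy Lua API as assumed here; blocklists are constructed.
local DISALLOWED = {
  keywords  = { benchmark = true, sleep = true, load_file = true,   -- functions
                union = true, outfile = true, dumpfile = true },    -- statements
  databases = { information_schema = true, mysql = true },
}
-- Tiny tokenizer: first matching pattern wins. String literals become opaque
-- tokens so that 'union' inside quotes is not a hit (escapes not handled).
local PATTERNS = {
  { "string",  "^'[^']*'" }, { "string", '^"[^"]*"' },
  { "comment", "^%-%-" }, { "comment", "^/%*" }, { "comment", "^#" },
  { "word",    "^[%w_.]+" },                   -- keywords, names, db.table
  { "skip",    "^." },                         -- whitespace and punctuation
}
local function tokenize(sql)
  local tokens, i = {}, 1
  while i <= #sql do
    for _, p in ipairs(PATTERNS) do
      local text = sql:match(p[2], i)
      if text then
        if p[1] ~= "skip" then tokens[#tokens + 1] = { kind = p[1], text = text:lower() } end
        i = i + #text
        break
      end
    end
  end
  return tokens
end

-- Returns nil for a query that looks clean, otherwise a short reason string.
function detect_sql_injection(sql)
  for _, t in ipairs(tokenize(sql)) do
    if t.kind == "comment" then
      return "comment " .. t.text
    elseif t.kind == "word" and DISALLOWED.keywords[t.text] then
      return "keyword " .. t.text
    elseif t.kind == "word" and DISALLOWED.databases[t.text:match("^([%w_]+)%.") or ""] then
      return "database " .. t.text        -- qualified reference such as mysql.user
    end
  end
end

function read_query(packet)         -- MySQL Proxy hook, called per client packet
  if packet:byte() ~= proxy.COM_QUERY then return end
  local reason = detect_sql_injection(packet:sub(2))
  if reason then
    proxy.response.type   = proxy.MYSQLD_PACKET_ERR
    proxy.response.errmsg = "Possible SQL injection (" .. reason .. ")"
    return proxy.PROXY_SEND_RESULT  -- answer the client; the server never sees it
  end
end
```

A blocklist of this kind will also reject legitimate queries that happen to use these names and can be circumvented by queries it does not anticipate, so it is best used as a monitoring aid alongside parameterized queries rather than as the only line of defence.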
If you are interested in this and speak German, you might also be interested in next week’s MySQL webinar “Bau sicherer LAMP Anwendungen”, where I will discuss not only this little Lua script but also another one that implements SQL injection detection by learning query structure.
5 Responses to “Mysql-Proxy Heuristic SQL Injection Detection”
By Johny on Aug 5, 2008 | Reply
Sounds like an interesting opportunity in SQL protection, especially if you are not able to review all the code running from the database and prevent injection by code; maybe just somebody else did.
Will there be a summary or recording of your webinar available, ’cause I will not be able to visit? German is also okay.
By Christopher on Aug 5, 2008 | Reply
Lua is not an acronym, it’s a Portuguese word meaning moon.
By Stefan Esser on Aug 15, 2008 | Reply
The webinar will be downloadable on the MySQL website. I will post a link to my blog when it is online.