SQL Injection Attacks and Defense - 2009

378 Chapter 9 • Platform-Level Defenses
Introduction
In Chapter 8, we discussed practices and defenses that you can employ at the code level
to prevent SQL injection. In this chapter, we’ll shift our focus to platform-level defenses
that detect, mitigate, and prevent SQL injection. A platform-level defense is any runtime
enhancement or configuration change that can be made to increase the application’s
overall security. The scope of protection we’ll cover in this chapter varies; however, as a
whole the techniques we’ll discuss can help you to achieve a multilayered security
architecture.
First we’ll examine runtime protection technologies and techniques, such as Web server
plug-ins and leveraging application framework features. We’ll follow this with strategies for
securing the data in the database, as well as the database itself, to help reduce the impact
of exploitable SQL injection vulnerabilities. Lastly, we’ll look at what you can do at the
infrastructure level to reduce the threat.
It is important to remember that the solutions discussed in this chapter are not a
substitute for writing secure code, but are complementary. A hardened database does not
stop SQL injection, but makes it significantly more difficult to exploit. A security filter
can serve as a virtual patch between vulnerability detection and code correction as well
as a formidable defense against zero-day threats, such as the “uc8010” automated SQL
injection attack that infected well over 100,000 Web sites in a few days. Platform-level
security is an important component to the overall security strategy for both existing and
new applications.
Using Runtime Protection
In this section, we’ll consider runtime protection to be any security solution that you can
use to detect, mitigate, or prevent SQL injection that is deployable without recompiling
the vulnerable application’s source code. The solutions covered here are primarily software
plug-ins for Web servers and development frameworks (e.g., the .NET Framework, J2EE,
PHP, etc.) or techniques for leveraging/extending features of the Web or application
platform. Most of the software solutions we’ll discuss are free and are available for download
on the Internet. We will not cover commercial products, although some may implement
one or more of the strategies and techniques discussed here.
Runtime protection is a valuable tool for mitigating and preventing exploitation of known
SQL injection vulnerabilities. Fixing the vulnerable source code is always the ideal solution;
however, the development effort required is not always feasible, practical, cost-effective, or
unfortunately a high priority. Commercial off-the-shelf (COTS) applications are often
purchased in compiled format, which eliminates the possibility of fixing the code. Even if
uncompiled code is available for a COTS application, customizations may violate support
contracts and/or prevent the software vendor from providing updates according to its normal