SQL Injection Attacks and Defense - 2009

Platform-Level Defenses • Chapter 9 379
release cycle. Legacy applications close to retirement may not warrant the time and effort
required to make the necessary code changes. Organizations may intend to make a code
change, but don’t have the resources in the near term to do so. These common scenarios
highlight the need for runtime protection in the form of virtual patching or band-aid solutions.
Even if the time and resources are available for code fixes, runtime protection can
still be a valuable layer of security to detect or thwart exploitation of unknown SQL
injection vulnerabilities. If the application has never undergone security code review or
penetration testing, application owners might not be aware of the vulnerabilities. There
is also the threat of “zero-day” exploit techniques as well as the latest and greatest SQL
injection worm traversing the Internet. In this way, runtime protection is not just a
reactive defense mechanism, but also a proactive step toward comprehensively securing
an application.
Although runtime protection provides many benefits, you need to consider some of
the costs that may be involved. Depending on the solution, you should expect some level of
performance degradation (as you would expect anytime additional processing and overhead
are incurred). When evaluating a solution, especially a commercial one, it is important to ask
for documented performance statistics. The other point of caution is that some runtime
solutions are more difficult to configure than others. If the solution is overly complex,
the time and resources spent getting it to work may exceed the costs of actually fixing the
code, or worse yet, you may decide not to use it at all. Ensure that the solution you select
comes with detailed installation instructions, configuration examples, and support
(this doesn’t always mean paid support; some free solutions provide good online support
through forums). The key to getting the most out of runtime protection is a willingness
to learn the boundaries of the technology and evaluate how it can best help you.
Web Application Firewalls
The most well-known runtime solution in Web application security is the use of a Web
application firewall (WAF). A WAF is a network appliance or software-based solution that
adds security features to a Web application. Specifically, we’re focusing on what WAFs can
offer in terms of SQL injection protection.
Software-based WAFs are typically modules embedded into the Web server or application
with minimal configuration. Primary benefits of software-based WAFs are that the Web
infrastructure remains unchanged, and HTTP/HTTPS communications are handled
seamlessly because they run inside the Web- or application-hosting process. Appliance-based
WAFs don’t consume Web server resources and they can protect multiple Web applications
of varying technologies. We will not cover network appliances any further, although you can
use some of the software solutions as a network appliance when running on a Web server
configured as a reverse proxy server.