RE: New Paper - SQL Injection Signatures Evasion Apr 26 2004 08:38AM
Imperva Application Defense Center (adc imperva com)
Dear Mr. Mookhey,

The 'SQL Injection Signatures Evasion' paper is the result of a several
months-long research conducted by Imperva's ADC. This research began
long before the pulibcation of the 'Detection of SQL Injection and
Cross-Site scripting attacks', and was obviously never intended as a
means of countering the validity or necessity of your paper.

The reference to the paper was done exactly for the reasons you have
mentioned in your message. Altough not claiming to be a thorough guide,
the paper you have published is a very important paper, trying to use
the power of regular expressions to yield high coverage of SQL Injection
attacks detection. What we wanted to show was, that even such strong and
elaborate patterns, which would detect most of normal level application
level attacks, can not provide full protection, and will eventually be
bypassed using different evasion techniques (Obviously, once new
techniques are developed, more signatures can be added, but this is the
old cat & mouse game between the security experts and the hackers). Our
paper does not claim that the paper you have published is wrong in any
way or unprofessional. On the contrary, we do believe that this is one
of the best set of signatures we have seen published.

As for Imperva's Application Defense Center, I believe there is some
confusion. Imperva's Application Defense Center is an independant group
within Imperva, which is dedicated to research of new application
security topics, as well as provide application security services, such
as penetration tests. Although Imperva(tm) Inc. is developing such a
product, and although some of its concepts are obviously a result of the
experience of Imperva's ADC, all the research done in Imperva's ADC is
completely independant. The grounds for a new research are usually based
on real world problems we encounter during penetration tests, or other
issues we believe will be interesting to investigate. For these reasons
we will not discuss in this forum the capabilities of Imperva's

P.S., I am cc'ing this to the lists where you have posted it, but also
to webappsec, as I believe that is the proper place for that discussion.

Ofer Maor
Application Defense Center Manager
Phone: +972-3-6120133, Ext. 113
Fax: +972-3-7511133
Web Site:

-----Original Message-----
From: K. K. Mookhey [mailto:cto (at) (dot) in [email concealed]]
Sent: Monday, April 26, 2004 8:32 AM
To: Imperva Application Defense Center
Cc: bugtraq (at) securityfocus (dot) com [email concealed]; secpapers (at) securityfocus (dot) com [email concealed]
Subject: Re: New Paper - SQL Injection Signatures Evasion

This is in response to Imperva's email that it is trivial to evade
signature-based detection of SQL injection. There are a few points I'd
like to respond to in relation to their tone and content of the paper.
Well first lets take the tone:

The abstract of Imperva's paper says, among other things: "Moreover, it
has lately become a common belief that signatures are indeed sufficient
for SQL Injection protection. This belief has been backed up by a
recently published article, describing, allegedly, a thorough guide for
building SQL Injection signatures, in SnortT-like format." The "article"
is of course, the one on 'Detection of SQL injection and Cross-site
scripting attacks" that we wrote for Securityfocus

First of all, this article that we wrote was never intended to be a
"thorough guide" nor did it claim that anywhere in the entire text. In
fact, in the conclusion to that article, we clearly stated: "We
recommend that these signatures be taken as a starting point for tuning
your IDS or log analysis methods, in the detection of these Web
application layer attacks." That surely does not sound like we were
writing a thorough guide :)

Anyways, coming to the technical issues. I do agree that signature-based
detection isn't 100% foolproof. In fact, throughout the article we've
pointed out some signatures that would yield a high number of false
positives, and we've stated that in the conclusion as well. The idea was
to start off on one possible technique to detect web application
attacks. The fact that Snort signatures support Perl compatible regular
expressions (pcre), gives an enormous amount of flexibility in writing
concise signatures that cover a multitude of possibilities. The
signatures that we have listed may not always be directly applicable and
may require the administrator to tune those signatures to their specific

Also in your paper the attacker tries out standard SQL injection
techniques and then moves on to enumeration of the IDS signatures using
a whole bunch of attack signatures, which "...involves a tedious,
methodical process, of trial and error. Autolycus simply takes a list of
the attacks he uses during the hack, and tries them out one by one." In
the real world, it is quite likely that by doing so he would have raised
a huge number of alarms, which a diligent security administrator would
get alerted to. In fact, a large majority of the attacks listed out in
your paper would in fact be detected by these signatures. I won't go in
depth and analyze each evasion technique that you discuss.

But, I do agree that signature-based detection isn't the final word in
application attack detection. Nor is anamoly-based detection, which is
what your product "Imperva Application Defense Center" is based on. I
guess the final word on this subject is still a long way ahead. Maybe
its a product that combines both approaches. I was thinking of a product
that first uses anomaly-based techniques to develop a list of
signatures. Then the administrator has the option to accept or reject
the signatures, especially if they are going to be used for intrusion
*prevention*, rather than just intrusion *detection*. That probably
brings the best of both worlds - a product to analyze and build
signatures that not all administrators would be knowledgeable enough to
do themselves. Then presents a list of these with basic explanation of
what each one does. The administrator or the consultants can train the
product, just like one is supposed to do with an IDS - be it
signature-based or anamoly-based. Just a thought.

Our idea in writing that article was to provide a starting point for IDS
administrators to try and build in application level detection for
almost 99% of typical application attackers. The response that we got
indicated that people took it that way. We had emails of administrators
already having working signatures for Oracle-based SQL injection
attacks, of signatures that worked with mod_security of Apache, and
SecureIIS of Eeye, and feedback on the signatures themselves. Which
confirms my initial thought, that signature-based detection is a
feasible and cost-effective solution, though it will require more study
and better signatures.

I'd welcome a discussion on this topic, maybe on a more appropriate
forum such as webappsec (at) securityfocus (dot) com [email concealed] or focus-ids (at) securityfocus (dot) com [email concealed]


K. K. Mookhey
Network Intelligence India Pvt. Ltd.
Tel: +91-22-22001530/22006019
Security Consultancy Services

> ----- Original Message -----
> From: "Imperva Application Defense Center" <adc (at) imperva (dot) com [email concealed]>
> To: <bugtraq (at) securityfocus (dot) com [email concealed]>
> Sent: Monday, April 19, 2004 2:38 PM
> Subject: New Paper - SQL Injection Signatures Evasion
> Dear List,
> Imperva(tm)'s Application Defense Center has released a new white
> paper.
> The paper, titled 'SQL Injection Signatues Evasion', is based on
> research done at Imperva's ADC, and shows that providing protection
> against SQL injection using signatures alone is not enough. The paper
> demonstrates various techniques that can be used to evade SQL
> injection signatures, including advanced techniques that were
> developed during the research, and explains why it is not possible to
> adequately protect an application against SQL injection using
> signatures only.
> The paper can be viewed at
> (Both HTML and PDF versions are available)
> The paper was written by:
> Ofer Maor, Application Defense Center Manager
> Amichai Shulman, Chief Technology Officer
> Table of Contents
> -----------------
> - Abstract
> - Introduction
> - Recognizing Signature Protection
> - Common Evasion Techniques
> Different Encodings
> White Spaces Diversity
> TCP Fragmentation
> - Advanced Evasion Techniques
> The 'OR 1=1' Signature
> Evading Signatures with White Spaces
> Evading Any String Pattern
> - Conclusion
> - References
> Abstract
> --------
> In recent years, Web application security has become a focal center
> for security experts. Application attacks are constantly on the rise,
> posing new risks for the organization. One of the most dangerous and
> most common attack techniques is SQL Injection, which usually allows
> the hacker to obtain full access to the organization's Database.
> With the rise in SQL Injection attacks, security vendors have begun to

> provide security measures to protect against SQL Injection. The first
> ones to claim such protection have been the various Web Application
> Firewall vendors, followed by most IDS/IPS vendors.
> Most of this protection, however is Signature based. This is obviously

> the case with common IDS/IPS vendors, as they come from the network
> security world, and revolve around signature-based protection.
> However, most of the Web Application Firewalls base their SQL
> Injection protection on signatures as well. This is due to the fact
> that they inspect HTTP traffic only, and are able to look for attack
> patterns only within HTTP traffic. Moreover, it has lately become a
> common belief that signatures are indeed sufficient for SQL Injection
> protection. This belief has been backed up by a recently published
> article, describing, allegedly, a thorough guide for building SQL
> Injection signatures, in Snort(tm)-like format.
> The research done at Imperva's Application Defense Center shows,
> however, that providing protection against SQL Injection using
> signatures only is not enough. This paper demonstrates various
> techniques that can be used to evade SQL Injection signatures,
> including advanced techniques that were developed during the research.
> The paper further demonstrates why these techniques are actually just
> the tip of the iceberg of different evasion techniques, due to the
> richness of the SQL language. Eventually, the conclusion that the
> research leads to is that providing protection against SQL Injection
> using only signatures is simply not practical. A reasonably sized
> signature database will never be complete, while an attempt to create
> a complete comprehensive signature database, even if theoretically
> possible, will yield an amount of signatures that is impossible to
> handle while maintaining a reasonable performance requirement, and is
> likely to generate too many false positives.
> ---
> Application Defense Center
> Imperva(tm) Inc.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus