Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
SQL-RISC        New Directions in SQLi PreventionNick Galbreath                      RSA 2013-02-27
SQL-RISC:    NEW DIRECTIONS IN SQLI    DETECTION AND    PREVENTION    Nick Galbreath    IPONWEB►    Session ID:   ASEC-­‐W...
Latest version of these slides:http://client9.com/20130227/                   Tweet tweet: @ngalbreath                    ...
What if we could substantiallyreduce the SQLi attack surface    of a web application?            @ngalbreath
without new hardware orfirewalls?           @ngalbreath
without application changes?           @ngalbreath
and comes withfree SQLi attackmonitoring?            @ngalbreath
Wild Speculation?    @ngalbreath
A Brief History ofSQL
1970s: SQL Invented► Hey thats 40 years ago.► "Structured Query Language"► Why is it still around and so popular?► Exercis...
1972: Oracle Releases the FirstCommercial Database   Also, Coppola releases The Godfather               @ngalbreath
Remember the 80s?                  ► Networking sucked!                  ► TCP/IP not widespread                  ► Comput...
Centralize► Move computation as close as possible to the data► Move to super-servers► Have cheap/dumb clients             ...
1988: Oracle V6►   The Database is now a full programming environment►   Unicode/UTF8 not standard►   Complexity explosion...
And then the 1990s  ►   TCP/IP  ►   Cheap CPUs  ►   Web Browsers  ►   Attaching databases      to public networksThis is w...
2000+ Web Scale► Discovery that data problems are a lot more painful  than CPU problems.► Turns out disk drives are mechan...
SQL isnt going anywhere► For front-ends, general trend is federating data across  cheap machines, using stripped down SQL►...
SQLS DARK                  CORNERS► bit.ly/UkQd7Z
SQL is Huge►   40+ years of built up crud►   1992 spec is 625 pages of plain text►   2003 spec is 128 pages of BNF►   No o...
SQL Integer Forms• [0-9]+• 0x[0-9a-fA-F]+ 0xDEADbeef   MySQL, MSSQL   0x is case sensitive• 0x MSSQL only• xDEADbeef PgSQL...
SQL Floating Point Forms►   digits►   digits[.]►   digits[.]digits►   digits[eE]digits►   digits[eE][+-]digits►   digits[....
SQL Money Literals►   MSSQL has a money type.►   -$45.12►   $123.0►   +$1,000,000.00 Commas ignored►   Many symbols are ac...
SQL Ridiculous Operators▶ != not equals, standard▶ <=> mysql▶ <> mssql▶ ^= oracle▶ !>, !< not less than mssql▶ / oracle▶ !...
SQL Strings, Charset & Comments                        Such a tangled mess,                        I defer to my DEFCON   ...
SQLi Detection
Keyword Detection    s/UNION.ALL/i► The dumbest possible regexp.► Ive used this regexp as a goof for a while,  but oddly w...
By Using Regular ExpressionsTrying to catch more SQLi attacks leads to the question ofis user input SQLi or not? Using reg...
libinjectionFirst presented atBlack Hat USA 2012http://client9.com/20120725   iSEC Partners party at Bellagio
libinjection▶ Takes input and create tokens as if it SQL▶ Compares first 5 tokens to   "things that match SQLi"▶ 50k+ SQLi ...
Why do we have UNION at all?        ▶   http://www.deepthoughtsbyjackhandey.comand what else do I, the developer, never us...
Lets use libinjection to find   features of SQL used in   SQLi!► Thats what I wrote in the abstract.► Turns out to be not n...
A Highly Unscientific collection of    50,000+ SQLi attacks collected    from actual attacks, scanners,    how to guides, e...
SQL used in SQLi       union                    75% comments (any type)            70%     concat, etc                23% ...
95% reduction in SQLiBy eliminating the following in SQL:     ➡unions     ➡comments     ➡subselectsMore than 95% of all SQ...
98+% reduction in SQLi► By eliminating the remaining unusual SQL, more than  98% of SQLi samples were prevented or rejecte...
And of the course the obviousNot represented by frequency, but all database extensionsthat allow shell commands, networkin...
Introducing SQL-RISC    I call this simplified SQL –    SQL that limits SQLi damage --    SQL-RISC in honor of RISC computi...
Feasibility:Can public applicationsrun using SQL-RISC?
Can we replace unions?► Strongly suspect most? many? websites do not use  unions.► All unions can be rewritten into two qu...
Can we remove SQLcomments?► Uhh, I have a hard time getting developers to write any  comments, let alone comments in SQL.►...
Can we replace SQL subselects?► All subselects can be re-written as joins , with almost  no application level code changes...
Can we replace SQL string functions?► Including: substring, concatenation, encoding,  encrypting, char functions, replacem...
Other SQL Functionssleep/waitfor/shutdown   3.2%    Having a hard time seeing anyin boolean mode          1.7%    need for...
Enterprise Apps► If SQL-RISC were implemented as a separate client,  then  ► public apps could use SQL-RISC  ► internal ap...
SQL-RISCBenefits
Fixing SQLi the Old Way► Ensuring that every user input is  properly validated is intractable  (true, some frameworks help...
Fixing SQLi using SQL-RISC► Using SQL-RISC may some require some application  changes, however, this is  a greppable finite...
Auto-Detecting AttacksBy using SQL-RISC, critical SQLi features are de-activated.           SQLi Attacks             turn ...
SQL Syntax Errors are   Easy to Monitor    ► SQL Syntax errors are annoying but harmless, and are put into      logs (data...
But wont attackers just use another part of SQL?Of course they will!This is not a 100% solution but provides a good start ...
Next Steps             食品サンプル
Proof of Concept Patch► Making a source code patch to deactivating functions  and features should be a relatively simple t...
Access Control► However, best done via access control.► Different clients could enable or disable SQL functions  and featur...
Closed-Source► I challenge you!► Provide controls for advanced SQL features or provide  a simplified parser option.        ...
Lets Eat! ► Help wanted! ► contact me nickg@client9.com ► libinjection home page:   http://client9.com/libinjection    htt...
Upcoming SlideShare
Loading in …5
×

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013

1,664 views

Published on

What if we could reduce SQLi attacks in your application by 90%? WIth little to no changes in your application, with no new hardware or firewalls?

First presentated at RSA Conference USA, 2013-02-27

Published in: Technology
  • DOWNLOAD FULL BOOKS INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • 2013-02-27: added slides on 'does this prevent everything'
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • 2013-02-27: added slide on 'obvious' things to disable: xp_cmdshell, etc.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013

  1. 1. SQL-RISC New Directions in SQLi PreventionNick Galbreath RSA 2013-02-27
  2. 2. SQL-RISC: NEW DIRECTIONS IN SQLI DETECTION AND PREVENTION Nick Galbreath IPONWEB► Session ID: ASEC-­‐W23► Session Classification: Advanced
  3. 3. Latest version of these slides:http://client9.com/20130227/ Tweet tweet: @ngalbreath Originally presented at: RSA Conference USA Moscone Center San Francisco, California February 27, 2013 10:40 AM, Room 132
  4. 4. What if we could substantiallyreduce the SQLi attack surface of a web application? @ngalbreath
  5. 5. without new hardware orfirewalls? @ngalbreath
  6. 6. without application changes? @ngalbreath
  7. 7. and comes withfree SQLi attackmonitoring? @ngalbreath
  8. 8. Wild Speculation? @ngalbreath
  9. 9. A Brief History ofSQL
  10. 10. 1970s: SQL Invented► Hey thats 40 years ago.► "Structured Query Language"► Why is it still around and so popular?► Exercise for the reader: Pick any query you like, and write the equivalent in your favorite programming language.► SQL is scriptable data structures. @ngalbreath
  11. 11. 1972: Oracle Releases the FirstCommercial Database Also, Coppola releases The Godfather @ngalbreath
  12. 12. Remember the 80s? ► Networking sucked! ► TCP/IP not widespread ► Computers are fragile, expensive and slow ► Shoulder-pads so what do you do? @ngalbreath
  13. 13. Centralize► Move computation as close as possible to the data► Move to super-servers► Have cheap/dumb clients @ngalbreath
  14. 14. 1988: Oracle V6► The Database is now a full programming environment► Unicode/UTF8 not standard► Complexity explosion► ... but most clients are private Also in 1988: Crack Cocaine invented @ngalbreath
  15. 15. And then the 1990s ► TCP/IP ► Cheap CPUs ► Web Browsers ► Attaching databases to public networksThis is why most of usare here today. @ngalbreath
  16. 16. 2000+ Web Scale► Discovery that data problems are a lot more painful than CPU problems.► Turns out disk drives are mechanical► If your database maxes out, you have big problems... so move everything out of the database.► Complete reversal in strategy @ngalbreath
  17. 17. SQL isnt going anywhere► For front-ends, general trend is federating data across cheap machines, using stripped down SQL► SQL-like languages used by Amazon, Google and others.► Still great for analytics and reporting on the back end, and generic data storage.► But we stuck with legacy of the past. @ngalbreath
  18. 18. SQLS DARK CORNERS► bit.ly/UkQd7Z
  19. 19. SQL is Huge► 40+ years of built up crud► 1992 spec is 625 pages of plain text► 2003 spec is 128 pages of BNF► No one is completely compliant► Every one has special extensions SQL is more complicated than you think.... @ngalbreath
  20. 20. SQL Integer Forms• [0-9]+• 0x[0-9a-fA-F]+ 0xDEADbeef MySQL, MSSQL 0x is case sensitive• 0x MSSQL only• xDEADbeef PgSQL• b10101010 MySQL, PgSQL• 0b010101 MySQL @ngalbreath
  21. 21. SQL Floating Point Forms► digits► digits[.]► digits[.]digits► digits[eE]digits► digits[eE][+-]digits► digits[.][eE]digits► digits[.]digits[eE][+-]digits ► http://bit.ly/Qp6KTu► digits[.]digits[eE]digits► [.]digits► [.]digits[eE]digits► [.]digits[eE][+-]digits Optional starts with [+-]► "binary_float_infinity" (O) Optional ending with [dDfF] (Oracle) @ngalbreath
  22. 22. SQL Money Literals► MSSQL has a money type.► -$45.12► $123.0► +$1,000,000.00 Commas ignored► Many symbols are accepted for currency type @ngalbreath
  23. 23. SQL Ridiculous Operators▶ != not equals, standard▶ <=> mysql▶ <> mssql▶ ^= oracle▶ !>, !< not less than mssql▶ / oracle▶ !! factorial (pgsql)▶ |/ square root (pgsql)▶ ||/ cube root (pgsql)▶ ** exponential (oracle) @ngalbreath
  24. 24. SQL Strings, Charset & Comments Such a tangled mess, I defer to my DEFCON 20 talk: http:// client9.com/ 20120727/ @ngalbreath
  25. 25. SQLi Detection
  26. 26. Keyword Detection s/UNION.ALL/i► The dumbest possible regexp.► Ive used this regexp as a goof for a while, but oddly works well in detecting SQLi scans. dow► Almost zero false positives ore sha f @ngalbreath
  27. 27. By Using Regular ExpressionsTrying to catch more SQLi attacks leads to the question ofis user input SQLi or not? Using regular expressions youend up with something like this: (?:)s*whens*d+s*then)|(?:"s*(?:#|--|{))|(?:/*!s?d+)|(?:ch(?:a)?rs*(s*d)|(?:(?:(n?and|x?or|not)s+||||&&)s*w+ ()(?:[s()]cases*()|(?:)s*likes*()|(?:havings*[^s]+s*[^ws])|(?:ifs?([dw]s*[=<>~])(?:"s*ors*"?d)|(?:x(?:23| 27|3d))|(?:^.?"$)|(?:(?:^["]*(?:[d"]+|[^"]+"))+s*(?:n?and|x?or|not||||&&)s*[w"[+&!@(),.-])|(?:[^ws]w+s*[|-]s*"s* w)|(?:@w+s+(and|or)s*["d]+)|(?:@[w-]+s(and|or)s*[^ws])|(?:[^ws:]s*dW+[^ws]s*".)|(?:Winformation_schema| table_nameW)(?:"s**.+(?:or|id)W*"d)|(?:^")|(?:^[ws"-]+(?<=ands)(?<=ors)(?<=xors)(?<=nands)(?<=nots)(?<=||)(?<=& &)w+()|(?:"[sd]*[^ws]+W*dW*.*["d])|(?:"s*[^ws?]+s*[^ws]+s*")|(?:"s*[^ws]+s*[Wd].*(?:#|--))|(?:".**s* d)|(?:"s*ors[^d]+[w-]+.*d)|(?:[()*<>%+-][w-]+[^ws]+"[^,])(?:d"s+"s+d)|(?:^admins*"|(/*)+"+s?(?:--|#|/*|{)?)| (?:"s*or[ws-]+s*[+<>=(),-]s*[d"])|(?:"s*[^ws]?=s*")|(?:"W*[+=]+W*")|(?:"s*[!=|][ds!=+-]+.*["(].*$)|(?:"s*[!=|][d s!=]+.*d+$)|(?:"s*likeW+[w"(])|(?:siss*0W)|(?:wheres[sw.,-]+s=)|(?:"[<>~]+")(?:unions*(?:all|distinct|[(!@]*)? s*[([]*s*select)|(?:w+s+likes+")|(?:likes*"%)|(?:"s*likeW*["d])|(?:"s*(?:n?and|x?or|not ||||&&)s+[sw]+=s*w+ s*having)|(?:"s**s*w+W+")|(?:"s*[^?ws=.,;)(]+s*[(@"]*s*w+W+w)|(?:selects*[[]()sw.,"-]+from)|(?:find_in_sets* ()(?:ins*(+s*select)|(?:(?:n?and|x?or|not ||||&&)s+[sw+]+(?:regexps*(|soundss+likes*"|[=d]+x))|("s*ds*(?:--| #))|(?:"[%&<>^=]+ds*(=|or))|(?:"W+[w+-]+s*=s*dW+")|(?:"s*iss*d.+"?w)|(?:"|?[w-]{3,}[^ws.,]+")|(?:"s*iss*[d.]+ s*W.*")(?:[dW]s+ass*["w]+s*from)|(?:^[Wd]+s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert| desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)s+(?:(?:group_)concat|char|load_file)s?(?)| (?:ends*);)|("s+regexpW)|(?:[s(]load_files*()(?:@.+=s*(s*select)|(?:d+s*ors*d+s*[-+])|(?:/w+;?s+(?:having|and| or|select)W)|(?:ds+groups+by.+()|(?:(?:;|#|--)s*(?:drop|alter))|(?:(?:;|#|--)s*(?:update|insert)s*w{2,})|(?:[^w]SETs*@ w+)|(?:(?:n?and|x?or|not ||||&&)[s(]+w+[s)]*[!=+]+[sd]*["=()])(?:"s+ands*=W)|(?:(s*selects*w+s*()|(?:*/ from)|(?:+s*d+s*+s*@)|(?:w"s*(?:[-+=|@]+s*)+[d(])|(?:coalesces*(|@@w+s*[^ws])|(?:W!+"w)|(?:";s*(?:if|while| begin))|(?:"[sd]+=s*d)|(?:orders+bys+ifw*s*()|(?:[s(]+cased*W.+[tw]hen[s(])(?:(select|;)s+(?:benchmark|if|sleep) s*?(s*(?s*w+)(?:creates+functions+w+s+returns)|(?:;s*(?:select|create|rename|truncate|load|alter|delete|update|insert| desc)s*[[(]?w{2,})(?:alters*w+.*characters+sets+w+)|(";s*waitfors+times+")|(?:";.*:s*goto)(?:procedures+analyses* ()|(?:;s*(declare|open)s+[w-]+)|(?:creates+(procedure|function)s*w+s*(s*)s*-)|(?:declare[^w]+[@#]s*w+)|(execs* (s*@)(?:selects*pg_sleep)|(?:waitfors*delays?"+s?d)|(?:;s*shutdowns*(?:;|--|#|/*|{))(?:sexecs+xp_cmdshell)|(?:"s*! s*["w])|(?:fromW+information_schemaW)|(?:(?:(?:current_)?user|database|schema|connection_id)s*([^)]*)|(?:";?s*(?:select| union|having)s*[^s])|(?:wiifs*()|(?:execs+master.)|(?:union select @)|(?:union[w(s]*select)|(?:select.*w?user()| (?:into[s+]+(?:dump|out)files*")(?:merge.*usings*()|(executes*immediates*")|(?:W+d*s*havings*[^s-])|(?:matchs*[w(), +-]+s*againsts*()(?:,.*[)da-f"]"(?:".*"|Z|[^"]+))|(?:Wselect.+W*from)|((?:select|create|rename|truncate|load|alter|delete| update|insert|desc)s*(s*spaces*()(?:[$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)])(?:(sleep((s*)(d*) (s*))|benchmark((.*),(.*))))(?:(union(.*)select(.*)from))(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647| 0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|1e309)$) @ngalbreath
  28. 28. libinjectionFirst presented atBlack Hat USA 2012http://client9.com/20120725 iSEC Partners party at Bellagio
  29. 29. libinjection▶ Takes input and create tokens as if it SQL▶ Compares first 5 tokens to "things that match SQLi"▶ 50k+ SQLi samples, some from wild, some hand made, some from scans▶ C, 100k checks per second▶ Open Source, BSD License▶ http://client9.com/libinjection @ngalbreath
  30. 30. Why do we have UNION at all? ▶ http://www.deepthoughtsbyjackhandey.comand what else do I, the developer, never use, but is commonly used by SQLi attackers? @ngalbreath
  31. 31. Lets use libinjection to find features of SQL used in SQLi!► Thats what I wrote in the abstract.► Turns out to be not necessary► Used the 50,000+ SQLi samples library from libinjection and ...► ... the Awesome Power of Grep (well ... python regexp actually) @ngalbreath
  32. 32. A Highly Unscientific collection of 50,000+ SQLi attacks collected from actual attacks, scanners, how to guides, etc. But doesnt take into account:► Frequency► Severity► Uniqueness hat! So  W► Actual successful attacks versus probes► Doesnt look at exfiltration techniques @ngalbreath
  33. 33. SQL used in SQLi union 75% comments (any type) 70% concat, etc 23% hex number literals 22% subselects 22% chr(),char() 6%aes, hex, compress 4% SQL variables 2% @ngalbreath
  34. 34. 95% reduction in SQLiBy eliminating the following in SQL: ➡unions ➡comments ➡subselectsMore than 95% of all SQLi samples wereprevented. @ngalbreath
  35. 35. 98+% reduction in SQLi► By eliminating the remaining unusual SQL, more than 98% of SQLi samples were prevented or rejected.► Remaining 2% of SQLi attacks are all equivalent of 1 OR 1=1► Those remaining SQLi probes are mostly annoying, and mostly harmless. @ngalbreath
  36. 36. And of the course the obviousNot represented by frequency, but all database extensionsthat allow shell commands, networking calls, etc. •Oracle: dbms_pipe functions (networking, shell) •Oracle: ctxsys functions (admin info) •MSSQL: xp_cmdshell (shell access) •MSSQL: opendatasource (networking) •Oracle: utl_smtp (sending email) •You probably know of others.Most vendors provide ways to disable these commands, oroff by default. Will focus on pure SQL. @ngalbreath
  37. 37. Introducing SQL-RISC I call this simplified SQL – SQL that limits SQLi damage -- SQL-RISC in honor of RISC computing.http://en.wikipedia.org/wiki/Reduced_instruction_set_computing @ngalbreath
  38. 38. Feasibility:Can public applicationsrun using SQL-RISC?
  39. 39. Can we replace unions?► Strongly suspect most? many? websites do not use unions.► All unions can be rewritten into two queries. Minor overhead cost.► Applications can create views if absolutely required. @ngalbreath
  40. 40. Can we remove SQLcomments?► Uhh, I have a hard time getting developers to write any comments, let alone comments in SQL.► Or just allow /* */ only at start of query (some ORMs generate a comment on where the query is coming from) @ngalbreath
  41. 41. Can we replace SQL subselects?► All subselects can be re-written as joins , with almost no application level code changes needed.► SQLi that uses subselects can not be rewritten as joins (except in rare cases) @ngalbreath
  42. 42. Can we replace SQL string functions?► Including: substring, concatenation, encoding, encrypting, char functions, replacements► Easy to move into application logic► Suspect many web apps dont use these. @ngalbreath
  43. 43. Other SQL Functionssleep/waitfor/shutdown 3.2% Having a hard time seeing anyin boolean mode 1.7% need for them in publicdrop|create|replace 1.6%rand|random applications. 1.4%dbms_ 1.0%convert 0.9% Again, I was going to analyzeupdatexml|xmltype 0.9%generate_series 0.9% "real world" benign SQL, butrandomblob 0.8% Ive never used any of thesewaitfor 0.5% functions, ever, in any webextractvalue 0.5% application.begin 0.5%load_file 0.3%ascii 0.2%nvarchar 0.1%as binary 0.1%into outfile 0.01% @ngalbreath
  44. 44. Enterprise Apps► If SQL-RISC were implemented as a separate client, then ► public apps could use SQL-RISC ► internal apps could use regular SQL, and use all functions if required.► This would make adoption much easier. @ngalbreath
  45. 45. SQL-RISCBenefits
  46. 46. Fixing SQLi the Old Way► Ensuring that every user input is properly validated is intractable (true, some frameworks help, but .... only if you are using them)► Parameterized queries helps but some common SQL expressions cannot be expressed with parameterization (e.g. IN lists)► Auditing is very slow► Every code change may introduce new problem. @ngalbreath
  47. 47. Fixing SQLi using SQL-RISC► Using SQL-RISC may some require some application changes, however, this is a greppable finite problem. find . -name *.php | xargs grep -i union► Feasibility, conversion & testing can be done before deployment of SQL-RISC.► Once complete, the entire application, current and future is protected. @ngalbreath
  48. 48. Auto-Detecting AttacksBy using SQL-RISC, critical SQLi features are de-activated. SQLi Attacks turn into SQL Syntax Errors @ngalbreath
  49. 49. SQL Syntax Errors are Easy to Monitor ► SQL Syntax errors are annoying but harmless, and are put into logs (database and/or application) ► Trivial to monitor using existing tools (e.g. grep -i syntax error *.log ) ► Now you know where input validation isnt being done▶ You should be monitoring SQL syntax errors anyways! Major alert if you are being scanner! @ngalbreath
  50. 50. But wont attackers just use another part of SQL?Of course they will!This is not a 100% solution but provides a good start onsecurity by default.Possible pathways is not unlimited. Maybe I missedsomething, but then its likely to be some exotic part ofSQLThe more exotic the SQL, the easier it is to detect. @ngalbreath
  51. 51. Next Steps 食品サンプル
  52. 52. Proof of Concept Patch► Making a source code patch to deactivating functions and features should be a relatively simple task.► May be possible to produce a binary patch: perl -p -i -e mysqld s/UNION/blah/g @ngalbreath
  53. 53. Access Control► However, best done via access control.► Different clients could enable or disable SQL functions and features depending on need.► This is a more complicated patch! @ngalbreath
  54. 54. Closed-Source► I challenge you!► Provide controls for advanced SQL features or provide a simplified parser option. @ngalbreath
  55. 55. Lets Eat! ► Help wanted! ► contact me nickg@client9.com ► libinjection home page: http://client9.com/libinjection http:// client9.com /20130227/ @ngalbreath

×