Mark,

The comment block obfuscation technique has been posted in blog articles
that I have read through the years; however,
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ seems to be the
only one that I can pull up after a 30-second search. Needless to say, I am
almost certain that I have seen working examples in the past, which has led
me to attempt to scan for them.

// Separator chars (note CS includes '.', so (#CS#)*? matches any run of
// characters between the two tokens of a rule)
CS = '.|[^[:alnum:]]';
// Short list of db objects to protect
DBObj.short = 'database|function|procedure|role|table|trigger|user|view';

// Build the regex: each rule needs a keyword plus its usual context,
// so a lone keyword in ordinary text does not match
blackList = '@@|' &
            'alter(#CS#)*?(#DBObj.short#)|' &
            'cast(#CS#)*?\(|' &
            'char(#CS#)*?\([[:alnum:]]{2}\)|' &
            'create(#CS#)*?(#DBObj.short#)|' &
            'declare(#CS#)*?(@|cursor)|' &
            'delete(#CS#)*?from(#CS#)*?_|' &
            'drop(#CS#)*?(#DBObj.short#)|' &
            'exec(#CS#)*?\(|' &
            'insert(#CS#)*?values(#CS#)*?\(+?|' &
            'sysObjects|' &
            'truncate(#CS#)*?table|' &
            'update(#CS#)*?set(#CS#)+?|' &
            '(s|x)p_[[:alnum:]_]+?|' &
            '(\''(#CS#)*?(--)+?)|' &
            '((--)+?(#CS#)*?\'')|' &
            '/\*(#CS#)*?\*/';

An incomplete but reasonable regex that allows individual keywords to pass,
assuming that there are no other characters/keywords which would indicate a
possible threat in the parsed string; it also includes a scan for block
quotes (even if only for my own peace of mind: whitespace obfuscation and
word split). I would do better; however, I am not generally granted free
licence to spend time posting to discussion lists while I am supposed to be
working, else I would have written/posted actual code earlier.

What was the point of my original post then?

To illustrate that the list/array check is not a good enough solution, even
as a stopgap, and to get people to perhaps look at doing a little more
research on their 'patch' before they go away and dedicate the requisite
hours to find and repair all missing queryparams etc., leaving their sites
still vulnerable. Sites are still being hit - is it better to wait 12+ hours
to make the point, or get the idea into someone's head now?

Just a note: I don't think a single post qualifies as 'peppering', nor do I
believe that pointing out legitimate flaws qualifies as pedantic.

G
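
As an added illustration (not code from this post or from anyone else on the CF-Talk thread), the following Python ports the regex above, puts it beside the naive whitespace-split keyword list that the post argues against, and runs both over a few constructed inputs. It then runs the same inputs through a string-built query and a bound-parameter query (the equivalent of cfqueryparam) against an in-memory SQLite table. SQLite is an assumption standing in for the SQL Server setup the thread is about: the DECLARE/EXEC payloads are MSSQL-specific and will not execute there, so the query part only demonstrates the quote-tautology case. The KEYWORDS set, the sample strings, the items table and all function names are constructed for this example.

```python
import re
import sqlite3

# Separator chars and the short DB-object list, ported from the ColdFusion
# regex in the post above. CS includes '.', so (CS)*? is in practice a lazy
# "any run of characters" between the two tokens of each rule.
CS = r'(?:.|[^a-zA-Z0-9])'
DBOBJ = r'(?:database|function|procedure|role|table|trigger|user|view)'

BLACKLIST = re.compile(
    r'@@|'
    rf'alter{CS}*?{DBOBJ}|'
    rf'cast{CS}*?\(|'
    rf'char{CS}*?\([a-zA-Z0-9]{{2}}\)|'
    rf'create{CS}*?{DBOBJ}|'
    rf'declare{CS}*?(?:@|cursor)|'
    rf'delete{CS}*?from{CS}*?_|'
    rf'drop{CS}*?{DBOBJ}|'
    rf'exec{CS}*?\(|'
    rf'insert{CS}*?values{CS}*?\(+?|'
    r'sysobjects|'
    rf'truncate{CS}*?table|'
    rf'update{CS}*?set{CS}+?|'
    r'(?:s|x)p_[a-zA-Z0-9_]+?|'
    rf"(?:'{CS}*?(?:--)+?)|"
    rf"(?:(?:--)+?{CS}*?')|"
    rf'/\*{CS}*?\*/',
    re.IGNORECASE | re.DOTALL,
)

# A naive "list/array check": split on whitespace and look each token up in
# a keyword list (constructed here). This is the stopgap the post argues
# is not good enough.
KEYWORDS = {'declare', 'cast', 'exec', 'select', 'insert', 'update',
            'delete', 'drop', 'union'}


def naive_list_check(value):
    """True if any whitespace-delimited token is a blacklisted keyword."""
    return any(tok.lower() in KEYWORDS for tok in value.split())


def regex_check(value):
    """True if the ported context-sensitive blacklist matches anywhere."""
    return BLACKLIST.search(value) is not None


def _demo_db():
    """Throw-away in-memory table (constructed) so the queries run offline."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE items (id TEXT, name TEXT)')
    conn.execute("INSERT INTO items VALUES ('1', 'widget')")
    conn.execute("INSERT INTO items VALUES ('2', 'gadget')")
    return conn


def lookup_unsafe(value):
    """String-built query: the 'before' that a blacklist is trying to protect."""
    conn = _demo_db()
    sql = "SELECT name FROM items WHERE id = '" + value + "'"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_param(value):
    """Bound parameter (what cfqueryparam does): the input is data only."""
    conn = _demo_db()
    rows = conn.execute('SELECT name FROM items WHERE id = ?', (value,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


# Constructed sample inputs: one benign, three hostile.
SAMPLES = {
    'benign':    'Please update the table of contents',
    'plain':     "1; DECLARE @S VARCHAR(4000)",
    'split':     "1; DE/**/CLARE @S VARCHAR(4000)",
    'tautology': "1' OR '1'='1",
}

if __name__ == '__main__':
    for label, s in SAMPLES.items():
        print(f"{label:10} list={naive_list_check(s)!s:5} regex={regex_check(s)!s:5}")
```

Running it shows the three behaviours the post describes: the list check flags the benign sentence (a lone "update") but lets "DE/**/CLARE" through, while the ported regex passes the benign sentence and catches the split keyword via its comment-block rule. Neither check matches the quote tautology, and the string-built query returns every row for it while the bound-parameter query returns none, which is the reason the post treats any blacklist as a stopgap until the missing queryparams are fixed.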

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309564