Hi Gregory,

As it is said, there is no single way to skin the cat :). Your approach is a valid one, by using the escaping transformation. Maybe you should check the s.escape.user [1].

Such checks make sense when using avp_db_query(), i.e. raw queries. The internal queries (like auth, etc.) are done via prepared statements, so they are safe from injection.

[1] https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
  https://www.siphub.com

On 30.11.2023 02:34, Gregory Massel via Users wrote:

Hi all

I'm wondering what the best practice is in terms of detecting and dropping attempted SQL injection attacks?

Is something like the following adequate or can this be enhanced:

if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
        drop();
}

Obviously this does not remove the need to escape anything passed to avp_db_query(), however, what I want to do is identify these sorts of attacks at the top of the script and avoid processing.

To date all the attacks I've seen focus on the Contact and From user, e.g.:

INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
Contact: <sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>
To: <sip:00111390237920793@x.x.x.x;transport=UDP>
From: <sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb

I'm not quite sure how to match the Contact user. Would the following work?
if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
        drop();
}
--
Regards
*Gregory Massel*
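The two ideas in this thread, the "does escaping change the value?" check Gregory proposes for the From/To/Contact user, and the prepared statements Bogdan points to for the internal queries, can be modelled outside the OpenSIPS script. The following Python is an added example, not code from the thread or from OpenSIPS: the SIP message is a constructed copy of the INVITE quoted above, escape_common() is an approximation of the {s.escape.common} transformation (backslash-escaping quote, double quote, backslash and NUL, which is an assumption about its exact character set), and the subscriber table is a throwaway SQLite fixture standing in for the real database.

```python
import re
import sqlite3

# Constructed sample, modelled on the INVITE quoted in the thread.
SAMPLE_INVITE = """INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
Contact: <sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>
To: <sip:00111390237920793@x.x.x.x;transport=UDP>
From: <sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb
"""

# Assumed character set of OpenSIPS {s.escape.common} (MySQL-style backslash escaping).
# Used here only for the detection check, never to build SQL.
ESCAPE_MAP = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}


def escape_common(value: str) -> str:
    """Approximation of {s.escape.common}: backslash-escape the characters above."""
    return "".join(ESCAPE_MAP.get(ch, ch) for ch in value)


def header(msg: str, name: str) -> str:
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in msg.splitlines():
        hname, sep, value = line.partition(":")
        if sep and hname.strip().lower() == name.lower():
            return value.strip()
    return ""


def uri_user(uri: str) -> str:
    """User part of a (possibly angle-bracketed) sip:/sips: URI, like {uri.user}."""
    m = re.match(r"^\s*<?sips?:([^@>]*)@", uri)
    return m.group(1) if m else ""


def looks_like_injection(user: str) -> bool:
    """The check from the thread: escaping changes the value iff it holds quote/backslash/NUL."""
    return user != escape_common(user)


def check_request(msg: str) -> dict:
    """Apply the check to From, To and Contact; `drop` mirrors calling drop() in the script."""
    users = {h: uri_user(header(msg, h)) for h in ("From", "To", "Contact")}
    suspicious = {h: u for h, u in users.items() if looks_like_injection(u)}
    return {"users": users, "suspicious": suspicious, "drop": bool(suspicious)}


def lookup_unsafe(conn: sqlite3.Connection, user: str) -> list:
    """String-built query, the avp_db_query() pattern the thread warns about."""
    return conn.execute(
        f"SELECT username FROM subscriber WHERE username='{user}'"
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, user: str) -> list:
    """Parameterised (prepared) statement: the user value never becomes SQL syntax."""
    return conn.execute(
        "SELECT username FROM subscriber WHERE username=?", (user,)
    ).fetchall()


def demo_db() -> dict:
    """Run both lookups with the From user from the sample; counts show the difference."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber(username TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?)", [("alice",), ("bob",)])
    user = check_request(SAMPLE_INVITE)["users"]["From"]  # a'or'3=3--
    # Unsafe: WHERE username='a' OR '3=3--'  ->  the second operand is truthy, every row matches.
    # Safe:   no subscriber literally named a'or'3=3--  ->  no rows.
    return {"unsafe_rows": len(lookup_unsafe(conn, user)),
            "safe_rows": len(lookup_safe(conn, user))}


if __name__ == "__main__":
    result = check_request(SAMPLE_INVITE)
    print("suspicious headers:", result["suspicious"], "drop:", result["drop"])
    print(demo_db())
```

Running it flags From and Contact (both carry a quote) while To passes, and the in-memory lookup returns every subscriber for the string-built query but none for the parameterised one. Note that escape_common() is deliberately not used to "fix" the unsafe query: SQLite escapes quotes by doubling rather than with a backslash, so a MySQL-style escape would not protect it, which is exactly why the escaping used must match the database behind avp_db_query() and why prepared statements are the safer default.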

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
