How to detect SQL Injection sitting at a reverse proxy?

I am writing a simple reverse proxy in java. So, I have access to all Http requests and responses exchanged between client and server. Sitting at the proxy I am trying to detect SQL Injection Attack.

I got few links - (like for example)

http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks

where some regex are mentioned, but I suppose it's not that simple. It is impossible to write regex for all possible/valid SQL statements. Because so many databases are there in the market and SQL statements must follow some grammer rules.

Let me break down the problem to a simple question -

Given a string, can it be checked that whether it contains a valid SQL statement?

Can anyone tell me the best way to do it? Or, any library which does that for me?

---

Let me first take my hat off to @neil-mcguigan who came up with the best comment of the year: "A sql injection attack is valid sql. That's why it works"

While keeping that axiom in mind, I think it's possible to rely on some heuristics to identify and block malicious behavior in general. For example, you will often see multiple unsuccessful attempts during an attack. The attacker's behavior and various attributes (such as source geo-IP, access time, user-agent or browser thumbprint, etc.) will likely be different from the average regular user. Many network security appliances in the market actually use these and combine them with other threat feeds for detection.

However, as soon as you grow to more than a single server to protect, it becomes extremely hard to persist and leverage this information. In a web farm, with load balancers and multiple reverse proxies, getting access to logs from every device, in real-time, and running heuristics against every unknown call is a bigger challenge than coming up with the heuristics themselves.

链接地址: http://www.djcxy.com/p/93464.html

上一篇: 服务器中的SQL注入

下一篇: 如何检测坐在反向代理的SQL注入？