万豪 数据泄露 sql注入

by Cossack Labs Dev Stories

哥萨克实验室开发故事

如何防止数据库泄漏和注入 (How to prevent database leaks and injections)

Most web and mobile apps have a backend that includes a database of some kind. Your front end consumes data from your back end, and also gathers new data to feed back into your database.

大多数Web和移动应用程序的后端都包含某种数据库。 前端从后端消费数据，还收集新数据以反馈到数据库中。

Often hackers will target your database for malicious attacks, trying to steal or modify sensitive pieces of information. But most back ends are pretty well protected, and the only attack vector available for malicious actions is through your front end itself.

黑客通常会将您的数据库作为恶意攻击的目标，试图窃取或修改敏感信息。 但是大多数后端都受到了很好的保护，可用于恶意操作的唯一攻击媒介是通过前端本身。

There are many traditional techniques for protecting your data. Most of them will hurt your performance and also limit the scope of protection of your data at the same time.

有许多传统技术可以保护您的数据。 它们中的大多数会损害您的性能，并且同时会限制数据的保护范围。

This post is about something else — several interesting techniques we’re using for detecting intruders in Acra, our open-source database protection suite.

这篇文章还涉及其他内容-我们正在使用几种有趣的技术来检测开源数据库保护套件Acra中的入侵者。

前端受到攻击！ (Front end under attack!)

No matter what kinds of authentication and encryption stand between your front end and the remaining parts of your system, you have to trust your front end to let it pass data on in. Any request your front end sends with the correct authentication parameters, your database has to serve.

不管前端与系统其余部分之间进行何种身份验证和加密，都必须信任前端以使其传递数据。前端发送的任何请求均带有正确的身份验证参数，即数据库必须服务。

But what if your front-end application gets exposed in a way that an attacker is able to alter execution or data request flow?

但是，如果您的前端应用程序以攻击者能够更改执行或数据请求流的方式公开，该怎么办？

If you trust your application and its credentials, you will serve all of its requests, no matter how malicious they are.

如果您信任您的应用程序及其凭据，则无论它们的恶意程度如何，都将满足其所有请求。

让我们介绍一个看门狗 (Let’s introduce a Watchdog)

Watchdog is a network proxy server that sits between your app and your database, and controls your data stream. If the infrastructure behind the app was not compromised and only front-end is under attack, the only way for attackers to get the data they’re after is sending malformed requests through this Watchdog.

看门狗是位于您的应用程序和数据库之间的网络代理服务器，并控制您的数据流。 如果应用程序背后的基础架构没有受到威胁，只有前端受到攻击，则攻击者获取其所要数据的唯一方法是通过此Watchdog发送格式错误的请求。

But apart from just enforcing access policy, it can filter correct requests and deny access for the obviously malicious ones.

但是，除了仅强制执行访问策略外，它还可以过滤正确的请求并拒绝针对明显恶意请求的访问。

So, what does such a Watchdog proxy do? It tries to detect anomalies and all large-scale selects that aren’t typical for an application flow. Then based on threat level, it either shuts down database access or generates notification events for monitoring.

那么，这种看门狗代理有什么作用？ 它尝试检测异常和所有非应用程序流所典型的大规模选择。 然后根据威胁级别，它要么关闭数据库访问，要么生成通知事件以进行监视。

Like the idea? Acra is such a watchdog, additionally providing cryptographic services, focused on selectively and flexibly protecting only sensitive parts of the data you store.

喜欢这个主意吗？ Acra就是这样的看门狗， 它还提供加密服务，专注于有选择地且灵活地仅保护您存储的数据的敏感部分。

我们应该检测什么样的不良要求？ (What kind of bad requests should we detect?)

Typical payloads for SQL Injections:

SQL注入的典型负载：

• Inserts, targeting authentication data插入，定位身份验证数据
• SELECT *选择 *
• Command execution命令执行
• Grant rights授予权
• Denial of service attacks拒绝服务攻击
• Typical signatures of escaping payloads to execution on database side转义有效负载以在数据库侧执行的典型签名

检测方法 (Detection methods)

Detection sounds simple — we should just look at the traffic that passes through Watchdog and match it against some rule. But SQL injections aren’t always simple binary arrays of bytes with pre-determined signatures, which are easy to spot. There are different methods you can use to efficiently scan the database request traffic:

检测听起来很简单-我们应该只查看通过看门狗的流量，并根据某些规则进行匹配。 但是SQL注入并不总是简单的带有预定签名的字节二进制数组，这些签名很容易发现。 您可以使用多种方法来有效地扫描数据库请求流量：

查询模板 (Query templates)

A simple, flexible method of detecting suspicious behavior is matching SQL requests against some list of patterns. It takes some effort to create such a list covering most of the typical attack vectors for your particular data flow. Then you have to match queries against this list. But this is an efficient way to spot most unsophisticated attempts at scale, and early on.

一种简单，灵活的检测可疑行为的方法是将SQL请求与某些模式列表进行匹配。 创建包含所有特定数据流的大多数典型攻击向量的列表需要花费一些精力。 然后，您必须将查询与此列表进行匹配。 但这是一种有效的方法，可以在早期发现大规模的复杂尝试。

毒药记录 (Poison records)

A classic design used to prevent SELECT *-type injections, poison record is a way to detect massive requests to the database. Designing your database requests yourself — or at least enumerating the ones your ORM generates — allows you to understand which tables with sensitive data are never accessed via requests with full scan requests. You can store a special record, a tag, in this table, which, when passing the Watchdog, triggers the alarm.

一种用于防止SELECT *类型注入的经典设计，中毒记录是一种检测对数据库的大量请求的方法。 设计自己的数据库请求-或至少枚举ORM生成的数据库-可以使您了解从未通过具有完整扫描请求的请求访问包含敏感数据的表。 您可以在此表中存储一个特殊记录，即一个标签，当通过看门狗时，会触发警报。

查询枚举 (Query enumeration)

— Let’s try injecting this way…

—让我们尝试以这种方式注入…

— Hmm, nah, doesn’t work

-嗯，不行

Most processes for finding and exploiting bugs rely on the try-fail-try-again cycle, in which attacker generates a lot of broken queries. Some of them will contain typical signatures, but overall they will increase the number of bad queries to your database.

查找和利用错误的大多数过程都依赖于try-fail-try-again循环，在该循环中，攻击者会生成很多损坏的查询。 其中一些将包含典型的签名，但总体而言，它们将增加对数据库的错误查询的数量。

While detecting these signatures is hard, detecting a sudden increase in empty/syntax error responses from the database is fairly easy.

虽然很难检测到这些签名，但是从数据库中检测空/语法错误响应的突然增加是很容易的。

One of the interesting challenges we’re pursuing right now is being able to detect abnormal (compared to regular request flow) behavior via a machine learning-trained classifier.

我们目前追求的有趣挑战之一是能够通过机器学习训练的分类器来检测异常(与常规请求流相比)行为。

如果攻击者发起了与正常应用程序行为无异的攻击，该怎么办？ (What if an attacker mounts an attack that’s indistinguishable from normal application behavior?)

If the attacker is able to reverse engineer the regular data flow and emulate it in a way that you can’t distinguish from the normal app behavior, they will be able to get past your watchdog.

如果攻击者能够对常规数据流进行反向工程并以您无法区别于正常应用行为的方式对其进行仿真，则他们将能够越过您的监视程序。

进一步阅读 (Further reading)

I recommend reading these three articles on classic and modern patterns in database defenses:

我建议阅读以下有关数据库防御的经典和现代模式的三篇文章：

Cossack Labs / Classic backend security design patternsIn modern client-server applications, most of the sensitive data is stored and (consequentially) leaked lives on the…www.cossacklabs.comCossack Labs / Key management for modern application security 101Frequently overlooked, much less hyped than quantum computers breaking trapdoor functions, managing keys is actually…www.cossacklabs.comCossack Labs / 12 and 1 ideas how to enhance backend data securityPreviously, we’ve talked about classic design patterns in backend data security, then about key management goals and…www.cossacklabs.com

哥萨克实验室/经典后端安全设计模式 在现代客户端-服务器应用程序中，大多数敏感数据都已存储，并且(因此)泄漏了生活在… www.cossacklabs.com 哥萨克实验室/现代应用程序安全性的密钥管理101 经常被忽略，很多量子计算机没有打破活板门功能的炒作，实际上是管理密钥…… www.cossacklabs.com 哥萨克实验室/ 12和1个想法如何增强后端数据安全性 以前，我们已经讨论了后端数据安全性中的经典设计模式，然后讨论了密钥管理目标和… www.cossacklabs.com

Thanks for reading.

谢谢阅读。

翻译自: https://www.freecodecamp.org/news/preventing-leaks-and-injections-in-your-database-be3743af7614/

万豪 数据泄露 sql注入