Database Query String Analysis
Definition
Analyzing database queries to detect SQL Injection.
How it works
Some implementations use software hooks to intercept function calls related to database query operations. Other implementations might intercept or collect network traffic. The database query string is then extracted and analyzed with various methods, for example:
- Detecting specific administrative SQL commands.
- Detecting anomalous sequences of commands when compared to a statistical baseline.
- Detecting anomalous commands for a given user role.
Considerations
Some capabilities sanitize queries before permitting them to be transmitted to the database. This incurs risks such as altering data in an undesired way or breaking application functionality.
References
The following references were used to develop the Database Query String Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
System and method for internet security
MITRE Comments
This patent describes a technique for detecting SQL injection attacks. Software hooks are installed in a web service or application to intercept function calls, events, or messages passed between software components. Intercepted database queries associated with a web request are analyzed character by character; if a query contains a character that would modify its syntax, the query is rejected or sanitized. Security rules and policies may also determine rejection. For example, an administrator or developer may implement a rule that rejects any database query that is excessively long or that contains a particular string, such as "Xp cmdshell".
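As an added example (not code from the D3FEND article or the patent it cites), the Python below models the hook described under How it works and in the MITRE comments: a wrapper in front of the driver's execute call that analyzes each query string for excessive length, denylisted administrative commands such as xp_cmdshell, syntax-modifying tokens, and statement verbs outside the caller's role baseline, and rejects flagged queries rather than sanitizing them. The rule values, role baselines and sample queries are constructed for this example.

```python
import re
import sqlite3

# Constructed rules (not from the article or the patent): a length ceiling, an admin-command
# denylist, and per-role verb baselines standing in for the article's statistical baseline.
MAX_QUERY_LEN = 512
ADMIN_COMMANDS = re.compile(r"\b(xp_cmdshell|drop|alter|grant|shutdown)\b")
# Tokens that change query syntax rather than values; bound parameters never produce these.
SYNTAX_MODIFIERS = re.compile(r";|--|/\*|\*/|\bunion\b")
ROLE_BASELINE = {"reader": {"select"}, "editor": {"select", "insert", "update"}}

def analyze_query(query: str, role: str) -> list[str]:
    """Return finding labels for one intercepted query string; [] means clean."""
    lowered = query.lower()
    findings = []
    if len(query) > MAX_QUERY_LEN:
        findings.append("excessive_length")
    for cmd in ADMIN_COMMANDS.findall(lowered):
        findings.append(f"admin_command:{cmd}")
    if SYNTAX_MODIFIERS.search(lowered):
        findings.append("syntax_modifier")
    verb = lowered.split(None, 1)[0] if lowered.strip() else ""
    if verb not in ROLE_BASELINE.get(role, set()):
        findings.append(f"anomalous_for_role:{verb or 'empty'}")
    return findings

def guarded_execute(conn: sqlite3.Connection, role: str, query: str, params=()):
    """Hook in front of the driver: reject flagged queries instead of sanitizing them."""
    findings = analyze_query(query, role)
    if findings:
        raise PermissionError(f"query rejected: {findings}")
    return conn.execute(query, params)

def demo() -> dict:
    """Run constructed sample queries through the hook and collect the verdicts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")  # setup, not intercepted
    guarded_execute(conn, "editor", "INSERT INTO users VALUES (?, ?)", (42, "alice"))
    row = guarded_execute(conn, "reader", "SELECT name FROM users WHERE id = ?", (42,)).fetchone()
    samples = {
        "chained": "SELECT name FROM users WHERE id = 42; DROP TABLE users",
        "admin": "EXEC xp_cmdshell 'dir'",
        "wrong_role": "DELETE FROM users",
        "oversized": "SELECT name FROM users WHERE id = 1 " + "OR 1=1 " * 100,
    }
    verdicts = {label: analyze_query(q, "reader") for label, q in samples.items()}
    return {"row": row, "verdicts": verdicts}

if __name__ == "__main__":
    print(demo())
```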