Security Research
Showing results for 
Search instead for 
Do you mean 

RSA Conference 2013: News on SQL Injection Detection and Prevention

yoneil on ‎03-07-2013 04:21 PM

Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and even though this presentation was dedicated to the topic of good old SQL injection, it got my attention.


The author and presenter Nick Galbreath promises a 98% reduction in SQL injection attacks for regular web applications. This promise is based on a simple observation made after analyzing piles of SQL code: SQL used in web applications – referred to as “everyday SQL” – and SQL used by attackers to mount SQL injection attacks – “SQLi SQL” – basically do not overlap. Meaning, attackers use SQL constructs that are rarely used by developers. For example, unions are used by attackers all over the place, but are rarely used otherwise. Same goes for comments, subselects, various built-in SQL functions whose effect can be achieved by similar logic applied much more easily at the application layer, SQL variables and a few more. It turns out that if applications are forced to respond to a subset of SQL that does not allow unions, comments, and subselects, they can achieve 95% reduction in SQL injection attacks. By eliminating the rest of the questionable constructs often used by attackers, applications can reduce SQL injection attacks by 98%.


The interesting thing about this approach is that it’s not tied to a particular detection technique. Any runtime monitoring or defense infrastructure capable of inspecting the queries executed by an application could apply it. Whether you are a developer still struggling with getting rid of SQL injection vulnerabilities in your code or a security practitioner figuring out new vulnerability and attack detection techniques, I encourage you to check out Nick Galbreath’s work. Full version of his RSA slides is available here.

0 Kudos
About the Author


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Aug 29 - Sep 1
Boston, MA
HPE Big Data Conference 2016
Attend HPE’s Big Data Conference to learn from peers in every industry and hear from Big Data experts and thought leaders in an exciting, energy fille...
Read more
Sep 13-16
National Harbor, MD
HPE Protect 2016
Protect 2016 is our annual conference and is the place to meet the world’s top information security talent, discuss new products and share information...
Read more
View all