Security Research
RSA Conference 2013: News on SQL Injection Detection and Prevention

yoneil on 03-07-2013 04:21 PM

Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and one presentation got my attention even though it was dedicated to the topic of good old SQL injection.


The author and presenter Nick Galbreath promises a 98% reduction in SQL injection attacks for regular web applications. This promise is based on a simple observation made after analyzing piles of SQL code: the SQL used in web applications (referred to as “everyday SQL”) and the SQL used by attackers to mount SQL injection attacks (“SQLi SQL”) basically do not overlap. In other words, attackers rely on SQL constructs that developers rarely use. For example, unions appear all over the place in attacks but are rarely used otherwise. The same goes for comments, subselects, SQL variables, various built-in SQL functions whose effect is much more easily achieved by similar logic at the application layer, and a few more. It turns out that if applications are restricted to a subset of SQL that does not allow unions, comments, and subselects, they can achieve a 95% reduction in SQL injection attacks. By eliminating the rest of the questionable constructs often used by attackers, applications can reduce SQL injection attacks by 98%.
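To make the “everyday SQL” idea concrete, here is an added example (written for this post, not Nick Galbreath’s own code or tooling) of a small query monitor that tokenizes each SQL statement an application is about to execute and flags the constructs named above: unions, comments, subselects, SQL variables, and a handful of built-in functions. The function set, the tokenizer, and the sample queries are all constructed for illustration; the slides list the real constructs and their frequencies.

```python
"""Flag queries that leave the 'everyday SQL' subset (illustrative, not libinjection)."""
import re
from dataclasses import dataclass, field

# Keywords the talk singles out as rare in application code but common in attacks.
RARE_KEYWORDS = {"UNION"}
# Assumed examples of built-in functions whose effect is easier to get at the
# application layer; this set is illustrative, not the list from the slides.
RARE_FUNCTIONS = {"CHAR", "CONCAT", "SLEEP", "BENCHMARK", "LOAD_FILE"}

# A deliberately small SQL tokenizer: comments, strings, @variables, numbers,
# words, parentheses and single-character punctuation. Whitespace is skipped.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|[#][^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<variable>@@?\w+)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_]\w*)
  | (?P<lparen>\()
  | (?P<rparen>\))
  | (?P<punct>[^\s\w'@()])
""", re.VERBOSE | re.DOTALL)


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def tokenize(sql: str) -> list:
    """Return (kind, text) pairs for every token in the statement."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)]


def check_query(sql: str) -> Verdict:
    """List every construct in the query that falls outside the everyday subset."""
    tokens = tokenize(sql)
    reasons = []
    depth = 0  # parenthesis nesting; a SELECT inside parentheses is a subselect
    for i, (kind, text) in enumerate(tokens):
        if kind == "comment":
            reasons.append(f"comment: {text.strip()}")
        elif kind == "variable":
            reasons.append(f"SQL variable: {text}")
        elif kind == "lparen":
            depth += 1
        elif kind == "rparen":
            depth = max(0, depth - 1)
        elif kind == "word":
            upper = text.upper()
            next_kind = tokens[i + 1][0] if i + 1 < len(tokens) else None
            if upper in RARE_KEYWORDS:
                reasons.append(f"keyword: {upper}")
            elif upper == "SELECT" and depth > 0:
                reasons.append("subselect")
            elif upper in RARE_FUNCTIONS and next_kind == "lparen":
                reasons.append(f"function: {upper}")
    return Verdict(allowed=not reasons, reasons=reasons)


def audit(queries: list) -> dict:
    """Check a batch of queries; maps each statement to its Verdict."""
    return {sql: check_query(sql) for sql in queries}


# Constructed sample of statements as a runtime monitor might see them.
SAMPLE_QUERIES = [
    "SELECT id, name FROM users WHERE id = 42",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
    "SELECT name FROM products WHERE id = 7 UNION SELECT name FROM categories",
    "SELECT name FROM products WHERE id = 7 -- note",
    "SELECT name FROM products WHERE id IN (SELECT product_id FROM stock)",
    "SELECT @@version",
    "SELECT CONCAT(first_name, last_name) FROM users",
]

if __name__ == "__main__":
    for sql, verdict in audit(SAMPLE_QUERIES).items():
        status = "allowed" if verdict.allowed else "flagged"
        print(f"{status:8} {sql}")
        for reason in verdict.reasons:
            print(f"         - {reason}")
```

Because the check runs on the final statement rather than on user input, it fits anywhere queries can be observed: a database driver wrapper, a proxy, or a database-side audit hook. Queries that legitimately need a flagged construct are best handled by an explicit allowlist of known statements rather than by relaxing the subset for everyone.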


The interesting thing about this approach is that it is not tied to a particular detection technique. Any runtime monitoring or defense infrastructure capable of inspecting the queries executed by an application could apply it. Whether you are a developer still struggling to get rid of SQL injection vulnerabilities in your code or a security practitioner figuring out new vulnerability and attack detection techniques, I encourage you to check out Nick Galbreath’s work. The full version of his RSA slides is available here.
