Security Research
Showing results for 
Search instead for 
Do you mean 

RSA Conference 2013: News on SQL Injection Detection and Prevention

yoneil on ‎03-07-2013 04:21 PM

Last week San Francisco welcomed the annual RSA Conference 2013. I was lucky to attend the conference for a day, and even though this presentation was dedicated to the topic of good old SQL injection, it got my attention.


The author and presenter Nick Galbreath promises a 98% reduction in SQL injection attacks for regular web applications. This promise is based on a simple observation made after analyzing piles of SQL code: SQL used in web applications – referred to as “everyday SQL” – and SQL used by attackers to mount SQL injection attacks – “SQLi SQL” – basically do not overlap. Meaning, attackers use SQL constructs that are rarely used by developers. For example, unions are used by attackers all over the place, but are rarely used otherwise. Same goes for comments, subselects, various built-in SQL functions whose effect can be achieved by similar logic applied much more easily at the application layer, SQL variables and a few more. It turns out that if applications are forced to respond to a subset of SQL that does not allow unions, comments, and subselects, they can achieve 95% reduction in SQL injection attacks. By eliminating the rest of the questionable constructs often used by attackers, applications can reduce SQL injection attacks by 98%.


The interesting thing about this approach is that it’s not tied to a particular detection technique. Any runtime monitoring or defense infrastructure capable of inspecting the queries executed by an application could apply it. Whether you are a developer still struggling with getting rid of SQL injection vulnerabilities in your code or a security practitioner figuring out new vulnerability and attack detection techniques, I encourage you to check out Nick Galbreath’s work. Full version of his RSA slides is available here.

0 Kudos
About the Author


Nov 29 - Dec 1
Discover 2016 London
Learn how to thrive in a world of digital transformation at our biggest event of the year, Discover 2016 London, November 29 - December 1.
Read more
Each Month in 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all