How to Protect Against SQL Injection Using Apache - Codexpress

Código Café     



06/08/2022 15:13:18

How to Protect Against SQL Injection Using Apache

Learn how to protect legacy systems against SQL injection attacks using only the Apache web server

Logic

SQL injection is an attempt to compromise a system by injecting arbitrary, unauthorized SQL code into a server. SQL stands for Structured Query Language, a language designed to manage data in a database. An SQL injection is an attempt to compromise a system by injecting malicious code into existing SQL statements in order to deceive or compromise systems. Attackers use this technique to intercept data or locate administrator credentials, which helps them gain full control over a system or network.

Most of the time, good programming practices are enough to protect your system against an SQL injection attack, but in some cases, on old systems written in a procedural style, the problem can be worse. Where updating the code is not possible, alternative ways of securing the system are needed. A good option is to create rules on the web server that identify attack attempts and redirect the attacker to a specific endpoint where you can log the attempt and alert your security team that an attack is in progress.

The example below is for an Apache server, where we create rules in .htaccess to identify attempts to inject SQL code into the system. In the case below we detect a few SQL commands, and when they appear in the query string we redirect to a PHP script that we will call honeypot.php; that script holds the logic to handle the attack attempt and alert the security team.

Express Code

# PROTECT AGAINST SQL INJECTION AND REDIRECT TO THE HONEYPOT
RewriteEngine On

# Do not re-match requests that are already headed for the honeypot: the
# redirect keeps the original query string, so without this exclusion the
# rule would match /honeypot.php again and loop forever.
RewriteCond %{REQUEST_URI} !^/honeypot\.php$ [NC]

# Any of the following keywords in the raw (undecoded) query string trips the rule.
# These are plain substring matches, so benign values such as "selection" or
# "systems" also match; review the list against your application's parameters.
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} delete [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
# %0b : vertical tab (a URL-encoded ';' would be %3B)
RewriteCond %{QUERY_STRING} %0b [NC,OR]
# %0d : carriage return (a URL-encoded '=' would be %3D)
RewriteCond %{QUERY_STRING} %0d [NC,OR]
# %2A : *
RewriteCond %{QUERY_STRING} %2A [NC,OR]
RewriteCond %{QUERY_STRING} unhex [NC]

# External redirect; the original query string is appended to /honeypot.php
# so the script can log the full attempt. Note that 301 responses are cached
# by browsers, so a user who trips the rule once keeps being redirected.
RewriteRule ^/?(.*) /honeypot.php [R=301,L]
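The post names honeypot.php but does not show it. The following is an added example of what that script could look like, written for this article and not the post's own code. It records the redirected request as one JSON line in a log file, rate-limits e-mail alerts to the security team, and returns a generic 403 without echoing anything from the request. The log path, alert recipient, sender address and cooldown are assumptions; the script relies on the fact that the Apache redirect above keeps the original query string, so the suspicious input reaches the script intact.

```php
<?php
// honeypot.php: target of the .htaccess redirect in the post.
// Added example, not part of the original article.
declare(strict_types=1);

// ASSUMPTION: the log directory lives outside the document root and is writable
// by the web server user.
const HONEYPOT_LOG   = '/var/log/honeypot/attempts.jsonl';
const ALERT_MARKER   = '/var/log/honeypot/last_alert';
// ASSUMPTION: alert recipient, sender and minimum seconds between alerts.
const ALERT_TO       = 'security-team@example.com';
const ALERT_FROM     = 'honeypot@example.com';
const ALERT_COOLDOWN = 300;

function build_event(array $server): array
{
    return [
        'ts'          => gmdate('c'),
        'remote_addr' => $server['REMOTE_ADDR'] ?? '',
        'method'      => $server['REQUEST_METHOD'] ?? '',
        'uri'         => $server['REQUEST_URI'] ?? '',
        // the rewrite appends the original query string, so the payload arrives intact
        'query'       => $server['QUERY_STRING'] ?? '',
        'user_agent'  => $server['HTTP_USER_AGENT'] ?? '',
        'referer'     => $server['HTTP_REFERER'] ?? '',
    ];
}

function append_log(string $file, array $event): bool
{
    // One JSON object per line. json_encode escapes control characters, so a
    // crafted query string cannot inject newlines and forge or split entries.
    $line = json_encode($event, JSON_UNESCAPED_SLASHES);
    if ($line === false) {
        return false;
    }
    return file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function should_alert(string $marker, int $cooldown, int $now): bool
{
    // Cheap rate limit: at most one e-mail per cooldown window, so a scanner
    // firing thousands of requests does not flood the team's inbox.
    $last = is_file($marker) ? (int) file_get_contents($marker) : 0;
    if ($now - $last < $cooldown) {
        return false;
    }
    return file_put_contents($marker, (string) $now, LOCK_EX) !== false;
}

function alert_team(string $to, string $from, array $event): bool
{
    $body = "Possible SQL injection attempt redirected by .htaccess\n\n"
          . json_encode($event, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
    // Header fields contain only fixed text, so request data cannot inject headers.
    return mail($to, 'Honeypot alert: SQL injection attempt', $body, 'From: ' . $from);
}

$event = build_event($_SERVER);
if (!append_log(HONEYPOT_LOG, $event)) {
    error_log('honeypot: could not write to ' . HONEYPOT_LOG);
}
if (should_alert(ALERT_MARKER, ALERT_COOLDOWN, time())) {
    alert_team(ALERT_TO, ALERT_FROM, $event);
}

// Generic response: never reflect the request back to the client.
http_response_code(403);
header('Content-Type: text/plain; charset=utf-8');
echo "Forbidden\n";
```

Because the log is newline-delimited JSON, it can be tailed into a SIEM or parsed with jq; the remote address, URI and raw query string are usually enough for the team to decide whether the hit is a scanner, a real attack or a false positive from a legitimate parameter value that happened to contain one of the keywords.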