Fake Data (Honey Data)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSpgQfNlnj4tXPiAa_q2_DBAvLqRuzxP3yNGFAHPAi_BK1rfXXE1uvxXxIFhvY5nyRTjY3lLg8W8cpnuXSlTZvVDVrP8LF1pf3cQ3ROC0W0BM-alyr2ILda3C6xkSPiKCpq-YwocbEJuA/s1600/honeydata.jpg)
Honey data can help to identify attacks that do not trigger error messages.
Honey data is data (e.g. passwords, credit card numbers, ...) in tables which is never used by the application (fake data). If anyone, from anywhere, accesses this kind of data, an alert is raised.
Create one or more tables containing unused data with juicy names (e.g. PASSWORD, CREDITCARD, SALARY).
Such interesting data is often the target of attackers.
During an attack, attackers often query the view ALL_TAB_COLUMNS (Oracle) or INFORMATION_SCHEMA.COLUMNS (MySQL) to get the column names of interesting data.
In further attacks, they normally download the data of the interesting tables found via the column names.
You can monitor such access and react (send an email, lock the user, ...).
Oracle can implement this monitoring via Virtual Private Database (VPD).
-- The script
-- Create honey table
create table app.userdata (username varchar2(30), password varchar2(30));
-- Fill honey table with data
insert into app.userdata values ('WEBUSER','WEBUSER01');
insert into app.userdata values ('WEBADM','ADMADM01');
insert into app.userdata values ('WEBREAD','READUSER01');
-- Create predicate function (called by VPD whenever the table is queried)
create or replace function perfcheck (pv_schema in varchar2, pv_object in varchar2)
return varchar2 as
begin
  -- Placeholder for the reaction to the access
  dbms_output.put_line('Send email to the security team or lock the database user...');
  -- Always return true, so the attacker will see all results
  return '1=1';
end;
/
-- Now we activate VPD for this table
-- (anonymous block instead of a two-line exec, which SQL*Plus does not accept)
begin
  dbms_rls.add_policy(object_schema => 'APP', object_name => 'USERDATA',
    policy_name => 'PERFCHECK', policy_function => 'PERFCHECK');
end;
/
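The predicate function in the script only prints a message through dbms_output, which is buffered in the querying session and never reaches the security team. The following is an added example, not part of the original post, that records each access to the honey table in a log table instead; the names honey_access_log and honey_alert are hypothetical, and it assumes the function owner has a direct INSERT grant on the log table.

```sql
-- Added example: log table for honey-table hits (hypothetical name)
create table app.honey_access_log (
  accessed_at  timestamp default systimestamp,
  db_user      varchar2(128),
  os_user      varchar2(128),
  client_host  varchar2(256),
  client_ip    varchar2(64),
  module       varchar2(64),
  object_name  varchar2(261)
);

-- Policy function (hypothetical name) that records who touched the honey table
create or replace function honey_alert (pv_schema in varchar2, pv_object in varchar2)
return varchar2 as
  -- The function runs inside the caller's query, so DML is only allowed
  -- in an autonomous transaction, which commits independently of the caller.
  pragma autonomous_transaction;
begin
  insert into app.honey_access_log
    (db_user, os_user, client_host, client_ip, module, object_name)
  values
    (sys_context('USERENV', 'SESSION_USER'),
     sys_context('USERENV', 'OS_USER'),
     sys_context('USERENV', 'HOST'),
     sys_context('USERENV', 'IP_ADDRESS'),
     sys_context('USERENV', 'MODULE'),
     pv_schema || '.' || pv_object);
  commit;
  return '1=1';   -- same predicate as the original script: all rows visible
exception
  when others then
    rollback;
    return '1=1'; -- never fail the query: a policy error would expose the trap
end;
/

begin
  dbms_rls.add_policy(
    object_schema   => 'APP',
    object_name     => 'USERDATA',
    policy_name     => 'HONEY_ALERT',
    policy_function => 'HONEY_ALERT',
    statement_types => 'SELECT',
    policy_type     => dbms_rls.dynamic); -- re-run the function on every query
end;
/
```

SYS and accounts holding the EXEMPT ACCESS POLICY privilege bypass VPD, so their reads of the honey table are not logged. A scheduled job or monitoring agent can poll honey_access_log and send the email or lock the account.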
If Oracle solves it using VPD, how could it be implemented on MySQL? That is a question that needs to be answered.
It can be done using MySQL by:
1- Make a fake table like users_tb or permissions_tb with fields (username, password, ...).
2- When these tables are accessed, a trigger is raised to put some data in another fake table (temp_tb).
3- A small service reads from temp_tb; if any data appears, it will alert the administrator, as this means that there is an attempt to attack.