
Preventing SQL Injections When WAF’s Not Enough - ninegunpi
https://www.cossacklabs.com/blog/sql-firewall-vs-waf-against-sqli.html
======
dullgiulio
Umh, this article is dubious.

1\. If your WAF can be fooled by adding a X-Forwarded-For header, trouble
ahead.

2\. If your security strategy is about mitigating attacks where the payload
matches some regular expressions, trouble ahead. Machine learning? Double
trouble ahead.

3\. If you don't write only completely static queries[1] to then use as
prepared statements or use a proper ORM[2] when using a SQL database, trouble
ahead.

[1]
[https://www.akadia.com/services/dyn_modify_where_clause.html](https://www.akadia.com/services/dyn_modify_where_clause.html)

[2] Like linq, jOOQ...

~~~
ninegunpi
If your security strategy relies on one or two security controls, you're
doomed most of the time.

We've added SQL filtering as a defense-in-depth measure, having a convenient
seat in the architecture, complementing every other mitigation measure proper
application developers and DBAs should be doing (and frequently get wrong).

Even ORMs get bypassed once in a while:

\-
[https://github.com/mysqljs/mysql/issues/342](https://github.com/mysqljs/mysql/issues/342)
\-
[https://github.com/sequelize/sequelize/issues/5671](https://github.com/sequelize/sequelize/issues/5671)
\- (okay, we can avoid this one by saying nothing "nothing proper exists in
NodeJS world) [https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-
all...](https://bertwagner.com/2018/03/06/2-5-ways-your-orm-will-allow-sql-
injection/)

Dumb concatenation can nullify the merit of quite advanced ORM: copybook
example of misusing Ruby's ActiveRecord (is that proper enough) got as far as
OWASP testing guide:
[https://www.owasp.org/index.php/Testing_for_ORM_Injection_(O...](https://www.owasp.org/index.php/Testing_for_ORM_Injection_\(OTG-
INPVAL-007\))

Prepared statements are cooked wrong as well, but rarely, that's why they are
viable line of defense, but not the sole one (as nothing should be):

[https://www.reddit.com/r/netsec/comments/ww9qm/sqli_bypassin...](https://www.reddit.com/r/netsec/comments/ww9qm/sqli_bypassing_prepared_statements/)
[https://stackoverflow.com/questions/134099/are-pdo-
prepared-...](https://stackoverflow.com/questions/134099/are-pdo-prepared-
statements-sufficient-to-prevent-sql-injection)

(in fact, I've seen with my eyes exactly what first comment in reddit
postmentions).

------
all_blue_chucks
WAF's are never good enough. They're a weak band-aid used by companies who
lack the expertise to find and fix security bugs in their own code.

~~~
Lt_Riza_Hawkeye
This is the correct answer. Unfortunately PCI dictates that you can use WAFs
instead of real coding standards and testing.

For anyone curious why WAFs are so useless, there is a very beginner-
accessible talk by Joe McCray here:
[https://www.youtube.com/watch?v=qBVThFwdYTc](https://www.youtube.com/watch?v=qBVThFwdYTc)

~~~
wil421
The company I work at has many PCI compliant systems. I asked a security
officer why they were still doing certain things the old way. He explained
they very well know it’s the old way but in order to be compliant they must do
it.

~~~
henvic
I'm curious by what do you mean 'old way' for the very reason exposed above.

Would you mind to give some examples?

~~~
wil421
A simple example would be changing passwords every 90 days. It’s been proven
users will choose less secure passwords.

Here is an article from the FTC and one about NIST guidelines.

[https://www.ftc.gov/news-
events/blogs/techftc/2016/03/time-r...](https://www.ftc.gov/news-
events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes)

[https://qz.com/981941/the-us-standards-office-wants-to-do-
aw...](https://qz.com/981941/the-us-standards-office-wants-to-do-away-with-
periodic-password-changes/)

------
ris
This is an advertisement.

------
moutix
That's why we now have RASP. It's better than SQL proxy and WAF, because you
have both the SQL query and the HTTP parameters and you can correlate them to
be super accurate

~~~
ninegunpi
Isn't RASP just slapping the WAF-like signature detection into your
application data streams directly? How would RASP prevent:

1\. Insiders having access to database front?

2\. Same SQL bypass techniques as employed to bypass WAFs?

3\. Mitigate developer errors in query logic which enable custom injections?

