Setting up a SQL injection honeypot - sql-injection

I just stumbled on a website vulnerable to an SQL injection attack by mistake ( Is this site vulnerable to an SQL injection attack? ).
That made me curious about what is tried and how often an attack attempt comes by on some website.
So I'm thinking it would be cool to setup a honeypot on my server to see if / how often / using what techniques 'crackers' try to get access to my SQL data.
There are some basic things I can think of to lure them, like:
/login.php / asp url
/adminlogin.php / asp url
A searchform
?id=111 url
with some fake SQL errors when trying to inject some SQL.
Anybody has some more / better suggestion / ideas / whatever to set up a honeypot for SQL injection?

See this article if you want to setup a honey pot, it's got sample data that's injectable.
http://www.webappsec.org/projects/articles/091007.shtml
You can download the installation files here: http://www.webappsec.org/projects/articles/091007.zip

Use an example page that has known vulnerabilities to build your mock up. Most of the drive by injectors and their tools are going to have strings to test for that they know will work on subsets of the vulnerable application space.
For instance:
CVE-2011-1546 details one such vuln on something an attacker is likely to find on google. The CVE repos is full of reports such as that, so you've got plenty of pages to build from as examples.
Once you're done getting your honeypot setup, index it on google. Keep it isolated from anything else, and you've got a rudimentary sql injection honeypot.

Related

Blazor WebAssembly EF Core row-level security - pass claims client to server

I'm driving myself mad with this and hoping a better method exists.
The scenario is this: I have written a Blazor Web Assembly application with server hosting. The application needs to implement row-level security (using EF Core) but I need some access permission to be looked up in another database via an API (external supplier so have no control) to be used in the security.
Ideally I'd love the permissions to be managed in AAD but that isn't supported in the external application and is too much overhead to manage manually.
On the client side I use a custom AccountClaimsPrincipalFactory to lookup the correct permissions and create the user claims.
What I'm struggling with is to then to manage this server side, I've looked into using IClaimsTransformation to lookup the claims again but this produces too much overhead as it is called on every request.
I've (not imagining it would work) tried adding claims client side, adding a new identity client side and accessing on the server. All I've really got left I can think of is using the AuthorizationMessageHandler to encrypt values and pass to the server that way as a token, it works as a work around but probably not the best method.
Is there a way to somehow lookup the database values and maintain them within the identity/token so they can just be passed around?
If this is a stupid question, feel free to give me a slap, I've just exhausted my google search terms for it.
Thanks

How can protect PostgREST from sql injection and other security issues?

I want to use PostgREST. It looks save my time a lot. I am worried about the security issues. If anybody has ideas for this, it will be so helpful for me.
You don't need to protect PostgREST from sql injection since it sanitises all user input.
We also ran an automated sql injection detection tool against postgrest and it did not detect anything.
If you still feel uneasy, you can use a WAF solution like https://github.com/p0pr0ck5/lua-resty-waf

connecting to crystal server database

I tried to google this but I failed.
Is there a way (I know it is, found this link but with insufficient details) to connect to crystal server's database?
We are runnig many reports daily which sometimes fail, sometimes don't run at all, we accept this as a part of server imperfection. The issue is, that checking each reports instance through CMC is very inconvenient and time consuming. If I could check it directly in some other way it would be much easier to manage.
The server version is 12.0
While the CMS repository is a plain database, querying it directly (using SQL) is discouraged, unsupported and generally a bad idea.
If you want to query the repository, you have several other options:
Use the built-in Query Builder web application (a web application called AdminTools, normally deployed on your application server). This offers a SQL-like interface for querying the repository, though a lot of SQL features are not available (e.g. table joins). Official documentation is also generally lacking for Query Builder, but if you're interested, there's a very good guide available here.
Use the Java or .NET SDK to query the repository. SDK documentation is available on SAP SCN. This is the most powerful option, but also requires you to do everything yourself. And it will take some time to become familiar with all the different classes and how they relate to the BI Platform.
Use a 3rd-party tool. Different solutions exist, with different feature sets, although it seems that most stopped working when BI4 came out, and the ones that exist usually require a server component as well.
Additional information:
How to browse CMS repository (SAP Wiki)
Query Builder in BO – Browse / Query BO Repository
BusinessObjects Query builder - Basics
Using Query Builder to Explore Your BusinessObjects Repository
You could also more-or-less automate the querying of the repository (although it's very basic) by following the instructions outlined in this blog post.

What is the best way to connect an iphone app to a mysql database?

I want the way with the fastest execution time. I'm not feeling comfortable of using web service because i need to create separate php pages and retrieve data as xml. If you think its good to use web service please tell me why. I want to code my database queries right on my c/objective c pages.
I've been searching for libraries. I saw this sequel pro - won't i have any problems on using this - like licensing issues? I also saw this libmysqlclient of cocoa but some say its not working well. I've also read about a library developed by Karl Kraft found here http://www.karlkraft.com/index.php/2010/06/02/mysql-and-objective-c/ but don't know if i could trust this.
I would really appreciate you help.
Definitely build a web service to act as an abstraction layer to your database. Here are some significant reasons in my opinion:
Since you want speed, you will be able to add caching when using the webservice, so you will essentially eliminate the need for identical queries to run (sometimes).
If you need to change your data model later, you just have to modify the webservice backend and don't have to update your app.
You can better control security by not exposing the database to the world, and keep it safe behind the web service.
Your database credentials should not be stored in an app. What if you needed to change those?
I strongly suggest a web service. Hope this helps.
Connect to your DB by PHP and output the result as JSON
is much better and faster then xml and less coding if use JSON Framework.
and never never try to connect to your DB from your iphone because it easy to sniff out the request from iphone.
Being safe then Sorry, keep that in mind

Which Framework or CMS for Google-Video like site?

I am working on a Web Project similar to Google-Video.
As for now, I want to start coding the site.
I know some PHP, HTML and MySQL.
I already have:
Database built and ready (in MySQL)
Links and Tags in the Database
The thing is, I don't want to code everything from hand.
As I've seen so far, with CMS it's not possible to use my own database. Or am I wrong?
And what Framework would you suggest me?
Looking forward for your advice!
Thanks
You should probably start over, but use your existing DB design as your logical schema to be implemented in the CMS you eventually choose.
Go to http://cmsmatrix.org/ and compare Drupal, Joomla!, eZ Publish and TYPO3 for the best fit for your requirements.
Also, pay attention to the search engine features available with each one. e.g. eZ Publish eZ Find is based on Lucene.
In terms of functionality ( but excluding add management and your specific layout or graphic-design) you should be able to create a reasonable clone within a few hours using eZ. Here is one example http://untoldstories.eu/ezinfo/about