SQLi DB Dump

SQLi Database Dump Prevention

Prevention of SQL injection database dumps using an IPS/WAF: signatures of last resort that fire when planted fake DB entries (honeytokens) show up in traffic.


Idea

Plant fake entries in your database. Those entries should be very long and distinctive, so they never occur in normal use. The WAF reacts when one of them appears (they show up as soon as a dump reaches them) and blocks all connections from that client for some time. If the IP is not banned, the attacker can simply skip those rows and dump every table except our fake entries.
Keep multiple entries in all critical tables: at the beginning, at the end, and some in the middle, so the dump is blocked as early as possible. See screenshots.
You can create fake DB users, tables, table entries, databases, etc. Depending on where you place the probe you will get different results.



ModSecurity Rules


# Each rule is one Apache directive split over two lines, so the first line
# must end with a backslash. phase:4 inspects RESPONSE_BODY, which requires
# SecResponseBodyAccess On, and the ip collection must be initialised by an
# earlier rule (initcol:ip=%{REMOTE_ADDR}); "block" uses the disruptive
# action from SecDefaultAction (deny with 403 in the log below).

# web users
SecRule ARGS|RESPONSE_BODY "TESTUSER_TESTSUPERADMIN_IPS_PROFILE_DETECT_NOTENABLED_123321123" \
    "id:1000003,block,phase:4,msg:'DB Dump',setvar:ip.ban=+1,expirevar:ip.ban=60"


# fake table
SecRule ARGS|RESPONSE_BODY "TABLE_TEST_TEST_TEST_TEST_TABLE_IPS_123_321_IPS_TEST" \
    "id:1000002,block,phase:4,msg:'DB Dump',setvar:ip.ban=+1,expirevar:ip.ban=60"


# fake user
SecRule ARGS|RESPONSE_BODY "FAKE_USER_TEST_TEST_TEST_IPS_TEST_123_321_FAKE" \
    "id:1000001,block,phase:4,msg:'DB Dump',setvar:ip.ban=+1,expirevar:ip.ban=60"


# 60 seconds ban: while ip.ban exists (expirevar removes it after 60 s),
# every further request from that client is blocked in phase 2, before it
# reaches the application
SecRule ip:ban "@gt 0" "id:1000000,phase:2,block,msg:'IP BAN'"
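To make the interaction of the three phase-4 honeytoken rules with the phase-2 ban rule concrete, here is an added Python model of that logic (example code written for this page, not ModSecurity itself and not part of the downloadable rules). It assumes the ip collection is already initialised and that the attacker extracts rows one response at a time; the clock is injectable so the 60-second expiry can be exercised offline.

```python
import time

# Honeytoken markers planted in the database. Values and rule ids are the
# page's three ModSecurity signatures.
HONEYTOKENS = {
    1000003: "TESTUSER_TESTSUPERADMIN_IPS_PROFILE_DETECT_NOTENABLED_123321123",
    1000002: "TABLE_TEST_TEST_TEST_TEST_TABLE_IPS_123_321_IPS_TEST",
    1000001: "FAKE_USER_TEST_TEST_TEST_IPS_TEST_123_321_FAKE",
}
BAN_SECONDS = 60  # expirevar:ip.ban=60


class HoneytokenWaf:
    """Models the ruleset: rule 1000000 (phase 2) denies a banned client before
    the request reaches the application; rules 1000001-3 (phase 4) scan ARGS and
    RESPONSE_BODY for a honeytoken and set ip.ban with a 60 s expiry."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock       # injectable clock (assumption, for testing)
        self.ban_until = {}      # client ip -> expiry time of ip.ban

    def is_banned(self, ip):
        expiry = self.ban_until.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:   # expirevar has removed ip.ban
            del self.ban_until[ip]
            return False
        return True

    def inspect(self, ip, args, response_body):
        """Return ('blocked', rule_id) for a 403, or ('allowed', None)."""
        if self.is_banned(ip):               # rule 1000000, phase 2
            return "blocked", 1000000
        for rule_id, token in HONEYTOKENS.items():
            if token in args or token in response_body:   # phase 4 match
                self.ban_until[ip] = self.clock() + BAN_SECONDS  # setvar + expirevar
                return "blocked", rule_id    # response body never reaches the client
        return "allowed", None


def simulate_dump(waf, ip, rows):
    """Feed a constructed row-by-row extraction through the WAF and return
    the rows the client actually received."""
    leaked = []
    for row in rows:
        action, _ = waf.inspect(ip, args="id=1", response_body=row)
        if action == "allowed":
            leaked.append(row)
    return leaked
```

The row holding the honeytoken is itself withheld (the phase-4 rule intercepts the response), and every later row from that client is refused until the ban expires, which is why the fake entries should sit as early in each table as possible.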

Results

Table "web_user": (screenshot)

Interrupted dump: (screenshot)

Log:

--297b6153-H--
Message: Access denied with code 403 (phase 4). Pattern match "TESTUSER_TESTSUPERADMIN_IPS_PROFILE_DETECT_NOTENABLED_123321123" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_custom_20_db_dump.conf"] [line "16"] [id "1000003"] [msg "DB Dump"]
Action: Intercepted (phase 4)
Apache-Handler: application/x-httpd-php
Stopwatch: 1417971193180378 85899 (- - -)
Stopwatch2: 1417971193180378 85899; combined=2198, p1=1331, p2=96, p3=46, p4=124, p5=314, sr=443, sw=287, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"



Download

Download the PHP page, database and rules here.