Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Use PPI to Find SQL Injection Attacks

by Ovid (Cardinal)
on Aug 14, 2007 at 15:15 UTC ( #632518=CUFP: print w/replies, xml ) Need Help??

This is a quick and dirty PPI hack I threw together, but it attempts to spider through your codebase and look for SQL injection attacks. It returns some false positives, but that's better than false negatives. It could use some work, particularly since identifying something as SQL is difficult.

#!/usr/local/bin/perl use strict; use warnings; use File::Find::Rule; use PPI; my $extensions = join '|' => qw(pm pl cgi); my @files = File::Find::Rule->file->name(qr/\.(?:$extensions)$/)->in(' +.'); $| = 1; my $files = @files; my $count = 1; my $bad_files = 0; my $total_attacks = 0; foreach my $file (@files) { warn "Processing ($file) $count out of $files\n"; $count++; my $quotes = extract_quotes($file); my $injections = find_injections($quotes); if (@$injections) { $bad_files++; $total_attacks += @$injections; my $possibles = join "\n--\n\t" => @$injections; print "\nFile $file might have injection attacks:\n\n\t$possib +les\n"; } } print <<"END_SUMMARY"; Summary ------- Out of $files files analyzed: $bad_files file(s) might have SQL injection attacks. $total_attacks attack(s) may have been present. END_SUMMARY sub find_injections { my $quotes = shift; my @injections; foreach my $quote (@$quotes) { next unless $quote =~ /^\s*(?:select|insert|update|delete)/i; if ( $quote =~ /=\s*'?[\$\@]/ ) { # won't catch interpolated field names push @injections => $quote; } } return \@injections; } sub extract_quotes { my $file = shift; my $doc = PPI::Document->new( $file, readonly => 1 ); unless ($doc) { warn "Could not create a document for ($file). Skipping"; return []; } return [ map { $_->can('string') ? $_->string : $_->heredoc } @{ $doc->find('Token::Quote') || [] }, @{ $doc->find('Token::HereDoc') || [] } ]; } sub slurp { my $file = shift; open my $fh, '<', $file or die "Cannot open ($file) for reading: $ +!"; local $/; my $contents = <$fh>; return $contents; }


New address of my CGI Course.

Replies are listed 'Best First'.
Re: Use PPI to Find SQL Injection Attacks
by jZed (Prior) on Aug 14, 2007 at 18:14 UTC
    Unless I'm misreading, some of the more serious false negatives include:
    $dbh->do(qq{ /* comment */ INSERT INTO foo VALUES('$bad_stuff') }); $dbh->do(qq{ INSERT INTO foo VALUES($bad_stuff) }); $dbh->do( sprintf( "INSERT INTO foo VALUES(%s)", $bad_stuff ));
    A better approach might be to find all the prepare() and do() statements and run them through a safe DBI subclass that does the prepare and evaluates what it prepared.

      Excellent points on the SQL. I like the DBI subclass idea. Can you point me to some examples? I've never tried to do anything like that before.


      New address of my CGI Course.

        A minimal DBI subclass can be found here: Interpolate binds into SQL on error - DBI subclassing (possibly not the best example but since I wrote it I knew where to find it :-)). Basically you'd need to redefine execute() to do nothing, and redefine prepare() (in MyDBI::db) to do your injection checking.
Re: Use PPI to Find SQL Injection Attacks
by tinita (Parson) on Aug 15, 2007 at 07:51 UTC
    and how about TaintIn in DBI? this should also find possible security holes.
    DBI->connect($dsn, $user, $pass, { TaintIn => 1 });

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: CUFP [id://632518]
Approved by McDarren
Front-paged by Corion
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (2)
As of 2021-12-08 23:16 GMT
Find Nodes?
    Voting Booth?
    R or B?

    Results (36 votes). Check out past polls.