Thursday 29 October 2015

How to detect SQL Injection at SQL Server level (via SQL Errors)

Question: how to detect SQL injection on a high-volume SQL Server just by looking at SQL query errors?

I know some guys (like ETSY) are doing this, but when I was talking with some MS SQL Server DBAs today, they couldn't find an easy way to do it at the SQL server.

The logic is that there should be no SQL compilation errors on a production SQL Server, so any error that does occur must be one of:
  1. a nasty bug
  2. an SQL Injection being triggered by accident
  3. an SQL Injection attack

Since it is really hard for an attacker to perform an SQL Injection without triggering an SQL error at least ONCE, monitoring for SQL errors is a great way to proactively detect attacks (which is what Dan and Zane talk about in this video: https://www.youtube.com/watch?v=jQblKuMuS0Y).

Ideally this should be detected at the SQL Server level, since that makes sure that all possible scenarios are covered (every client, every code path). The alternatives are to detect it via AppDynamics, in the server logs, or in the Java code (which would require code changes).
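One way to do this capture at the SQL Server level is an Extended Events session on the `error_reported` event. The T-SQL below is an added example, not from the post or from Etsy's tooling; the session name, the file path and the particular error numbers watched are assumptions to tune for your own server.

```sql
-- Added example, not from the post: an Extended Events session that captures
-- the errors SQL Server raises when a query fails to compile or convert, with the
-- statement and caller attached, plus a review query over the captured file.
-- Assumes SQL Server 2012 or later and a writable folder D:\xe\ (adjust the path).
CREATE EVENT SESSION [sqli_error_watch] ON SERVER
ADD EVENT sqlserver.error_reported
(
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.database_name, sqlserver.sql_text, sqlserver.username)
    WHERE error_number = 102   -- Incorrect syntax near '...'
       OR error_number = 105   -- Unclosed quotation mark after the character string
       OR error_number = 156   -- Incorrect syntax near the keyword '...'
       OR error_number = 207   -- Invalid column name
       OR error_number = 208   -- Invalid object name
       OR error_number = 241   -- Conversion failed when converting date and/or time
       OR error_number = 245   -- Conversion failed when converting the varchar value
)
ADD TARGET package0.event_file
(
    SET filename = N'D:\xe\sqli_error_watch.xel', max_file_size = 50, max_rollover_files = 10
)
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [sqli_error_watch] ON SERVER STATE = START;
GO

-- Review query: each captured error in the last hour with the offending statement.
-- A bug tends to raise the same error from the same statement text repeatedly; an
-- injection attempt shows varying statement text from one application/host, so
-- grouping the output on app_name and host_name separates the two cases.
;WITH ev AS
(
    SELECT CAST(event_data AS xml) AS x
    FROM sys.fn_xe_file_target_read_file(N'D:\xe\sqli_error_watch*.xel', NULL, NULL, NULL)
)
SELECT
    x.value('(event/@timestamp)[1]', 'datetime2')                                AS event_time_utc,
    x.value('(event/data[@name="error_number"]/value)[1]', 'int')                AS error_number,
    x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)') AS app_name,
    x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(256)') AS host_name,
    x.value('(event/action[@name="username"]/value)[1]', 'nvarchar(256)')        AS login_name,
    x.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')        AS sql_text
FROM ev
WHERE x.value('(event/@timestamp)[1]', 'datetime2') > DATEADD(hour, -1, SYSUTCDATETIME())
ORDER BY event_time_utc DESC;
```

Because the predicate is evaluated inside the engine before anything is written, non-matching errors are discarded at almost no cost, which is what makes this workable on a high-volume server.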

Dinis