Browse Prior Art Database

Mitigation of SQL Injection on RBDMS environments by using random data and lazy retrieval

IP.com Disclosure Number: IPCOM000245144D
Publication Date: 2016-Feb-12
Document File: 2 page(s) / 70K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a system and method to mitigate SQL injection attacks on RDBMS environments. The system is integrated in the RDBMS environment and the method diverts the attacker actions to a virtual table that performs slow return of random generated data according to the specifications of the query.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.

Page 01 of 2

Mitigation of SQL Injection on RBDMS environments by using random data and lazy retrieval

SQL Injection attacks (SQLI) is a problem that most databases needs to face. By using SQLI, hackers can steal information of users, credit card numbers, passwords etc...

    The solution disclosed mitigates the impact of these attacks on databases by using two concepts in an new way: random data retrieval and lazy data retrieval.

    The method contains two parameters in order to control the mitigation system. The first parameter is call "sqli_mitigation_delay", that stands for the number of miliseconds between record retrieval. The second parameter is call "sqli_mitigation_time" that is the maximum amount of time during which records are returned. A third parameter "sqli_mitigation" is implemented as a binary (boolean) value to control the activation and deactivation of the system. The parameters sqli_mitigation_delay and sqli_mitigation_time have positive values, such as sqli_mitigation_delay = 1000 and sqli_mitigation_time = 18000. Both of them in milliseconds. And the parameter sqli_mitigation (on/off) to enable or disable the solution disclosed. The method needs to have the three parameters setup.

    The method relies on an external detection system able to detect SQL injected statements, this system is out of scope of disclosed solution. There are currently in the market NIDS systems that can be used for the purposes of flagging

which SQL sentences are injected.

    The advantage of...