I am planning to use Log Parser to scan one of my clients' servers daily for any signs of SQL injection or other injections. What kind of signs would you look for? So far I have come up with the single quote ' or brackets used in the cs-uri-query. Have I missed out on any?
I am not talking about a forum; it's an application one of my clients has made himself. However, it is quite large and certain parts of the site are not handling user input safely, so I thought if I can pre-emptively monitor the logs then I can watch for signs of SQL injections.
Depending on how the application works, the logs may not tell you a lot. If the app uses parameters passed via GET, your access logs will show the attempts. If you use POST, you may not see much of anything. Your client should make an effort to fix his application.
If you're using Apache, look into mod_security, which offers an extensive set of logging and filtering features.
In the general case you could use scanners such as Nikto and Nessus to do proactive scanning: http://www.cirt.net/code/nikto.shtml http://www.nessus.org/
Thanks for all the info. I have used Nessus before; however, Nessus does not help much with web application detection unless I missed something. At the moment the site is on an IIS 6 server. I am using Log Parser to scan for certain characters in the GET requests. I know I can't do much for POST unless I implement an IDS or something.
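An added example, not the asker's Log Parser query, of the kind of daily scan described above: it parses constructed IIS W3C log lines (the #Fields layout is assumed), URL-decodes cs-uri-query, and flags the indicators named in this thread (single quote, brackets, ' OR 1=1; --) plus a few common SQL keywords.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of IIS 6 W3C extended log lines (not from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-05-01 10:00:01 10.0.0.5 GET /products.asp id=12 192.0.2.10 200
2008-05-01 10:00:07 10.0.0.5 GET /products.asp id=12%27 192.0.2.10 500
2008-05-01 10:00:09 10.0.0.5 GET /products.asp id=12%27+OR+1%3D1%3B+-- 192.0.2.10 200
2008-05-01 10:00:15 10.0.0.5 GET /search.asp q=O%27Brien 192.0.2.20 200
2008-05-01 10:00:20 10.0.0.5 GET /default.asp - 192.0.2.30 200
"""

# Indicators: the quote and brackets from the question, the tautology and
# comment marker from the thread, and a few SQL keywords that rarely
# belong in a legitimate query string.
INDICATORS = [
    ("single quote", re.compile(r"'")),
    ("brackets", re.compile(r"[()]")),
    ("sql comment", re.compile(r"--|/\*")),
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),
    ("sql keyword", re.compile(r"\b(union|select|insert|update|delete|drop|exec)\b", re.I)),
]

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def scan(text):
    """Return (timestamp, client ip, decoded query, indicator names) per suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":          # IIS writes "-" when there is no query string
            continue
        decoded = unquote_plus(query)   # decode %27, %3D, + before matching
        names = [name for name, rx in INDICATORS if rx.search(decoded)]
        if names:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], decoded, names))
    return hits

if __name__ == "__main__":
    for ts, ip, query, names in scan(SAMPLE_LOG):
        print(ts, ip, query, ", ".join(names))
```

Note that the "q=O'Brien" line is flagged on the single quote alone, so a bare quote is a noisy indicator on its own; a request that also matches the tautology or comment pattern, or a quote followed by a 500 status, is a much stronger sign.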
Just search for BackTrack 2.0 in Google. It's good for penetration testing. I can't post links for now. Sorry.
You can modify your Apache logs to log the POST string as well as the GET string. You should be aware that this will log all POST variables, including passwords, in clear text. Format spec in the Apache Docs.

Since IP addresses are apparently "personally identifiable information" these days, you should probably be treating your access logs as if they had passwords in them anyway.

I would probably try looking at SQL logs instead of Apache logs. When people are feeling their way through a vulnerable form looking for SQL injections they will often add things like

    ' OR 1=1; --

which will return every row in the table. This is likely to take a long time to return and may well end up in your MySQL slow logs. It's good practice to look through your MySQL slow logs anyway.

Another thing you could do would be to turn on binary logging in MySQL and use mysqlbinlog to examine them. This will cause every SQL query to be written to disk, which will have an impact on the performance of your server; however, it will likely be a very small impact. Once you have binary logging enabled, write a script that greps out all the normal queries that your client's application makes and run it over the binary logs each day. If you see a query that doesn't match the regular expressions you have defined as "normal" then either your client has written a new SQL query or someone else has access to your database.
An alternative to mod_security may be Snort. I am no Snort pro, but as far as I understand Snort, it's real-time filtering with the option to ground or log access containing certain (wrong) strings as used by hackers. As listed below by others before, this would require you to know which strings are to be considered "normal" to create your filter for all "other" strings. Snort is thus there to PREVENT hacks/injections when used beyond its logging features.