[OpenSIPS-Users] Help dropping SQL injection attacks

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Dec 5 09:33:24 UTC 2023


Hi Gregory,

As it is said, there is no single way to skin the cat :). Your approach 
is a valid one, by using the escaping transformation. Maybe you should 
check the s.escape.user [1].

Such checks make sense when using avp_db_query(), i.e. raw queries. The 
internal queries (like auth, etc.) are done via prepared statements, so 
they are safe against injections.

[1] https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
   https://www.siphub.com

On 30.11.2023 02:34, Gregory Massel via Users wrote:
>
> Hi all
>
> I'm wondering what the best practice is in terms of detection and 
> dropping attempted SQL injection attacks?
>
> Is something like the following adequate or can this be enhanced:
>
> if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
> 	drop();
> }
>
> Obviously this does not remove the need to escape anything passed to 
> avp_db_query(), however, what I want to do is identify these sorts of 
> attacks at the top of the script and avoid processing.
>
> To date all the attacks I've seen focus on the contact and from user, 
> e.g.:
> INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
> Contact: <sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>
> To: <sip:00111390237920793@x.x.x.x;transport=UDP>
> From: <sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb
> I'm not quite sure how to match the Contact user. Would the following 
> work?
> if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
> 	drop();
> }
> -- 
> Regards
> *Gregory Massel*
>
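The script-level pre-check Gregory describes (drop when the user part differs from its escaped form) together with Bogdan's point that prepared statements are the real protection, as an added Python example that is not part of this thread or of OpenSIPS. The escape_common() emulation of {s.escape.common}, the header parsing, the sqlite3 subscriber table and the sample INVITE are constructed assumptions.

```python
import re
import sqlite3

# Characters that OpenSIPS's {s.escape.common} backslash-escapes; this mapping is an
# assumption taken from the transformation docs, mirrored here so the check runs offline.
_ESCAPE_COMMON = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
_HEADERS = {"from", "to", "contact"}            # headers the post reports attacks in
_URI_USER = re.compile(r"<?sips?:([^@>;]+)@")   # user part of a SIP/SIPS URI

def escape_common(s: str) -> str:
    """Emulate {s.escape.common}: prefix ' " \\ and NUL with a backslash."""
    return "".join(_ESCAPE_COMMON.get(c, c) for c in s)

def sip_uri_users(msg: str):
    """Yield (header, user) for each From/To/Contact header of a raw SIP message."""
    for line in msg.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in _HEADERS:
            m = _URI_USER.search(value)
            if m:
                yield name.strip(), m.group(1)

def suspicious_users(msg: str):
    """The script-level pre-check: users that {s.escape.common} would alter."""
    return [(h, u) for h, u in sip_uri_users(msg) if escape_common(u) != u]

def lookup_subscriber(conn: sqlite3.Connection, user: str):
    """Parameterised query: the user part is bound, never spliced into the SQL text."""
    return conn.execute("SELECT id FROM subscriber WHERE username = ?", (user,)).fetchall()

def demo_lookup(user: str):
    """Throwaway in-memory subscriber table (constructed) to exercise lookup_subscriber."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO subscriber VALUES (1, 'alice')")
    return lookup_subscriber(conn, user)

# Constructed INVITE modelled on the one quoted in the thread (documentation address used)
SAMPLE_INVITE = (
    "INVITE sip:00111390237920793@192.0.2.10:5060;transport=UDP SIP/2.0\r\n"
    "Contact: <sip:a'or'3=3--@192.0.2.10:5060;transport=UDP>\r\n"
    "To: <sip:00111390237920793@192.0.2.10;transport=UDP>\r\n"
    "From: <sip:a'or'3=3--@192.0.2.10;transport=UDP>;tag=v2pjtxqb\r\n\r\n"
)

if __name__ == "__main__":
    for header, user in suspicious_users(SAMPLE_INVITE):
        print(f"drop: {header} user {user!r} would escape to {escape_common(user)!r}")
    print(demo_lookup("alice"), demo_lookup("a'or'3=3--"))
```

The pre-check only flags the characters {s.escape.common} touches, so it is a cheap early filter, not a substitute for binding parameters (or escaping) in every avp_db_query() call.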