[OpenSIPS-Users] Help dropping SQL injection attacks

Bogdan-Andrei Iancu bogdan at opensips.org
Wed Dec 6 14:19:32 UTC 2023 

Hi Gregory,

For the grammar of the SIP username, see the 
https://www.ietf.org/rfc/rfc3261.html, page 221 - you have all the 
details there.

For the contact test, yes, it should be correct.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
   https://www.siphub.com

On 05.12.2023 14:45, Gregory Massel wrote:
>
> Thank you Bogdan!
>
> It's worth noting that, if using {s.escape.user}, it won't detect a 
> SQL injection, however, it may detect other potentially problematic 
> characters, so one then has to apply both checks individually, e.g.
>
> if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
> 	xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
> 	send_reply (403,"Forbidden");
> 	exit;
> }
> if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
> 	xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
> 	send_reply (403,"Forbidden");
> 	exit;
> }
>
> So above doesn't block UTF-8; it just enforces that it must be 
> received from the client in fully escaped form.
>
> I'm gathering that UTF-8 is actually acceptable for the user part (and 
> most other parts) of the URI, provided that it's encoded with '%'? I 
> work with purely ASCII user parts however, out of interest, was 
> wondering if it is allowable and/or commonplace to use Unicode 
> extended character sets for any portions of the URI in parts of the 
> world where other character sets are more frequently used? From what I 
> could find, it seems that UTF16 is not allowed in the User Part and 
> that the domain would be internationalised using Punycode, so the full 
> URI should always be encoded in ASCII but with UTF-8 (but not UTF-16) 
> permitted in %-encoded form for the user part?
>
> With respect to the Contact header, I'm struggling a bit. Is the 
> syntax below correct?
>
> if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
> 	send_reply (403,"Forbidden");
> 	exit;
> }
> -- 
> Thanks
> *Gregory Massel*
>
> On 2023-12-05 11:33, Bogdan-Andrei Iancu wrote:
>> Hi Gregory,
>>
>> As it is said, there is no single way to skin the cat :). Your 
>> approach is a valid one, by using the escaping transformation. Maybe 
>> you should check the s.escape.user [1].
>>
>> Such checks make sense when using avp_db_query(), so raw queries. The 
>> internal queries (like auth, etc) are done via prepared statements, 
>> so safe to injections.
>>
>> [1] https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user
>>
>> Regards,
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>    https://www.opensips-solutions.com
>>    https://www.siphub.com
>> On 30.11.2023 02:34, Gregory Massel via Users wrote:
>>>
>>> Hi all
>>>
>>> I'm wondering what the best practice is in terms of detection and 
>>> dropping attempted SQL injection attacks?
>>>
>>> Is something like the following adequate or can this be enhanced:
>>>
>>> if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
>>> 	drop();
>>> }
>>>
>>> Obviously this does not remove the need to escape anything passed to 
>>> avp_db_query(), however, what I want to do is identify these sorts 
>>> of attacks at the top of the script and avoid processing.
>>>
>>> To date all the attacks I've seen focus on the contact and from 
>>> user, e.g.:
>>> INVITEsip:00111390237920793 at x.x.x.x:5060;transport=UDP  SIP/2.0
>>> Contact:<sip:a'or'3=3-- at x.x.x.x:5060;transport=UDP>
>>> To:<sip:00111390237920793 at x.x.x.x;transport=UDP>
>>> From:<sip:a'or'3=3-- at x.x.x.x;transport=UDP>;tag=v2pjtxqb
>>> I'm not quite sure how to match the Contact user. Would the 
>>> following work?
>>> if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
>>> 	drop();
>>> }
>>> -- 
>>> Regards
>>> *Gregory Massel*
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20231206/b6df45c0/attachment.html>

More information about the Users mailing list