[OpenSIPS-Users] Help dropping SQL injection attacks
Gregory Massel
greg at switchtel.co.za
Thu Nov 30 00:34:59 UTC 2023

Hi all

I'm wondering what the best practice is in terms of detection and 
dropping attempted SQL injection attacks?

Is something like the following adequate or can this be enhanced:

    if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
        drop();
    }

Obviously this does not remove the need to escape anything passed to 
avp_db_query(), however, what I want to do is identify these sorts of 
attacks at the top of the script and avoid processing.

To date all the attacks I've seen focus on the contact and from user, e.g.:

    INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
    Contact: <sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>
    To: <sip:00111390237920793@x.x.x.x;transport=UDP>
    From: <sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb

I'm not quite sure how to match the Contact user. Would the following work?

    if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
        drop();
    }

-- 
Regards
*Gregory Massel*
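
Added example (not part of the original post and not OpenSIPS code): a Python stand-in for the comparison described above, run offline over a captured message to see which From, To and Contact user parts would trip the check. It assumes s.escape.common backslash-escapes ', ", \ and NUL; the names escape_common, suspicious_users and SAMPLE are hypothetical, and header folding and percent-encoded characters are not handled.

```python
import re

# Characters assumed to be backslash-escaped by {s.escape.common}
# (', ", \ and NUL); this table is an assumption, not OpenSIPS source.
ESCAPED = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}

def escape_common(value: str) -> str:
    """Python stand-in for the {s.escape.common} transformation."""
    return "".join(ESCAPED.get(ch, ch) for ch in value)

# User part of a sip:/sips: URI: everything between the scheme and '@'.
# A URI with no user part (sip:host) has no '@' and is skipped.
URI_USER = re.compile(r"sips?:([^@<>\s]*)@", re.IGNORECASE)
CHECKED = {"from": "From", "f": "From", "to": "To", "t": "To",
           "contact": "Contact", "m": "Contact"}   # long and compact names

SAMPLE = (  # constructed from the message in the post, with '@' restored
    "INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0\r\n"
    "Contact: <sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>\r\n"
    "To: <sip:00111390237920793@x.x.x.x;transport=UDP>\r\n"
    "From: <sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb\r\n\r\n"
)

def suspicious_users(raw: str) -> list[tuple[str, str]]:
    """Return (header, user) pairs whose user part changes when escaped."""
    hits = []
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        header = CHECKED.get(name.strip().lower())
        if not sep or header is None:
            continue
        # A Contact header can list several URIs, so check every one of them.
        for user in URI_USER.findall(value):
            if user != escape_common(user):
                hits.append((header, user))
    return hits

if __name__ == "__main__":
    for header, user in suspicious_users(SAMPLE):
        print(f"drop: {header} user {user!r} contains characters needing escape")
```

Every URI in a multi-valued Contact header is checked here, which a test of a single Contact field does not cover.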