<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<font face="monospace">Hi Gregory,<br>
<br>
As it is said, there is no single way to skin the cat :). Your
approach is a valid one, using the escaping transformation.
Maybe you should also check s.escape.user [1]. <br>
<br>
Such checks make sense when using avp_db_query(), i.e. raw queries.
The internal queries (like auth, etc.) are done via prepared
statements, so they are safe against injections.<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user">https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user</a><br>
<br>
Regards,<br>
</font>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
<a class="moz-txt-link-freetext" href="https://www.siphub.com">https://www.siphub.com</a></pre>
<div class="moz-cite-prefix">On 30.11.2023 02:34, Gregory Massel via
Users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d762af95-cf4a-4015-9a9c-1ce42d2cd0dc@switchtel.co.za">
<p>Hi all</p>
<p>I'm wondering what the best practice is in terms of detecting
and dropping attempted SQL injection attacks?</p>
<p>Is something like the following adequate or can this be
enhanced:</p>
<pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
    drop();
}
</pre>
<div class="moz-signature">Obviously this does not remove the need
to escape anything passed to avp_db_query(), however, what I
want to do is identify these sorts of attacks at the top of the
script and avoid processing.</div>
<div class="moz-signature"><br>
</div>
<div class="moz-signature">To date all the attacks I've seen focus
on the contact and from user, e.g.:</div>
<div class="moz-signature">
<pre>INVITE sip:00111390237920793@x.x.x.x:5060;transport=UDP SIP/2.0
Contact: &lt;sip:a'or'3=3--@x.x.x.x:5060;transport=UDP&gt;
To: &lt;sip:00111390237920793@x.x.x.x;transport=UDP&gt;
From: &lt;sip:a'or'3=3--@x.x.x.x;transport=UDP&gt;;tag=v2pjtxqb</pre>
</div>
<div class="moz-signature">I'm not quite sure how to match the
Contact user. Would the following work?</div>
<div class="moz-signature">
<pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
    drop();
}
</pre>
</div>
<div class="moz-signature">-- <br>
<span style="font-size:11.0pt;font-family:Assistant;color:black">Regards<br>
</span> <span
style="font-size:11pt;font-family:Assistant;color:#44546A"> <b>Gregory
Massel</b></span><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
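<p>The escape-and-compare check discussed above, and the difference between a string-built raw query and a prepared statement, as an added Python example that is not part of this thread or of OpenSIPS. It assumes s.escape.common backslash-escapes single quote, double quote, backslash and NUL (an approximation), pulls the user part out of From/To/Contact with a simple regex, and runs the From user of the quoted INVITE against a constructed in-memory subscriber table both ways.</p>

```python
import re
import sqlite3

# Approximation of OpenSIPS' s.escape.common (assumption: it backslash-escapes
# single quote, double quote, backslash and NUL and leaves everything else).
def escape_common(s: str) -> str:
    return "".join("\\0" if ch == "\0" else "\\" + ch if ch in "'\"\\" else ch
                   for ch in s)

URI_USER = re.compile(r"sips?:([^@;>]*)@")

def uri_user(header_value: str) -> str:
    """User part of the first SIP URI in a From/To/Contact header value."""
    m = URI_USER.search(header_value)
    return m.group(1) if m else ""

def suspicious_headers(headers: dict) -> list:
    """The thread's check: a user part that changes under escaping carries SQL
    quoting characters, so the request would be dropped at the top of the script."""
    return [name for name, value in headers.items()
            if uri_user(value) != escape_common(uri_user(value))]

# Headers constructed from the INVITE quoted in the thread.
INVITE_HEADERS = {
    "Contact": "<sip:a'or'3=3--@x.x.x.x:5060;transport=UDP>",
    "To": "<sip:00111390237920793@x.x.x.x;transport=UDP>",
    "From": "<sip:a'or'3=3--@x.x.x.x;transport=UDP>;tag=v2pjtxqb",
}

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a subscriber table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT)")
    db.executemany("INSERT INTO subscriber VALUES (?)", [("alice",), ("bob",)])
    return db

def lookup_raw(db: sqlite3.Connection, user: str) -> list:
    """String-built query with no escaping: what an unescaped avp_db_query() sends."""
    sql = "SELECT username FROM subscriber WHERE username='" + user + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_prepared(db: sqlite3.Connection, user: str) -> list:
    """Parameterised query, as the internal auth lookups are done: the user
    part is bound as data and cannot change the statement."""
    return [row[0] for row in
            db.execute("SELECT username FROM subscriber WHERE username=?", (user,))]
```

<p>The comparison check only reacts to the characters the escaping touches, so it is a cheap early filter for the quoting-based requests seen in the thread; the prepared statement is what actually keeps the user part from altering the query.</p>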
<br>
</body>
</html>