Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SQL injection hacks


i am a bit disappointed by the ability of cisco IPS to block sql injections, even with the new added generic sql injection signatures not long ago, still websites hosted with us are being hacked.

i know its vulnerabilities in the sites, but the command update is a lot used to hack sites, i have created a custom signature that catches "update" in small and caps, but i was surprised yesterday that the hacker used "u%pdate" and it bypassed the sensor !!

any thoughts on the subject



Re: SQL injection hacks

Interesting. I'm so not a SQL expert, but I don't see how "u%pdate" is valid SQL. Why would the database interpret "u%pdate" as valid SQL? Is the application cleaning up the input before passing to the db?

IMHO, if your customers have vulnerable apps, then they need to fix them. A network based IDS simply isn't going to be the best at detecting every possible variation of injection (or anything else imo, but that's a whole different soap box). It just doesn't have the required context. Throw TLS into the mix, and most of the time coverage drops to zero.

New Member

Re: SQL injection hacks

well we are still investigating how "u%pdate" was interpreted to be a valid SQL statement, but i have to emphasize again that the cisco IPS is quite behind in signatures regarding sql injection, i was just checking Tippingpoint yesterday and it has more than 25 signatures on sql injection, it has a signature for each sql command, update, select ...

the cisco IPS engineers should really know this don't you think ?


Re: SQL injection hacks

I agree. now they do;-)