
[DefCon32] SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level

Despite advances in database security, SQL injection persists through novel vectors. Paul Gerste, a security researcher, introduces protocol-level smuggling attacks that bypass prepared statements by targeting the database wire protocol itself. His research at [redacted], leveraging vulnerable driver libraries, demonstrates how attackers can inject malicious (No)SQL statements, leading to authentication bypasses, data leaks, and remote code execution.

Paul reimagines HTTP request smuggling for binary protocols, desynchronizing the application's view of the connection from the database's. By manipulating message boundaries, attackers insert unauthorized queries, exploiting flaws in the wire protocols of databases like MySQL and PostgreSQL. His findings extend beyond databases, impacting message queues and caching systems, revealing a pervasive attack surface.

The talk explores real-world implications across programming languages and frameworks, offering insights into mitigating these threats and inspiring further protocol research.

Protocol Smuggling Mechanics

Paul illustrates how wire protocols that delimit messages with length fields are susceptible to manipulation. By crafting payloads larger than the length field can represent, attackers trigger integer overflows: the encoded length wraps, and the receiver splits the byte stream into different messages than the sender intended. A Go-based HTTP handler, assumed secure because it uses prepared statements, falls to this attack, allowing query injection.

Demonstrations show desynchronization, where malicious messages execute as legitimate queries, bypassing application-layer defenses.

Real-World Applicability

Testing across languages like Python, Java, and Node.js, Paul finds varying resilience. Frameworks with strict input validation fare better, but many database drivers remain vulnerable. He identifies MySQL’s driver as particularly prone, with four-byte length fields enabling large payload exploits.

Caching systems and message queues, like Redis and RabbitMQ, exhibit similar flaws, broadening the attack’s scope.

Mitigation Strategies

Paul proposes robust input validation and size limits to thwart smuggling. Developers must prioritize protocol-level checks rather than assuming that a memory-safe language rules out this class of bug: integer overflows, often overlooked, are exactly what enable these attacks, and they warrant renewed scrutiny.

He advocates auditing driver libraries and enforcing strict message boundaries to restore database integrity.
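To make the length-field mechanics and the proposed size-limit check concrete, here is an added Python example that is not from the talk or any real driver. It uses a hypothetical little-endian length-prefixed framing (field width chosen per call) and contrasts a naive encoder that lets the length wrap with a checked encoder that refuses oversized payloads; the receiver-side parser shows how one oversized application message is read as two.

```python
from __future__ import annotations
import struct

def _fmt(width: int) -> str:
    # struct code for an unsigned little-endian length field of the given width
    return {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[width]

def frame_naive(payload: bytes, width: int = 4) -> bytes:
    """Mimics a driver that masks len() into the field: the length wraps on overflow."""
    mask = (1 << (8 * width)) - 1
    return struct.pack(_fmt(width), len(payload) & mask) + payload

def frame_checked(payload: bytes, width: int = 4) -> bytes:
    """Hardened encoder: refuse any payload that does not fit in the length field."""
    limit = (1 << (8 * width)) - 1
    if len(payload) > limit:
        raise ValueError(f"{len(payload)}-byte payload exceeds {width}-byte length field")
    return struct.pack(_fmt(width), len(payload)) + payload

def parse_frames(stream: bytes, width: int = 4) -> list:
    """Receiver side: split a byte stream into messages using only the length fields."""
    msgs, off = [], 0
    while off + width <= len(stream):
        (n,) = struct.unpack_from(_fmt(width), stream, off)
        off += width
        msgs.append(stream[off:off + n])
        off += n
    return msgs

def desync_demo(width: int = 2) -> dict:
    """Frame one oversized message both ways and report what a receiver sees."""
    wrap = 1 << (8 * width)
    intended = b"intended message"
    # Constructed input: after the intended bytes comes a complete second frame whose
    # total size is exactly one wrap of the field, so len(payload) & mask == len(intended).
    body = b"second message".ljust(wrap - width, b"\0")
    payload = intended + struct.pack(_fmt(width), len(body)) + body
    seen = [m.rstrip(b"\0") for m in parse_frames(frame_naive(payload, width), width)]
    try:
        frame_checked(payload, width)
        rejected = False
    except ValueError:
        rejected = True
    return {"naive_receiver_sees": seen, "checked_rejected": rejected}

if __name__ == "__main__":
    print(desync_demo(2))
```

The same wrap happens with a four-byte field; the two-byte width is used here only because a payload just over 64 KiB is cheap to construct.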

Future Research Directions

Paul encourages exploring protocols with two-byte length fields, where the smaller field makes the overflow easier to reach, and delimiter-based protocols, which may expose a different class of vulnerabilities. Large-payload techniques could bypass framework restrictions, warranting further investigation.

His tools, shared for pentesting, empower researchers to probe additional protocols, ensuring comprehensive security.
