Injection attacks

An injection attack lets an attacker insert code into a program or query, or place malware on a computer, in order to run remote commands that read or modify a database or change data on a web site.

Types of Injection attacks

The following types of attacks are considered Injection attacks:

Table 1. Injection attacks

Blind SQL Injection
    Allows an attacker to use an error page returned by the database server to ask a series of true-or-false questions using SQL statements, in order to gain total control of the database or execute commands on the system.

Blind XPath Injection
    Allows an attacker who does not know the structure of an XML document to use methods that attempt to determine that structure.

Buffer Overflow
    Alters the flow of an application by overwriting parts of memory.
    Reference: See Buffer overflow attacks for more information about this type of attack.

Format String Attack
    Alters the flow of an application by using string formatting library features to access other memory space.
    In this type of attack, data provided by users might be used as the formatting string input for certain C/C++ functions (for example: fprintf, printf, sprintf, setproctitle, syslog).

LDAP Injection
    Exploits web sites that construct LDAP (Lightweight Directory Access Protocol) statements from data provided by users.
    In this type of attack, an attacker might modify LDAP statements using a local proxy in order to execute arbitrary commands (granting permissions to unauthorized queries) or modify the content of the LDAP tree.

OS Commanding
    Exploits web sites by injecting an operating system command through an HTTP request to the web application.
    In this type of attack, an attacker might upload malicious programs or obtain passwords.

SQL Injection
    Takes advantage of the SQL syntax to inject commands that can read or modify a database, or compromise the meaning of the original SQL query.
    In this type of attack, an attacker can spoof identity; expose, tamper with, destroy, or make unavailable existing data; or become the administrator of the database server.

SSI Injection
    Allows an attacker to send code to a web application, which will later be executed locally by the web server.
    In this type of attack, an attacker exploits the failure of the web application to filter data provided by users before it inserts that data into a server-side interpreted HTML file.

XPath Injection
    Exploits web sites that allow an attacker to inject data into an application in order to execute XPath queries. (XPath is a query language that describes how to locate specific elements, such as attributes or processing instructions, in an XML document.)
    In this type of attack, the attacker might be able to bypass authentication or access information without proper authorization.
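The SQL Injection row above says the attack compromises the meaning of the original query and lets an attacker spoof identity. As an added example (not code from the original page), the following Python script builds a throwaway SQLite table and runs the same login lookup two ways: once with the statement assembled by string concatenation, once with bound parameters. The table, its rows, the function names and the crafted input are all constructed for this illustration.

```python
"""Vulnerable and hardened login lookup (constructed example, not from the page)."""
import sqlite3


def make_db():
    """Build an in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Splices user input into the SQL text, so input can become SQL syntax."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    """Binds the same input as data; quotes in it never change the query's meaning."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups against the same crafted input and a legitimate login."""
    conn = make_db()
    # Closes the quoted literal and comments out the password check that follows.
    crafted_name = "alice' --"
    return (
        login_vulnerable(conn, crafted_name, "wrong"),      # grants alice's role
        login_parameterized(conn, crafted_name, "wrong"),   # no such user: None
        login_parameterized(conn, "alice", "s3cret"),       # legitimate login
    )


if __name__ == "__main__":
    print(demo())
```

demo() returns the role the concatenated lookup grants for a crafted name with the wrong password, None from the parameterized lookup for the same input, and the real role for a correct login. The same principle applies to the LDAP and XPath rows: user input must reach the interpreter as data (bound parameters, or interpreter-specific escaping where binding is unavailable), never spliced into the statement text.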

Signatures triggered by this attack

The signatures triggered by Injection attacks include:

Table 2. Injection attack signatures

HTTP_GET_ComputeSum
    Detects attempts to execute the database command COMPUTE SUM through an HTTP GET request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM® X-Force®: HTTP GET contains compute%sum

HTTP_GET_CreateTable
    Detects attempts to execute the database command CREATE TABLE through an HTTP GET request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP GET contains create%table

HTTP_GET_GroupBy
    Detects attempts to execute the database command GROUP BY through an HTTP GET request.
    Known false positives: A false positive is possible when a user sends a request to an HTTP server that contains the string "group by" or "group+by".
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP GET contains group%by

HTTP_GET_SQL_Convert_Int
    Detects the SQL command convert(int,...) in HTTP GET requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL Injection CONVERT statement usage

HTTP_GET_SQL_OpenRowSet
    Checks HTTP GET requests for usage of the OPENROWSET SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "OPENROWSET" statement usage

HTTP_GET_SQL_Select_Count
    Detects the SQL command select count(*) in HTTP GET requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: SQL injection SELECT count detected

HTTP_GET_SQL_Select_Top_1
    Detects the SQL command select top 1 in HTTP GET requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: SQL injection SELECT count detected

HTTP_GET_SQL_UnionAllSelect
    Checks HTTP GET requests for usage of the UNION ALL SELECT SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage

HTTP_GET_SQL_UnionSelect
    Checks HTTP GET requests for usage of the UNION SELECT SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "UNIONSELECT" statement usage

HTTP_GET_SQL_WaitForDelay
    Checks HTTP GET requests for usage of the WAITFOR DELAY SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage

HTTP_GET_XP_Cmdshell
    Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP GET request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP URL contains an SQL xp_cmdshell command shell request

HTTP_IIS_MSSQL_xml
    Checks for an HTTP GET request matching either the pattern *.xml or an SQL injection using FOR XML with the contenttype argument exceeding 239 characters.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: Microsoft SQL Server SQLXML ISAPI buffer overflow; CVE-2002-0186

HTTP_IIS_MSSQL_XML_Script
    Checks for an HTTP GET request matching the pattern *.xml with an argument containing script injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: Microsoft SQL Server SQLXML XML tag script injection; CVE-2002-0187

HTTP_POST_ComputeSum
    Detects attempts to execute the database command COMPUTE SUM through an HTTP POST request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP POST contains compute%sum

HTTP_POST_CreateTable
    Detects attempts to execute the database command CREATE TABLE through an HTTP POST request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP POST contains create%table

HTTP_POST_GroupBy
    Detects attempts to execute the database command GROUP BY through an HTTP POST request.
    Known false positives: A false positive is possible when a user sends a request to an HTTP server that contains the string "group by" or "group+by".
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP POST contains group%by

HTTP_POST_SQL_Convert_Int
    Detects the SQL command convert(int,...) in HTTP POST requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL Injection CONVERT statement usage

HTTP_POST_SQL_OpenRowSet
    Checks HTTP POST requests for usage of the OPENROWSET SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "OPENROWSET" statement usage

HTTP_POST_SQL_Select_Count
    Detects the SQL command select count(*) in HTTP POST requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: SQL injection SELECT count detected

HTTP_POST_SQL_Select_Top_1
    Detects the SQL command select top 1 in HTTP POST requests.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL injection SELECT statement usage

HTTP_POST_SQL_WaitForDelay
    Checks HTTP POST requests for usage of the WAITFOR DELAY SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage

HTTP_POST_SQL_UnionAllSelect
    Checks HTTP POST requests for usage of the UNION ALL SELECT SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage

HTTP_POST_SQL_UnionSelect
    Checks HTTP POST requests for usage of the UNION SELECT SQL statement.
    Note: This does not necessarily indicate an attack on the network, but it might be an attempt at SQL injection.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP SQL "UNIONSELECT" statement usage

HTTP_POST_XP_Cmdshell
    Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP POST request.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: HTTP POST command contains SQL command shell request

HTTP_Shells_C
    Detects attempts to cause the C shell to execute commands.
    This signature detects any calls to the C shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Ksh
    Detects attempts to cause the Korn shell to execute commands.
    This signature detects any calls to the Korn shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Perl
    Detects attempts to cause the Perl shell to execute commands.
    This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Perl_Exe
    Detects attempts to cause the Perl shell to execute commands.
    This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Rksh
    Detects attempts to cause the restricted Korn shell to execute commands.
    This signature detects any calls to the restricted Korn shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Sh
    Detects attempts to cause the Bourne shell to execute commands.
    This signature only detects calls to the Bourne shell in the cgi-bin directory.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

HTTP_Shells_Tcsh
    Detects attempts to cause the tcsh shell to execute commands.
    This signature detects any calls to the tcsh shell at any location (not only the cgi-bin directory) within or outside the web server.
    This signature replaces HTTP_Shells.
    More information: IBM X-Force: Shell interpreters can be used to execute commands on Web servers; CVE-1999-0509

LDAP_Injection
    Detects attempts to compromise web sites that construct LDAP (Lightweight Directory Access Protocol) statements from data provided by users.

Shell_Command_Injection
    Detects a shell command injection attempt by combining commands and symbols used in shell programming languages.
    In the default configuration, shell commands are scored only when one of the pedantic (escape) values defined by the pam.injection.shell.pedantic tuning parameter is matched, or when a directory traversal attempt is detected. In either of those cases, an attempt is made to score shell commands and symbols.
    pam.injection.shell.pedantic: This tuning parameter affects the Shell_Command_Injection signature by requiring that one of the following patterns precede a shell command: ` (back-tick), $( (dollar sign + open parenthesis), || (double pipe), && (double ampersand), or ; (semicolon). When this tuning parameter is disabled, all tokens are scanned for shell commands. Disabling it will most likely lead to a substantial increase in false positives.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: Shell command injection attempt detected

SQL_Injection
    Heuristically detects SQL injection attempts by weighing various Data Definition statements, Data Manipulation statements, operators, functions, keywords, and symbols of the SQL language.
    Tuning parameters: pam.parser.argument.injection.enabled, pam.injection.argument.token.limit, pam.injection.sql.pedantic, pam.injection.sql.boolean.triggers, pam.injection.sql.chaff.limit, pam.injection.sql.score
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: SQL Injection affects multiple database-backed applications

SQL_Jet_Query_Overflow
    Searches for an SQL query with excessive SQL token delimiters, which could allow an attacker to overflow the Microsoft Jet Database Engine.
    Reference: See the XPATH_Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore
    More information: IBM X-Force: Microsoft Jet Database Engine query could execute code; CVE-2004-0197

XPATH_Injection
    Triggers when well-known boolean injection patterns are detected. In the absence of an SQL_Injection event, it is more likely that an XPATH injection attempt has been made.
    Tuning parameters:
    pam.injection.http.headers.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) are detected in HTTP headers, such as Cookie: and Referer:. Note: Disabling this tuning parameter results in a performance improvement.
    pam.injection.http.hostpath.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) are detected in the //host/path/filename portion of the HTTP URL. Note: Disabling this tuning parameter results in a performance improvement.
    pam.parser.argument.injection.enabled: Turns the Injection Logic Engine on or off. This affects all SQL injection signatures, all shell command injection signatures, and all cross-site scripting injection signatures. The default value for this tuning parameter is enabled.
    pam.injection.param.ignore: Defines a parameter name to ignore when inspecting for SQL injection, shell command injection, cross-site scripting, and other related attacks.
    More information: IBM X-Force: XPath injection attempt detected
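To make the tuning parameters concrete, here is an added Python model (written for this page; not the IBM PAM engine or any of its code) of the inspection behaviour described in the Shell_Command_Injection, SQL_Injection and XPATH_Injection rows: which request locations are inspected (pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.injection.param.ignore, pam.parser.argument.injection.enabled), the pedantic gating of shell commands (pam.injection.shell.pedantic), and a weighted SQL token score of the kind the SQL_Injection row describes. The token weights, the score threshold, the shell command list, the parameter values and the sample requests are all assumptions constructed for the example; the page gives none of them.

```python
"""Added model of the injection-inspection tuning parameters (constructed for
this page; not the IBM PAM engine)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Tuning parameters named on the page; the values chosen here are assumptions.
CONFIG = {
    "pam.parser.argument.injection.enabled": True,  # master switch for the engine
    "pam.injection.http.headers.enabled": True,     # inspect Cookie:, Referer:, ...
    "pam.injection.http.hostpath.enabled": False,   # inspect //host/path/filename
    "pam.injection.shell.pedantic": True,           # require an escape before a command
    "pam.injection.param.ignore": {"free_text"},    # parameter names never inspected
}

# Constructed SQL token weights and threshold; the real engine's are not on the page.
SQL_WEIGHTS = {
    r"\bunion\s+(all\s+)?select\b": 5,
    r"\bselect\b": 2, r"\bfrom\b": 1, r"\bwhere\b": 1, r"\bgroup\s+by\b": 1,
    r"\b(insert|update|delete|drop|create|alter)\b": 3,
    r"\bwaitfor\s+delay\b": 5, r"\bxp_cmdshell\b": 6,
    r"--|/\*": 2, r"'": 1, r"\bor\b\s+['\"\d]": 3,
}
SQL_THRESHOLD = 6

# Assumed shell command names, plus the pedantic escape values the page lists.
SHELL_COMMAND = r"\b(cat|ls|id|whoami|wget|curl|nc|sh|bash|perl)\b"
SHELL_ESCAPE = r"(`|\$\(|\|\||&&|;)"
DIR_TRAVERSAL = r"\.\./"


def sql_score(value):
    """Weigh SQL statements, keywords and symbols present in one value."""
    low = value.lower()
    return sum(w * len(re.findall(pat, low)) for pat, w in SQL_WEIGHTS.items())


def shell_hit(value, pedantic):
    """Decide whether a shell command in the value gets scored at all."""
    if not pedantic:                      # every token is scanned for commands
        return re.search(SHELL_COMMAND, value) is not None
    # Pedantic mode: the command must follow an escape value, or a directory
    # traversal attempt must be present alongside a command.
    escaped = re.search(SHELL_ESCAPE + r"\s*" + SHELL_COMMAND, value)
    traversal = re.search(DIR_TRAVERSAL, value) and re.search(SHELL_COMMAND, value)
    return bool(escaped or traversal)


def inspect_request(method, url, headers, body="", config=CONFIG):
    """Return a list of (location, signature) events for one HTTP request."""
    if not config["pam.parser.argument.injection.enabled"]:
        return []
    parts = urlsplit(url)
    fields = [("query", n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method == "POST":
        fields += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    if config["pam.injection.http.hostpath.enabled"]:
        fields.append(("hostpath", None, unquote_plus(parts.netloc + parts.path)))
    if config["pam.injection.http.headers.enabled"]:
        fields += [("header:" + n, None, v) for n, v in headers.items()]

    events = []
    for location, name, value in fields:
        if name in config["pam.injection.param.ignore"]:
            continue
        if sql_score(value) >= SQL_THRESHOLD:
            events.append((location, "SQL_Injection"))
        if shell_hit(value, config["pam.injection.shell.pedantic"]):
            events.append((location, "Shell_Command_Injection"))
    return events


# Constructed sample traffic, not captured from any real system.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=group+by+artist", {"Cookie": "sid=abc"}, ""),
    ("GET", "/item?id=1'+UNION+ALL+SELECT+name,pass+FROM+users--", {}, ""),
    ("GET", "/cmd?x=cat+readme", {}, ""),     # bare command, no escape value
    ("GET", "/cmd?x=foo%3Bid", {}, ""),       # ';' precedes the command
    ("GET", "/", {"Referer": "http://x/?u=1' union select 1,2--"}, ""),
    ("POST", "/post", {}, "title=hi&free_text=select+*+from+t+where+x='1'+or+'1'='1'--"),
]


def run_samples(config=CONFIG):
    """Inspect every sample request under the given configuration."""
    return [inspect_request(m, u, h, b, config) for m, u, h, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, events in zip(SAMPLE_REQUESTS, run_samples()):
        print(request[0], request[1], "->", events or "no event")
```

Run the file to print an event list per sample request. The benign "group by artist" search scores below the threshold, which is the trade-off behind the Known false positives note on the GroupBy signatures. Turning pam.injection.http.headers.enabled off silences the attempt carried in the Referer header, and turning pedantic mode off makes the bare "cat readme" request fire, which is the false-positive increase the page warns about.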