Attention:
Due to circumstances currently beyond my control, this web-based demonstration is disabled. However, Dejector is now in production: you can grab your own copy at http://sourceforge.net/projects/libdejector. The original demo code is preserved here for posterity.
Break Dejector!
What's this all about, then?
Hi. You're here to test out Dejector, a new approach to thwarting SQL injection attacks. To get an idea of how Dejector works, you can start by reading the paper by Robert J. Hansen and Meredith L. Patterson. Then, have a look at the Python source, which is ugly and relies heavily on a tweaked version of PyBison by David McNab.
I don't care how it works, I just want to break stuff.
Be our guest, cowboy. We'll even give you some hints to get started.
- The form below passes a variable into an SQL insert statement, namely:
  INSERT INTO myTable VALUES ($foo);
  In this case, $foo is intended to be a numeric value. Your job is to trick Dejector into accepting anything else: extra commands, extra arguments in the VALUES list, a comment, an expression, a string, whatever.
- We're using a weird dialect of SQL, namely the variant on SQL89 featured in Lex and Yacc from O'Reilly Publishing. We had to make some trivial changes for compatibility with PyBison, but they don't change the grammar itself. There are some substantial differences between this version of SQL and what you might be used to in MySQL or PostgreSQL, so you may wish to look at the source:
  - the lexer (flex)
  - the parser (bison)
  - the parser in human-readable format
  - the PyBison parser (generated by bison2py)
- This is a proof of concept; a real-world implementation will be built against the lexer and parser of a real-world RDBMS.
What's an example?
First, try submitting just a single numeric value, like 42, or 3.14159. It should work just fine, and you'll see the parse tree for the known-good (or "exemplar") query next to the parse tree for the query you submitted. See how they have the same nodes, and differ only in the INTNUM value (or not at all, if you submitted 1)?
Now, try submitting a string like
1); INSERT INTO foo VALUES (1000
This attempts to tack an extra command onto the sequence. It fails, and shows you the (much larger) parse tree for what you submitted.
As you should already know from the whitepaper, this is how Dejector works -- by comparing a parse of the entire SQL query you're submitting to an exemplar parse tree.
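An added illustration of that comparison, not the demo's Python or the Dejector library: a hand-written parser stands in for the flex/bison grammar, and `shape` is the assumed stand-in for the parse-tree comparison. It folds INTNUM and APPROXNUM into one NUMBER token so that 42 and 3.14159 compare equal, as described above, and `dejector_accepts` rebuilds the form's query around $foo.

```python
import re
# Added example, not the Dejector source: a toy stand-in for the page's SQL89 grammar that only
# knows INSERT INTO <name> VALUES (<literal>, ...); INTNUM and APPROXNUM are folded into NUMBER.
TOKEN_RE = re.compile(r"\s*(?:(?P<NUMBER>\d+(?:\.\d+)?)|(?P<STRING>'(?:[^']|'')*')"
                      r"|(?P<NAME>[A-Za-z_]\w*)|(?P<PUNCT>\S))")
KEYWORDS, LITERALS = {"INSERT", "INTO", "VALUES"}, {"NUMBER", "STRING"}

def tokenize(sql):                               # -> (kind, text) pairs, kinds as a lexer names them
    toks = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "NAME" and text.upper() in KEYWORDS:
            kind = text.upper()                  # keywords become their own token kind
        toks.append((text if kind == "PUNCT" else kind, text))
    return toks + [("EOF", "")]

def parse(sql):                                  # recursive descent -> nested-tuple tree, or ValueError
    toks, pos = tokenize(sql), 0
    def take(*kinds):                            # consume one token whose kind is among `kinds`
        nonlocal pos
        if toks[pos][0] not in kinds:
            raise ValueError(f"expected {'/'.join(kinds)}, got {toks[pos][1]!r}")
        pos += 1
        return toks[pos - 1]
    def insert():                                # INSERT INTO name VALUES ( literal {, literal} ) ;
        take("INSERT"); take("INTO")
        table = ("table", take("NAME")[1])
        take("VALUES"); take("(")
        values = [take(*LITERALS)]
        while toks[pos][0] == ",":
            take(","); values.append(take(*LITERALS))
        take(")"); take(";")
        return ("insert", table, ("values", *values))
    stmts = [insert()]
    while toks[pos][0] != "EOF":                 # a tacked-on statement becomes a second subtree
        stmts.append(insert())
    return ("sql", *stmts)

def shape(tree):                                 # drop literal values, keep the node structure
    if tree[0] in LITERALS:
        return (tree[0],)
    return tuple(shape(t) if isinstance(t, tuple) else t for t in tree)

EXEMPLAR = parse("INSERT INTO myTable VALUES (42);")

def dejector_accepts(foo):                       # what the form does with $foo
    try:
        return shape(parse(f"INSERT INTO myTable VALUES ({foo});")) == shape(EXEMPLAR)
    except ValueError:
        return False
```

A submission that fails to parse at all and one that parses to a larger tree are both rejected; only the literal's value may differ from the exemplar.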
Okay, I'm ready for some Dejection.
N.B.: if you get a ParserSyntaxError, reload the page; something's twitchy with my mod_python install.
Will you release this as a package? How about some documentation?
PyBison has some really annoying linking problems that make it hard to use without one dirty hack or another. Briefly, it builds and links to a shared library, but the way that it searches for that shared library, you end up either having to set LD_LIBRARY_PATH -- which is generally Considered Harmful, and doesn't work with programs which are setuid root in the first place -- or drop the library someplace where ldconfig can find it and put an identically named placeholder in whatever directory your script is running in. (As you might imagine, this is easy on the command line, but a pain in the ass with a chroot'ed Apache.) I may fix this at some point, but it's not a huge priority for me.
My current plan is to throw together some notes on what I had to do to set up this testbed, but these should not be construed as a way to use Dejector in a production environment. Dejector is not ready for prime time.
I'm working on a proper library, and will also put together SWIG wrappers for Python, PHP, and any other languages people care about.
