Exam 312-50v12 topic 1 question 218 discussion

When an IDS relies on fixed signatures to detect typical SQL injection patterns, using string concatenation to obfuscate SQL keywords (for example, writing "SEL" + "ECT" instead of "SELECT") can effectively bypass those signatures. This method alters the appearance of the SQL payload without affecting its functionality once processed by the database. In contrast, techniques like case variation are often normalized by the IDS, and hex encoding might be decoded during inspection. IP fragmentation is generally not effective for SQL injection payloads, as it is more suited for network-layer evasion.

String concatenation is more effective because it splits up SQL keywords into multiple pieces that are much harder for an IDS to recognize as part of a known attack. For example, splitting SELECT into S + E + L + E + C + T makes it difficult for the IDS to match the attack pattern because the SQL keyword is now fragmented and unrecognizable to signature-based detection.

String concatenation effectively disrupts the recognizable structure of SQL keywords while ensuring the payload remains syntactically valid.

Ok D but why not C? it also evade IDS and chatGPT says is more easy to implement

I would go with D because A is more specific with bypassing network traffic...

The most efective "D. Use Hex encoding to represent the SQL query string" Hex encoding is an evasion technique that uses hexadecimal encoding to represent a string. Attackers use hex encoding to obfuscate the SQL query so that it will not be detected in the signatures of security measures, as most IDS do not recognize hex encodings. Attackers exploit such IDS to bypass their SQL injection crafted inputs. Hex encoding provides countless ways for attackers to obfuscate each URL.

D: Module 15, it has its own section.

Might be D because A can't be a good answer. The server IS sending to the bdd so can't be splitted

C. Leverage string concatenation to break identifiable keywords: String concatenation involves splitting SQL keywords and data within the injection payload, making it harder for signature-based IDS systems to match the payload against known SQL injection patterns. This technique can effectively obscure the malicious SQL code, making it less likely to be detected by signature-based detection mechanisms.

D. Hex encoding involves representing characters in hexadecimal format, which can help obfuscate the SQL query string. By encoding the SQL injection payload in hexadecimal, an attacker can evade signature-based detection mechanisms that typically rely on detecting specific SQL injection patterns or keywords. Its not A, because IP fragmentation is more related to evading network-based detection mechanisms, and it may not be as effective against signature-based detection focused on SQL injection patterns.

Options B (case variation) and D (Hex encoding) are the most effective strategies for bypassing IDS signature detection during SQL injection attacks. If I have to choose one I vote D

I think it's A: (Module 15 Page 2334) Evasion Technique: IP Fragmentation An attacker intentionally splits an IP packet to spread the packet across multiple small fragments. Attackers use this technique to evade an IDS or WAF. For an IDS or WAF to detect an attack, it must first reassemble the packet fragments. Usually, it is impossible to find a match between the attack string and a signature as each packet is checked individually. These small fragments can be further modified to complicate reassembly and detection of an attack payload.

D. Use Hex encoding to represent the SQL query string

I think its D