About GreenSQL
What is GreenSQL?
GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a reverse proxy and has built-in support for MySQL. Its logic is based on evaluating SQL commands with a risk scoring matrix, as well as blocking known database administrative commands (DROP, CREATE, etc.). GreenSQL is distributed under the GPL license.
GreenSQL Architecture
GreenSQL works as a reverse proxy for MySQL connections. This means that instead of connecting to the MySQL server directly, your applications connect to the GreenSQL server. GreenSQL analyzes the SQL queries and forwards them to the back-end MySQL server.
The following picture describes the whole process.
[Figure: GreenSQL Architecture]
As you can see, GreenSQL calls the real database server to execute SQL commands, and the web application connects to the GreenSQL server as if it were the real database server.
GreenSQL can be installed on the same computer as the database server, or on a separate server. By default GreenSQL listens on the local port 127.0.0.1:3305 and redirects SQL requests to 127.0.0.1:3306 (the default MySQL settings). These settings can be altered using the GreenSQL Console.
How does GreenSQL find illegal queries?
The GreenSQL database firewall provides database protection using a number of methods:
- Blocking administrative and sensitive SQL commands.
- Calculating risk of each query and blocking queries with high risk.
If a query is considered illegal, the whitelist is checked. If the query is found in the whitelist, it is forwarded to the genuine MySQL server. If it is not found, an empty result set is sent to the application.
Blocking administrative and sensitive SQL commands
GreenSQL uses a pattern matching engine to find commands that are considered "illegal". Basically this is a signature-based subsystem. For example, by default GreenSQL blocks database administrative commands, so any command that tries to change the database structure is blocked. In addition, GreenSQL blocks commands used to access system files. An administrator can also approve an "illegal" query by adding it to the whitelist, or by altering the configuration file that holds the list of "illegal" commands.
Calculating risk of each query and blocking queries with high risk.
For each query GreenSQL calculates a risk score. Basically this is an anomaly detection subsystem. After the risk is calculated, GreenSQL can block the query or just create a warning message. A number of factors are taken into account when calculating the risk. For example:
- Access to sensitive tables increases query risk (users, accounts, credit information)
- Comments inside SQL commands increase query risk
- Usage of an empty password string
- An ‘or’ token found inside the query
- A SQL expression that always returns true (SQL tautology)
- Comparison of constant values (SQL tautology)
- ...
In order to find anomalies, GreenSQL uses its own SQL language lexer to find SQL tokens.
How are commands blocked?
When GreenSQL determines that a query should be blocked, it generates an empty result set and sends it back to the application, so the application can continue gracefully.
How does the whitelist work?
Each time GreenSQL considers a SQL query a security risk, it is blocked. You can alter this behavior for a specific query by explicitly adding it to the whitelist.
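The following Python sketch is an added example, not GreenSQL's own code, that ties together the behaviour described in the sections above: the signature-based subsystem for administrative and file-access commands, the risk-scoring subsystem driven by a small SQL lexer, the whitelist lookup for queries judged illegal, and the empty result set returned to the application for anything that is blocked. The signature lists, sensitive table names, risk weights, the 30-point threshold, the whitelist normalization and the sample queries are all assumptions constructed for this example; they are not GreenSQL's shipped patterns or configuration.

```python
import re
from collections import namedtuple

# Toy SQL lexer standing in for GreenSQL's own lexer (this example's code, not the project's).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)   # SQL comments
  | (?P<string>'(?:[^']|'')*')                 # single-quoted string literal
  | (?P<number>\b\d+(?:\.\d+)?\b)              # numeric literal
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)          # keyword, table, column or function name
  | (?P<op>[<>=!]=|<>|[=<>(),;*.])             # operators and punctuation
""", re.VERBOSE | re.DOTALL)

def lex(sql):
    """Return the query as a list of (kind, text) tokens; whitespace is skipped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)]

# Signature subsystem. Both lists are constructed for this example, not GreenSQL's shipped patterns.
ADMIN_COMMANDS = {"DROP", "CREATE", "ALTER", "TRUNCATE", "GRANT", "REVOKE"}
FILE_ACCESS = {"LOAD_FILE", "INFILE", "OUTFILE", "DUMPFILE"}

def match_signature(tokens):
    """Return why the query is 'illegal' by signature, or None if no signature matches."""
    if tokens and tokens[0][0] == "ident" and tokens[0][1].upper() in ADMIN_COMMANDS:
        return "administrative command " + tokens[0][1].upper()
    for kind, text in tokens:
        if kind == "ident" and text.upper() in FILE_ACCESS:
            return "system file access via " + text.upper()
    return None

# Risk-scoring subsystem. Table names, weights and threshold are assumptions of this example.
SENSITIVE_TABLES = {"users", "accounts", "credit_cards"}
RISK_THRESHOLD = 30
CONST_KINDS = ("number", "string")

def score_query(tokens):
    """Anomaly score for a token list, plus the factors that contributed to it."""
    risk, reasons = 0, []
    idents = [text.lower() for kind, text in tokens if kind == "ident"]
    if any(kind == "comment" for kind, _ in tokens):
        risk += 10
        reasons.append("comment")
    hit = SENSITIVE_TABLES.intersection(idents)
    if hit:
        risk += 15
        reasons.append("sensitive table " + ",".join(sorted(hit)))
    if "or" in idents:
        risk += 5
        reasons.append("'or' token")
    for left, op, right in zip(tokens, tokens[1:], tokens[2:]):
        if op[0] != "op" or op[1] not in ("=", "<>", "!="):
            continue
        if left[0] in CONST_KINDS and right[0] in CONST_KINDS:
            risk += 10
            reasons.append("constant comparison")
            # 1=1 or '1'<>'2' is true whatever the data holds: a SQL tautology
            if (op[1] == "=") == (left[1] == right[1]):
                risk += 15
                reasons.append("tautology")
        elif left[0] == "ident" and left[1].lower() == "password" and op[1] == "=" and right == ("string", "''"):
            risk += 20
            reasons.append("empty password string")
    return risk, reasons

Decision = namedtuple("Decision", "action reason risk")  # action: "forward" or "block"

def normalize(sql):
    """Whitelist key: case-folded, whitespace-collapsed text (an assumption of this example)."""
    return " ".join(sql.split()).rstrip(";").lower()

def evaluate(sql, whitelist=frozenset(), threshold=RISK_THRESHOLD):
    """Signature check, then risk score, then whitelist lookup for anything judged illegal."""
    tokens = lex(sql)
    signature = match_signature(tokens)
    risk, reasons = score_query(tokens)
    if signature is None and risk < threshold:
        return Decision("forward", "no findings", risk)
    why = signature or "risk %d (%s)" % (risk, ", ".join(reasons))
    if normalize(sql) in whitelist:
        return Decision("forward", "whitelisted despite " + why, risk)
    return Decision("block", why, risk)

def proxy_handle(sql, backend, whitelist=frozenset()):
    """Forward to the real server, or answer with an empty result set so the app continues."""
    if evaluate(sql, whitelist).action == "forward":
        return backend(sql)
    return []

if __name__ == "__main__":
    # Constructed sample queries, written as the application would send them.
    samples = [
        "SELECT id FROM items WHERE sku = 'A-1'",
        "SELECT * FROM users WHERE name = '' OR '1'='1' -- ' AND password = 'x'",
        "SELECT id FROM users WHERE login = 'bob' AND password = ''",
        "DROP TABLE tmp_import",
    ]
    whitelist = {normalize("DROP TABLE tmp_import")}  # approved by the administrator
    for q in samples:
        d = evaluate(q, whitelist)
        print("%-7s risk=%-3d %s  <- %s" % (d.action, d.risk, d.reason, q))
```

The example keeps the two subsystems separate on purpose: a signature hit blocks regardless of score, while the score only matters once it crosses the threshold, and the whitelist is consulted only after a query has been judged illegal by either path. Raising `threshold` turns a borderline score into a warning-only case, which mirrors the block-or-warn choice described above.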