Exam 312-39 topic 1 question 37 discussion

One common way to perform a SQL injection attack is to use SQL queries that manipulate the database to obtain sensitive information or to perform actions that can be harmful to the application or the underlying system. The regular expression in question matches a pattern of SQL queries that are commonly used in SQL injection attacks to bypass input validation. The regular expression looks for a pattern that includes a single quote (either with URL encoding %27 or the actual character '), followed by the letter o (either with URL encoding %6F or the actual character o), followed by the letter r (either with URL encoding %72 or the actual character r), and finally, the letter O (either with URL encoding %4F or the actual character O). This pattern is used to insert malicious SQL code into a query and evade input validation, allowing the attacker to execute their malicious code. Therefore, the detection of this regular expression in web application logs is a strong indication of a possible SQL injection attack, and security analysts can use it to identify and prevent such attacks.

p.445: This signature looks for the string that begins with constant alphanumeric value, followed by a single quote, then followed by the word "or." For example, 1'or2>1--In the above signature: \w*: Looks for zero or more alphanumeric or underscore characters (\%27)|\': Looks for the single-quote or its hex equivalent (\%6F)|o|(\%4F))((\%72)|r|(\%52): Looks for the word "or" with various combinations of its upper and lower case hex equivalents

Sql Injection Attempt, Module 4 Page 444