ATR-2026-01601 | critical | Privilege Escalation | experimental

SQL Injection Destructive DDL Statement

Detects SQL injection payloads that attempt destructive DDL operations: DROP TABLE, TRUNCATE TABLE, or unbounded DELETE FROM statements embedded in agent tool arguments. These attacks exploit agents that pass user input directly to database query tools, causing irreversible data destruction. The canonical form uses string-termination ( ' or " followed by ; ) to escape a parameterized context and inject a secondary statement.
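The root cause described above, shown with the rule's first true-positive payload against an in-memory SQLite database. This is an added example, not part of the rule or the ATR project; the `products` table contents and both lookup functions are hypothetical.

```python
import sqlite3

# Payload taken from the rule's first true-positive test case.
PAYLOAD = "product'; DROP TABLE products; --"


def new_db():
    """In-memory database with one constructed products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.execute("INSERT INTO products VALUES ('widget')")
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_concatenated(conn, name):
    """Hypothetical query tool: splices the argument into the SQL text and
    runs it through an interface that accepts stacked statements."""
    conn.executescript(f"SELECT name FROM products WHERE name = '{name}'")


def lookup_bound(conn, name):
    """Same lookup with the argument bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM products WHERE name = ?", (name,)
    ).fetchall()


def run(lookup, name):
    """Run one lookup on a fresh database; report whether products survives."""
    conn = new_db()
    lookup(conn, name)
    return table_exists(conn, "products")
```

With the bound form the payload is compared as a literal product name, so the rule's pattern can still appear in `tool_args` without the statement ever executing.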

Severity: critical
Category: Privilege Escalation
Scan Target: tool_args
Author: ATR Community

Response Actions

block tool, alert, escalate, snapshot

References

OWASP Agentic: ASI03:2026 - Identity and Privilege Abuse
OWASP LLM: LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS: AML.T0043 - Craft Adversarial Data

Detection Conditions

Combinator: any
  1. SQL injection: quote-termination followed by destructive DDL
     field: tool_args, op: regex
  2. DROP TABLE with comment suppressor
     field: tool_args, op: regex
  3. Destructive DDL injection in user input
     field: user_input, op: regex

Attack Examples (Rule Triggers)

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

  1. Normal migration action
  2. Educational SQL question without injection pattern
  3. Normal parameterized-style SELECT

Known False Positive Contexts

  • Database administrator agents with explicitly granted DDL permissions
  • Schema migration agents running authorized DROP/TRUNCATE operations

Full YAML Definition

title: SQL Injection Destructive DDL Statement
id: ATR-2026-01601
rule_version: 1
status: experimental
description: |
  Detects SQL injection payloads that attempt destructive DDL operations:
  DROP TABLE, TRUNCATE TABLE, or unbounded DELETE FROM statements embedded
  in agent tool arguments. These attacks exploit agents that pass user input
  directly to database query tools, causing irreversible data destruction.
  The canonical form uses string-termination ( ' or " followed by ; ) to
  escape a parameterized context and inject a secondary statement.
author: ATR Community
date: 2026/06/12
schema_version: "0.1"
detection_tier: pattern
maturity: stable
severity: critical
references:
  owasp_llm:
    - "LLM02:2025 - Sensitive Information Disclosure"
  owasp_agentic:
    - "ASI03:2026 - Identity and Privilege Abuse"
  mitre_atlas:
    - "AML.T0043 - Craft Adversarial Data"
  mitre_attack:
    - "T1485 - Data Destruction"
compliance:
  owasp_llm:
    - id: "LLM02:2025"
      context: "Destructive DDL injection causes permanent data loss and denial of service to legitimate users."
      strength: primary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "Runtime detection of destructive SQL injection contributes to MEASURE 2.7 security and resilience evaluation."
      strength: primary
  eu_ai_act:
    - article: "15"
      context: "Article 15 robustness requirements include resistance to adversarial inputs that cause data destruction."
      strength: primary
  iso_42001:
    - clause: "8.1"
      context: "Operational controls under Clause 8.1 must block agent SQL inputs containing destructive DDL (DROP / TRUNCATE / ALTER); such statements must never be reachable from untrusted tool arguments."
      strength: primary
    - clause: "6.2"
      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) requires risk treatment of known attack patterns; detecting destructive-DDL injection that causes permanent data loss and denial of service is such a treatment."
      strength: secondary
tags:
  category: privilege-escalation
  subcategory: sql-injection
  scan_target: tool_args
  confidence: high
  # Security-education / pentest SKILL.md files list raw SQLi payloads
  # (`'; DROP TABLE users; --`, `' OR '1'='1`) inside ```...``` fenced blocks as
  # test vectors to run against an app. Those fenced cheat-sheets are
  # documentation, not a live tool call. The shape is otherwise identical to a
  # real injection, so suppression by code-fence is the only way to separate
  # them. Own true-positives are bare JSON/tool-arg strings (not fenced), so
  # suppression never affects own-TP matching.
  suppress_in_code_blocks: true
agent_source:
  type: tool_call
  framework:
    - any
  provider:
    - any
detection:
  conditions:
    - field: tool_args
      operator: regex
      value: "(?i)(?:';|\"\\s*;|--\\s*)\\s*(?:DROP\\s+(?:TABLE|DATABASE|INDEX|VIEW)|TRUNCATE\\s+(?:TABLE\\s+)?\\w|DELETE\\s+FROM\\s+\\w)"
      description: "SQL injection: quote-termination followed by destructive DDL"
    - field: tool_args
      operator: regex
      value: "(?i)\\bDROP\\s+TABLE\\s+\\w+\\s*;?\\s*--"
      description: "DROP TABLE with comment suppressor"
    - field: user_input
      operator: regex
      value: "(?i)(?:';|\"\\s*;)\\s*(?:DROP\\s+TABLE|TRUNCATE|DELETE\\s+FROM\\s+\\w)"
      description: "Destructive DDL injection in user input"
  condition: any
  false_positives:
    - "Database administrator agents with explicitly granted DDL permissions"
    - "Schema migration agents running authorized DROP/TRUNCATE operations"
response:
  actions:
    - block_tool
    - alert
    - escalate
    - snapshot
  auto_response_threshold: critical
  message_template: |
    [ATR-2026-01601] Destructive SQL injection detected. Tool argument
    contains DROP TABLE / TRUNCATE / DELETE injection pattern. Tool call blocked.
confidence: 92
test_cases:
  true_positives:
    - tool_args: "{\"name\": \"product'; DROP TABLE products; --\"}"
      expected: triggered
      description: "Classic DROP TABLE injection (probe: sql-injection-destructive)"
    - tool_args: "{\"query\": \"SELECT name FROM users WHERE id = ''; DROP TABLE users; --\"}"
      expected: triggered
      description: "SELECT followed by DROP via stacked query"
    - tool_args: "{\"filter\": \"x'; TRUNCATE TABLE orders; --\"}"
      expected: triggered
      description: "TRUNCATE TABLE injection"
    - user_input: "Find products with name = \"'; DROP TABLE products; --\""
      expected: triggered
      description: "Destructive DDL in user-facing search input"
  true_negatives:
    - tool_args: '{"action": "migrate", "direction": "up"}'
      expected: not_triggered
      description: "Normal migration action"
    - user_input: "How do I drop a table in PostgreSQL?"
      expected: not_triggered
      description: "Educational SQL question without injection pattern"
    - tool_args: "{\"sql\": \"SELECT * FROM products WHERE category = 'electronics'\"}"
      expected: not_triggered
      description: "Normal parameterized-style SELECT"
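
The three detection conditions evaluated in Python over events from the rule's test cases, as an added example that is not the ATR engine's code. It assumes `suppress_in_code_blocks` strips triple-backtick fenced spans before matching; the last two samples are constructed.

```python
import re

# Patterns copied from detection.conditions, with the YAML escaping removed.
CONDITIONS = [
    ("tool_args", re.compile(
        r"""(?i)(?:';|"\s*;|--\s*)\s*(?:DROP\s+(?:TABLE|DATABASE|INDEX|VIEW)"""
        r"""|TRUNCATE\s+(?:TABLE\s+)?\w|DELETE\s+FROM\s+\w)""")),
    ("tool_args", re.compile(r"(?i)\bDROP\s+TABLE\s+\w+\s*;?\s*--")),
    ("user_input", re.compile(
        r"""(?i)(?:';|"\s*;)\s*(?:DROP\s+TABLE|TRUNCATE|DELETE\s+FROM\s+\w)""")),
]

# Assumption (not the engine's code): suppress_in_code_blocks strips
# triple-backtick fenced spans from the text before the patterns run.
TICKS = "`" * 3
FENCE = re.compile(TICKS + r".*?" + TICKS, re.DOTALL)


def evaluate(event, suppress_in_code_blocks=True):
    """Return the 1-based numbers of the conditions that match the event."""
    hits = []
    for number, (field, pattern) in enumerate(CONDITIONS, start=1):
        text = event.get(field)
        if text is None:
            continue  # a condition only applies to its own field
        if suppress_in_code_blocks:
            text = FENCE.sub(" ", text)
        if pattern.search(text):
            hits.append(number)
    return hits


# Samples 0-3 come from the rule's test_cases. Sample 4 (a fenced payload
# list) and sample 5 (an authorized migration statement, one of the listed
# false-positive contexts) are constructed for this example.
SAMPLES = [
    {"tool_args": '''{"name": "product'; DROP TABLE products; --"}'''},
    {"tool_args": '''{"filter": "x'; TRUNCATE TABLE orders; --"}'''},
    {"user_input": '''Find products with name = "'; DROP TABLE products; --"'''},
    {"user_input": "How do I drop a table in PostgreSQL?"},
    {"tool_args": f"Payload list:\n{TICKS}\n'; DROP TABLE users; --\n{TICKS}"},
    {"tool_args": '{"sql": "DROP TABLE legacy_orders; -- approved migration"}'},
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(evaluate(event), event)
```

Sample 5 matches condition 2 even though nothing is injected, which is why the listed false-positive contexts need an allow-list or separate handling for agents with granted DDL permissions.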

Revision History

Created: 2026-06-12
Last modified: 2026-06-13