Brief anatomy of a SQL Injection

    • #4718
      unsupported
      Participant

      I found a quick write-up on SQL injections, http://threatpost.com/en_us/blogs/anatomy-sql-injection-attack-022510, and the more detailed article, http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx.

      Basically, in this write-up, someone found a database throwing raw database errors back to the client. Next, he tested the website for SQL injections by using ‘1=1’, which is a true statement in the SQL world and will not generate any errors. They also found the site was serving a trojan. JOY!

      I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and not return them to the client.
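The failure mode and the fixes named in the post above, as an added example that is not part of the original thread or the linked write-ups: a concatenated query that returns raw database errors, next to a version that validates the input, binds it as a parameter and traps errors server-side. The table, the sample rows and the function names are constructed for illustration, and SQLite stands in for whatever database the real site used.

```python
import logging
import re
import sqlite3

def make_db():
    # Constructed sample data; row 3 is meant to be invisible to web users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "widget", 0), (2, "gadget", 0), (3, "unreleased", 1)])
    return db

def lookup_vulnerable(db, product_id):
    # Weak form: request input is pasted into the statement text, and the
    # raw driver error (with the query) is handed back to the client.
    sql = ("SELECT name FROM products WHERE hidden = 0 AND id = "
           + product_id + " ORDER BY id")
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "DB error: %s in [%s]" % (exc, sql)

def lookup_hardened(db, product_id):
    # 1. Validate: an id is a short run of ASCII digits and nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", product_id):
        return "invalid request"
    # 2. Bind the value as a parameter so it can never become SQL syntax.
    # 3. Trap database errors: details go to the server log, not the client.
    try:
        rows = db.execute(
            "SELECT name FROM products WHERE hidden = 0 AND id = ? ORDER BY id",
            (int(product_id),))
        return [row[0] for row in rows]
    except sqlite3.Error:
        logging.exception("product lookup failed")
        return "internal error"

if __name__ == "__main__":
    db = make_db()
    # "1'" provokes a syntax error; "1 OR 1=1" is the always-true test.
    for value in ("1", "1'", "1 OR 1=1"):
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value))
        print(repr(value), "hardened:  ", lookup_hardened(db, value))
```

In the vulnerable version the always-true condition also overrides the `hidden = 0` filter, because `AND` binds tighter than `OR`, so the hidden row is returned along with the public ones.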

    • #29407
      zeroflaw
      Participant

      Lol wow, funny story! I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections. It requires little effort to fix SQL injection bugs.

      Looks like most SQL injection exploits rely on information leakage. Well, SQL injection would still be possible of course, but less obvious. Also, lots of developers aren’t aware of the fact that it possibly leads to server compromise.

      ZF

    • #29408
      Ketchup
      Participant

      Wow that’s a classic.

    • #29409
      unsupported
      Participant

      Oh, this would be worth mentioning, Little Bobby Tables.

      http://xkcd.com/327/

    • #29410
      rattis
      Participant

      I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and not return them to the client.

      I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.

      My experience may be limited, but I’ve found the people doing the db side usually aren’t the guys doing the web side.

      I’ve seen one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.

    • #29411
      zeroflaw
      Participant

      @chrisj wrote:

      I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and not return them to the client.

      I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.

      My experience may be limited, but I’ve found the people doing the db side usually aren’t the guys doing the web side.

      I’ve seen one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.

      That may be, but in my opinion everyone that codes a database application should be aware of how the database works. You don’t have to be a database guru to understand the dangers.

      The database guys should at least set the right permissions, so that the average user can only retrieve data with SELECT statements and such. Preferably using stored procedures.

      Even if you don’t deal with the database, filtering all input is good practice. No one likes the possibility of other attacks, like XSS for example.

    • #29412
      Ketchup
      Participant

      I think that one of the issues is that there are a lot of “old hats” running software development shops. There once was a time when security wasn’t a concern, when only the rich and universities had access to the Internet. That time wasn’t long ago. I think that times are changing, slowly but surely.

    • #29413
      UNIX
      Participant

      Some of my thoughts on this are the same as Ketchup’s. There are still quite a few programmers around from an older generation where security was not what it is now. People nowadays are already taught at the very beginning about possible threats and how to avoid them, securing things, validating inputs etc. Also, not all companies, especially the smaller ones, have the money to keep their employees updated through courses and classes.

    • #29414
      zeroflaw
      Participant

      I didn’t think of it that way. Ketchup and awesec, you two have good points. But I always thought it was kind of important in the IT field to keep learning and stay up to date. But yeah, that costs money and time.

    • #29415
      apollo
      Participant

      Well, part of this is also that when teaching people to program in schools, schools haven’t historically focused on things like input validation etc. Whether it is XSS, SQL Injection, or a number of other attacks, input validation is always secondary to functionality. It’s more important than just preventing SQL Injection and XSS, as those are talked about quite a bit, but poor input validation also leads to poor data integrity. In most cases, there should be two levels of integrity checking, one enforced at the database layer and one enforced through the application layer and allowing for user feedback and correction.

      I wish they taught more of this in school, as I think most people learn this stuff now on the job or the hard way.


Copyright ©2021 Caendra, Inc.
