This topic has 9 replies, 6 voices, and was last updated 10 years, 10 months ago by apollo.
February 26, 2010 at 2:21 pm #4718
unsupported (Participant)
I found a quick write-up on SQL injections, http://threatpost.com/en_us/blogs/anatomy-sql-injection-attack-022510, and the more detailed article, http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx.
Basically, in this write-up, someone found a database throwing raw database errors back to the client. Next, he tested the website for SQL injections by using ‘1=1’, which is a true statement in the SQL world and will not generate any errors. They also found the site was serving a trojan. JOY!
I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.
February 26, 2010 at 3:05 pm #29407
zeroflaw (Participant)
Lol wow, funny story! I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections. It requires little effort to fix SQL injection bugs.
Looks like most SQL injection exploits rely on information leakage. Well, SQL injection would still be possible of course, but less obvious. Also, lots of developers aren’t aware of the fact that it can possibly lead to server compromise.
ZF
February 26, 2010 at 3:27 pm #29408
Ketchup (Participant)
Wow, that’s a classic.
February 26, 2010 at 3:46 pm #29409
unsupported (Participant)
Oh, this would be worth mentioning: Little Bobby Tables.
February 27, 2010 at 5:03 pm #29410
rattis (Participant)
I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.
I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.
My experience may be limited, but I’ve found the people doing the db side usually aren’t the guys doing the web side.
I saw one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.
February 27, 2010 at 5:50 pm #29411
zeroflaw (Participant)
@chrisj wrote:
I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least, trap database errors and do not return them to the client.
I also can’t believe that people still don’t properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.
My experience may be limited, but I’ve found the people doing the db side usually aren’t the guys doing the web side.
I saw one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.
That may be, but in my opinion everyone that codes a database application should be aware of how the database works. You don’t have to be a database guru to understand the dangers.
The database guys should at least set the right permissions, so that the average user can only retrieve data with SELECT statements and such. Preferably using stored procedures.
Even if you don’t deal with the database, filtering all input is good practice. No one likes the possibility of other attacks, like XSS for example.
February 27, 2010 at 10:23 pm #29412
Ketchup (Participant)
I think that one of the issues is that there are a lot of “old hats” running software development shops. There once was a time when security wasn’t a concern, when only the rich and universities had access to the Internet. That time wasn’t long ago. I think that times are changing, slowly but surely.
March 4, 2010 at 2:10 pm #29413
UNIX (Participant)
Some of my thoughts on this are the same as Ketchup’s. There are still quite a few programmers around from an older generation where security was not what it is now. People nowadays are taught from the very beginning about possible threats and how to avoid them: securing things, validating inputs, etc. Also, not all companies, especially the smaller ones, have the money to keep their employees updated through courses and classes.
March 4, 2010 at 2:35 pm #29414
zeroflaw (Participant)
I didn’t think of it that way. Ketchup and awesec, you two have good points. But I always thought it was kind of important in the IT field to keep learning and stay up to date. But yeah, that costs money and time.
March 4, 2010 at 9:24 pm #29415
apollo (Participant)
Well, part of this is also that when teaching people to program in schools, schools haven’t historically focused on things like input validation etc. Whether it is XSS, SQL Injection, or a number of other attacks, input validation is always secondary to functionality. It’s more important than just preventing SQL Injection and XSS, as those are talked about quite a bit, but poor input validation also leads to poor data integrity. In most cases, there should be two levels of integrity checking, one enforced at the database layer and one enforced through the application layer and allowing for user feedback and correction.
I wish they taught more of this in school, as I think most people learn this stuff now on the job or the hard way.
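The two-level integrity checking described in this post, as an added example that is not from the thread: the database layer enforces constraints the application cannot bypass, while the application layer applies the same rules (plus a format check) and returns messages a user can act on. The table, field rules and function names are assumptions made for the demo; it uses in-memory SQLite.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # assumed format rule for the demo


def make_db():
    """Database layer: NOT NULL, UNIQUE and CHECK constraints live in the schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE accounts (
            id       INTEGER PRIMARY KEY,
            username TEXT    NOT NULL UNIQUE CHECK (length(username) BETWEEN 3 AND 32),
            age      INTEGER NOT NULL CHECK (age BETWEEN 0 AND 150)
        )""")
    return conn


def validate(form):
    """Application layer: same limits as the schema, but with user-facing feedback."""
    errors = {}
    if not USERNAME_RE.match(form.get("username", "")):
        errors["username"] = "use 3-32 lowercase letters, digits or underscores"
    try:
        age = int(form.get("age", ""))
    except ValueError:
        errors["age"] = "age must be a whole number"
    else:
        if not 0 <= age <= 150:
            errors["age"] = "age must be between 0 and 150"
    return errors


def create_account(conn, form):
    """Reject bad input early with feedback; still trap anything the database refuses."""
    errors = validate(form)
    if errors:
        return {"ok": False, "errors": errors}
    try:
        conn.execute("INSERT INTO accounts (username, age) VALUES (?, ?)",
                     (form["username"], int(form["age"])))
        conn.commit()
        return {"ok": True, "errors": {}}
    except sqlite3.IntegrityError:
        # e.g. duplicate username: the schema caught it, and no raw error reaches the client.
        return {"ok": False, "errors": {"form": "could not create account"}}


def db_rejects(conn, username, age):
    """Show the database layer holds even when the application check is skipped."""
    try:
        conn.execute("INSERT INTO accounts (username, age) VALUES (?, ?)", (username, age))
        return False
    except sqlite3.IntegrityError:
        return True
```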