
Brief anatomy of a SQL Injection

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Feb 26, 2010 9:21 am

Brief anatomy of a SQL Injection

I found a quick write-up on SQL injections, http://threatpost.com/en_us/blogs/anato ... ack-022510, and the more detailed article, http://www.communities.hp.com/securitys ... -oops.aspx.

Basically, in this write-up, someone found a database throwing raw database errors back to the client. Next, he tested the website for SQL injections by using '1=1', which is a true statement in the SQL world and will not generate any errors. They also found the site was serving a trojan. JOY!

I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least trap database errors and not return them to the client.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Fri Feb 26, 2010 10:05 am

Re: Brief anatomy of a SQL Injection

Lol wow, funny story! I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections. It requires little effort to fix SQL injection bugs.

Looks like most SQL injection exploits rely on information leakage. Well, SQL injection would still be possible of course, but less obvious. Also, lots of developers aren't aware of the fact that it possibly leads to server compromise.

ZF

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Feb 26, 2010 10:27 am

Re: Brief anatomy of a SQL Injection

Wow that's a classic.
~~~~~~~~~~~~~~
Ketchup

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Feb 26, 2010 10:46 am

Re: Brief anatomy of a SQL Injection

Oh, this would be worth mentioning, Little Bobby Tables.

http://xkcd.com/327/
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Feb 27, 2010 12:03 pm

Re: Brief anatomy of a SQL Injection

I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least trap database errors and not return them to the client.


I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.


My experience may be limited, but I've found the people doing the db side usually aren't the guys doing the web side.

I've seen one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.
OSWP, Sec+

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Sat Feb 27, 2010 12:50 pm

Re: Brief anatomy of a SQL Injection

chrisj wrote:
I never understood why anyone would not, at a minimum, sanitize their inputs or require the use of stored procedures for anything coming off the web. At the very least trap database errors and not return them to the client.


I also can't believe that people still don't properly filter user input. Any decent book about web development warns you about the dangers of SQL injections.


My experience may be limited, but I've found the people doing the db side usually aren't the guys doing the web side.

I've seen one where the person was both, but self-taught, and it had to be done quickly, so not very well self-taught. He had the whole user table with passwords in clear text in the application.


That may be, but in my opinion everyone that codes a database application should be aware of how the database works. You don't have to be a database guru to understand the dangers.

The database guys should at least set the right permissions, so that the average user can only retrieve data with SELECT statements and such. Preferably using stored procedures.

Even if you don't deal with the database, filtering all input is good practice. No one likes the possibility of other attacks, like XSS for example.
ZF
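
Added example, not from the post above: the SELECT-only permission idea it describes, shown with Python's sqlite3. SQLite has no accounts or GRANT, so its authorizer hook stands in here for a database login limited to SELECT; the table and function names are assumptions.

```python
import sqlite3

# The only operations the web-facing connection may perform.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

def select_only(action, arg1, arg2, db_name, source):
    # Called by SQLite while it compiles each statement.
    # Reading rows is allowed; INSERT, UPDATE, DELETE, DROP, PRAGMA, ATTACH
    # and everything else is refused before it can run.
    if action in READ_ONLY_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_web_connection():
    # Constructed sample data, loaded before the restriction is applied
    # (the role a deployment or admin account would play).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'hello')")
    conn.commit()
    conn.set_authorizer(select_only)
    return conn

def try_sql(conn, sql):
    # Returns the rows, or a marker string when the database refuses.
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)

if __name__ == "__main__":
    web = open_web_connection()
    for statement in ("SELECT title FROM articles WHERE id = 1",
                      "UPDATE articles SET title = 'x' WHERE id = 1",
                      "DROP TABLE articles"):
        print(statement, "->", try_sql(web, statement))
```

Even if a query on this connection turned out to be injectable, a write or DROP smuggled through it is refused and the data stays intact.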

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Feb 27, 2010 5:23 pm

Re: Brief anatomy of a SQL Injection

I think that one of the issues is that there are a lot of "old hats" running software development shops. There once was a time when security wasn't a concern. When only the rich and Universities had access to the Internet. That time wasn't long ago. I think that times are changing, slowly but surely.
~~~~~~~~~~~~~~
Ketchup

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Mar 04, 2010 9:10 am

Re: Brief anatomy of a SQL Injection

Some of my thoughts on this are the same as Ketchup's. There are still quite a few programmers around from an older generation where security was not what it is now. People nowadays are already taught at the very beginning about possible threats and how to avoid them, securing things, validating inputs, etc. Also, not all companies, especially the smaller ones, have the money to keep their employees updated through courses and classes.

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Thu Mar 04, 2010 9:35 am

Re: Brief anatomy of a SQL Injection

I didn't think of it that way. Ketchup and awesec, you two have good points. But I always thought it was kind of important in the IT field to keep learning and stay up to date. But yeah, that costs money and time.
ZF

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Mar 04, 2010 4:24 pm

Re: Brief anatomy of a SQL Injection

Well, part of this is also that when teaching people to program in schools, schools haven't historically focused on things like input validation, etc. Whether it is XSS, SQL Injection, or a number of other attacks, input validation is always secondary to functionality. It's more important than just preventing SQL Injection and XSS, as those are talked about quite a bit, but poor input validation also leads to poor data integrity. In most cases, there should be two levels of integrity checking, one enforced at the database layer and one enforced through the application layer and allowing for user feedback and correction.

I wish they taught more of this in school, as I think most people learn this stuff now on the job or the hard way.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
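
Added example, not from the post above: the two levels of integrity checking it describes, on a constructed sign-up table in Python's sqlite3. The schema, field rules, function names and messages are assumptions.

```python
import re
import sqlite3

# Database layer: constraints that hold no matter which program writes the row.
SCHEMA = """
CREATE TABLE accounts (
    email TEXT    NOT NULL UNIQUE CHECK (email LIKE '%_@_%'),
    age   INTEGER NOT NULL CHECK (age BETWEEN 13 AND 120)
)"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def validate(form):
    # Application layer: messages the user can read and act on.
    problems = []
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", form.get("email", "")):
        problems.append("email: enter an address like name@example.com")
    age = form.get("age", "")
    if not re.fullmatch(r"[0-9]{1,3}", age) or not 13 <= int(age) <= 120:
        problems.append("age: enter a whole number between 13 and 120")
    return problems

def register(conn, form):
    # The normal path: validate first, then a bound INSERT.
    problems = validate(form)
    if problems:
        return False, problems
    try:
        with conn:
            conn.execute("INSERT INTO accounts (email, age) VALUES (?, ?)",
                         (form["email"], int(form["age"])))
    except sqlite3.IntegrityError:
        # Only the database can see this one, e.g. a duplicate address.
        return False, ["could not save: address already registered or invalid"]
    return True, []

def raw_insert(conn, email, age):
    # A writer that skips validate(), such as a bulk import script.
    try:
        with conn:
            conn.execute("INSERT INTO accounts (email, age) VALUES (?, ?)", (email, age))
        return True
    except sqlite3.IntegrityError:
        return False
```

The application layer gives field-level feedback for correction, while the CHECK and UNIQUE constraints still reject bad rows from any writer that bypasses it.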
