January 3, 2018 at 8:05 am
The bottom line for all of the recommendations is that although you can easily find all of the places where dynamic SQL has been used, it's going to take a human to figure out if the dynamic SQL is susceptible to an injection or other attack because there are a ton of different methods to make a mistake when using dynamic SQL including concatenation and simple "token replacement" of variables and strings from tables and there are many ways of doing either of those. I don't know of anything written that would certainly and correctly identify and report all of the different possibilities.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 3, 2018 at 8:15 am
HappyGeek - Wednesday, January 3, 2018 7:34 AMjuniorDBA13 - Wednesday, January 3, 2018 7:05 AMI understand all of this.My questions was how to identify if you are currently vulnerable to attacks and how to find the queries, stored procedures etc that might be causing the problem
Information_schema.routines view can be queried to give you definitions for procedures and functions but not UDF's. Look this up if you are not sure.
UDFs are not open to SQL injection. Either way, they're all stored in sys.sql_modules.
January 3, 2018 at 8:53 am
juniorDBA13 - Wednesday, January 3, 2018 7:05 AMI understand all of this.My questions was how to identify if you are currently vulnerable to attacks and how to find the queries, stored procedures etc that might be causing the problem
You can monitor your server using Extended Events to capture the queries, both rpc_completed and sql_batch_completed. You can pretty quickly begin to assess if the queries coming in are likely to be problematic (and if it's dynamic T-SQL without parameters, it is problematic, period).
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
January 3, 2018 at 10:49 am
grant@scarydba.com - Wednesday, January 3, 2018 8:53 AMjuniorDBA13 - Wednesday, January 3, 2018 7:05 AMI understand all of this.My questions was how to identify if you are currently vulnerable to attacks and how to find the queries, stored procedures etc that might be causing the problem
You can monitor your server using Extended Events to capture the queries, both rpc_completed and sql_batch_completed. You can pretty quickly begin to assess if the queries coming in are likely to be problematic (and if it's dynamic T-SQL without parameters, it is problematic, period).
How do you distinguish what's dynamic SQL v.s. non-dynamic SQL using Extended Events?
--Jeff Moden
Change is inevitable... Change for the better is not.
January 3, 2018 at 11:21 am
sp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
Or the entire batch with sql_batch_completed and RPC completed. Eitherway, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( one
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 3, 2018 at 11:47 am
GilaMonster - Wednesday, January 3, 2018 11:21 AMsp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
Or the entire batch with sql_batch_completed and RPC completed. Eitherway, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( one
That would work for SQL generated on the SQL server, but isn't going to help with dynamic SQL generated on an application. From experience, I've found applications are far worse for it, it seems that (some) application/web developers don't even consider; and then as a DBA you see the application code and have a melt down. :'(
Unfortunately, I can't really think of a way you could capture dynamically generated SQL from an application. It is, one of the reasons why I prefer only letting an application use SPs; as then it can't even try to use dynamically generated SQL.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
January 3, 2018 at 12:07 pm
Thom A - Wednesday, January 3, 2018 11:47 AMGilaMonster - Wednesday, January 3, 2018 11:21 AMsp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
Or the entire batch with sql_batch_completed and RPC completed. Eitherway, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( oneThat would work for SQL generated on the SQL server, but isn't going to help with dynamic SQL generated on an application. From experience, I've found applications are far worse for it, it seems that (some) application/web developers don't even consider; and then as a DBA you see the application code and have a melt down. :'(
Unfortunately, I can't really think of a way you could capture dynamically generated SQL from an application. It is, one of the reasons why I prefer only letting an application use SPs; as then it can't even try to use dynamically generated SQL.
No. That will likely come through from the app as a sql_batch_completed event (parameterised stuff tends to show up as rpc_completed with a call to sp_executesql, at lease ORMs show up that way), so you should pay attention specifically to that event when it's not from SSMS.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 3, 2018 at 12:26 pm
GilaMonster - Wednesday, January 3, 2018 11:21 AMsp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
Or the entire batch with sql_batch_completed and RPC completed. Eitherway, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( one
Ah... ok. So it uses the same method as doing a code search. Wouldn't it just be easier to review the code so that you don't have to filter through all of the duplication that such a method will generate? Also, that will only capture the code that's currently being used. It may not capture code that's not frequently used.
And, yeah... I agree... no matter what, a secondary filter is absolutely necessary. Hopefully such a filter isn't the same human that wrote the code to begin with.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 3, 2018 at 12:33 pm
All those options are nice, but you still need to check for the front end code. Back when I started coding, we used to concatenate sql strings on the front end and would appear as ad-hoc calls in the database.
I know that there are some tools that help to identify vulnerabilities, but I don't use any of them and can't recommend them.
January 3, 2018 at 1:31 pm
Jeff Moden - Wednesday, January 3, 2018 10:49 AMgrant@scarydba.com - Wednesday, January 3, 2018 8:53 AMjuniorDBA13 - Wednesday, January 3, 2018 7:05 AMI understand all of this.My questions was how to identify if you are currently vulnerable to attacks and how to find the queries, stored procedures etc that might be causing the problem
You can monitor your server using Extended Events to capture the queries, both rpc_completed and sql_batch_completed. You can pretty quickly begin to assess if the queries coming in are likely to be problematic (and if it's dynamic T-SQL without parameters, it is problematic, period).
How do you distinguish what's dynamic SQL v.s. non-dynamic SQL using Extended Events?
What Gail said. Like I said, assess. ExEvents doesn't do it for you, unfortunately.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
January 3, 2018 at 3:12 pm
GilaMonster - Wednesday, January 3, 2018 12:07 PMThom A - Wednesday, January 3, 2018 11:47 AMGilaMonster - Wednesday, January 3, 2018 11:21 AMsp_statement_completed & sql_statement_completed and look for sp_executesql or EXEC with brackets.
Or the entire batch with sql_batch_completed and RPC completed. Eitherway, a second filter is necessary, and probably better to do it after capturing, especially for the EXEC( oneThat would work for SQL generated on the SQL server, but isn't going to help with dynamic SQL generated on an application. From experience, I've found applications are far worse for it, it seems that (some) application/web developers don't even consider; and then as a DBA you see the application code and have a melt down. :'(
Unfortunately, I can't really think of a way you could capture dynamically generated SQL from an application. It is, one of the reasons why I prefer only letting an application use SPs; as then it can't even try to use dynamically generated SQL.
No. That will likely come through from the app as a sql_batch_completed event (parameterised stuff tends to show up as rpc_completed with a call to sp_executesql, at lease ORMs show up that way), so you should pay attention specifically to that event when it's not from SSMS.
Ah... now I'm baggin' what you're rakin'. It's a way to check the front end code from SQL Server.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 11 posts - 16 through 25 (of 25 total)
You must be logged in to reply to this topic. Login to reply