SQL Injection!

  • Chris Hedgate

    One Orange Chip

    Points: 25041

  • David.Poole

    SSC Guru

    Points: 75365

    I think this also illustrates why DBA's need to included in development and why code must be vetted by someone competent to do so.

    If you are going to use the command object then you can go one better and wrap it all up in a DLL.

    In addition to the SQL Injection attack protection you are running compiled code.

    I have seen cases where tweaking IIS caused ASP to start spewing out either hacker friendly error messages or in one case ASP source code complete with connection strings.

  • K. Brian Kelley

    SSC Guru

    Points: 114485

    Don't forget about the Open Web Application Security Project has another great source:

    http://www.owasp.org/

     

    K. Brian Kelley
    @kbriankelley

  • DCPeterson

    SSCoach

    Points: 15150

    Good information, thank you Chris. 

    As a DBA SQL Injection is one of my big concerns.  My biggest problem usually lies in getting our developers to appreciate that it's a real problem that they need to be constantly aware of.

    By limiting (eliminating) all direct grants at the table level and forcing all access through stored procedures, we can go quite a long way to safeguard our data.  As Chris points out, stored procs, by themselves, don't eliminate the threat, but if all access is controlled through them, an attacker will not be able to do, or see, anything in the database that isn't specifically allowed anyway.

    /*****************

    If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek

    *****************/

  • K. Brian Kelley

    SSC Guru

    Points: 114485

    Well... with cross-database ownership chaining, there is still quite a bit of recon an intruder can do. Hence the reason to use Command objects or the equivalent thereof as well as stringent input validation.

     

    K. Brian Kelley
    @kbriankelley

  • DCPeterson

    SSCoach

    Points: 15150

    True enough, but as a rule we don't allow cross-database ownership chaining.  That, combined with locking down master as much as possible helps mitigate that threat.

    I was not implying that forcing the use of sp's eliminates the risk, but as a DBA I'm not willing to just leave it all in the developer's hands either...  The problem should be attacked at both ends.

    /*****************

    If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek

    *****************/

  • Ɖiamond ǤeezeƦ

    SSC Eights!

    Points: 905

    Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.

    We also have a library which all user-input is passed through and casted to the correct data type. All developers are obliged to use this library.

    Keith

  • Ɖiamond ǤeezeƦ

    SSC Eights!

    Points: 905

    Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.

    We also have a library which all user-input is passed through and casted to the correct data type. All developers are obliged to use this library.

    Keith

  • Ɖiamond ǤeezeƦ

    SSC Eights!

    Points: 905

    Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.

    We also have a library which all end-user input is passed through and casted to the correct data type. All developers are obliged to use this library.

    Sorry about the multiple posts - I kept on getting an error message each time I posted saying there was a problem casting from DBNull to a string - didn't realise that the post was succeeding each time.

    Keith

  • K. Brian Kelley

    SSC Guru

    Points: 114485

    If you really lock down master, then true, you've mitigated most of the rest. Most folks don't think to do this, unfortunately.

     

    K. Brian Kelley
    @kbriankelley

  • K. Brian Kelley

    SSC Guru

    Points: 114485

    If you really lock down master, then true, you've mitigated most of the rest. Most folks don't think to do this, unfortunately.

     

    K. Brian Kelley
    @kbriankelley

  • davidsalazar01

    SSCarpal Tunnel

    Points: 4072

    Chris,

    Excellent article!!!  After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques.  We are looking in depth to other exploitations of SQL injections with our app.

    Thanks,

    Dave S.

  • davidsalazar01

    SSCarpal Tunnel

    Points: 4072

    Chris,

    Excellent article!!!  After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques.  We are looking in depth to other exploitations of SQL injections with our app.

    Thanks,

    Dave S.

  • davidsalazar01

    SSCarpal Tunnel

    Points: 4072

    Chris,

    Excellent article!!!  After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques.  We are looking in depth to other exploitations of SQL injections with our app.

    Thanks,

    Dave S.

  • davidsalazar01

    SSCarpal Tunnel

    Points: 4072

    Chris,

    Excellent article!!!  After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques.  We are looking in depth to other exploitations of SQL injections with our app.

    Thanks,

    Dave S.

Viewing 15 posts - 1 through 15 (of 18 total)

You must be logged in to reply to this topic. Login to reply