Friday, August 27, 2004

SQL Injection

SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user. A common example is a Web application that manages products. In one of the Web application's dynamic pages (such as ASP), users are able to enter a product identifier and view the product name and description. The request sent to the database to retrieve the product's name and description is implemented by the following SQL statement.
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = ProductNumber
Typically, Web applications use string queries, where the string contains both the query itself and its parameters. The string is built using server-side script languages such as ASP, JSP and CGI, and is then sent to the database server as a single SQL statement. The following example demonstrates an ASP code that generates a SQL query.
sql_query= "SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber " & Request.QueryString("ProductID")
The call Request.QueryString("ProductID") extracts the value of the Web form variable ProductID so that it can be appended as the SELECT condition.
When a user enters the following URL:
http://www.mydomain.com/products/products.asp?productid=123
The corresponding SQL query is executed:
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber = 123
An attacker may abuse the fact that the ProductID parameter is passed to the database without sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL statements. For example, setting the value "123 OR 1=1" to the ProductID variable results in the following URL:
http://www.mydomain.com/products/products.asp?productid=123 or 1=1
The corresponding SQL Statement is:
SELECT ProductName, Product Description From Products WHERE ProductNumber = 123 OR 1=1
This condition would always be true and all ProductName and ProductDescription pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL:
http://www.mydomain.com/products/products.asp?productid=123;DROP TABLE Products
In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.
An attacker may use SQL injection to retrieve data from other tables as well. This can be done using the SQL UNION SELECT statement. The UNION SELECT statement allows the chaining of two separate SQL SELECT queries that have nothing in common. For example, consider the following SQL query:
SELECT ProductName, ProductDescription FROM Products WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;
The result of this query is a table with two columns, containing the results of the first and second queries, respectively. An attacker may use this type of SQL injection by requesting the following URL:
http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT user-name, password FROM USERS
The security model used by many Web applications assumes that an SQL query is a trusted command. This enables attackers to exploit SQL queries to circumvent access controls, authentication and authorization checks. In some instances, SQL queries may allow access to host operating system level commands. This can be done using stored procedures. Stored procedures are SQL procedures usually bundled with the database server. For example, the extended stored procedure xp_cmdshell executes operating system commands in the context of a Microsoft SQL Server. Using the same example, the attacker can set the value of ProductID to be "123;EXEC master..xp_cmdshell dir--", which returns the list of files in the current directory of the SQL Server process.

Friday, August 13, 2004


Mahavir Jain Posted by Hello

What is Security? how imporatnce in todays world

Security Definition: Security means that the right information (not the wrong information) is available to the right people (not the wrong people) at the right time (not the wrong time)

Security is a mindset : Security must be considered throughout the software development life cycle, and incorporated as the system develops. Current security practices focus on securing networks and patching software, but these approaches are insufficient remedies for a number of reasons:
•85% of CERT security advisories could not have been prevented with cryptography [Schneider, 1998]
•Software patches are produced only after one or more systems have already been exploited
•System administrators sometimes are not aware that patches are available
•Software patches in themselves can introduce errors and/or further vulnerabilities
•Security is something that is proven over time through successful, repeated usage. No system is completely secure, but a system that customers can rely upon to maintain the integrity and privacy of their data





Common Problems and Exposures

•SQL Injections
•Client-side Validation Dependencies
•Buffer Overflows
•Cross Site Scripting (XSS/CSS)
•XML Injection
•Data Security


These are common problems that are seen in applications. The majority of exposures that lead to vulnerabilities are included here. Correct parameter validation and correct SQL coding practices can remove these exposures from your applications.



Buffer overflows occur in unmanaged code such as (C, C++, VB, etc.). When parameters that are used by unmanaged code are not bounds checked, it is possible to overflow the buffer that is used to store the parameter which causes a stack exception. If an attacker places byte code correctly into the buffer when causing a buffer overflow, it is possible to execute any code that the attacker desires.


If the developer asserts the minimum and maximum lengths of fields during development then it is possible to catch many buffer overflows through the quality assurance and testing phase of development.
SQL exceptions can be caused when a field that has a static length described in the database and the application tries to store more than the specified length of data to the database. Though the buffer overflow in this case causes an exception and the data isn’t actually stored in the database, since the size of the parameter was not validated then the exception occurs


Cross site scripting should not be confused with cascading style sheets. The most common acronym for cross site scripting is XSS however some have adopted CSS as easier to understand however this causes confusion often. Cross site scripting has nothing to do with cascading style sheets.
Cross site scripting is the ability for an attacker to enter HTML and/or script tags into a field on a web server which then displays the data to another client of the web server where the scripting code is executed. Anytime that an application allows user input that can be seen/downloaded by another user. That field should be tested for an exposure to an XSS attack.


Best Practices

•Validate all parameters
•Use SQL parameter lists
•Don’t trust client-side validation
•Don’t generate data on the client
•Don’t store sensitive data on the client
•Custom authentication mechanisms should hash the password