Seems like the flaw is in checking if a value is numeric? I recommend
regular expressions and other forms of allow filtering for this kind of
thing, i.e.
^[0-9]+$
as a basic filter that will allow only sequences of digits. For more
protection, I usually like to see them a little more detailed, for
example, you may know that your ID values are always going to be 10
decimal digits or less, so you could try:
^[0-9]{1,10}$
Some people try to perform deny filtering or stripping out of "known
bad" characters. This is bad (that's a technical term) and will often
leave you exposed, though it may raise the bar a bit.
Even if you are using stored procs, command objects, prepared
statements, etc. I still recommend performing input validation because
you need defense in depth. Switching everything over to stored procs,
without input validation, is a single layer of defense. I prefer to see
parameter filtering and stored procs in the app source, permission
changes in the database such that the app user can only access the app
stored procs, permission changes in the OS such that the database user
is not privileged, and if possible network permissions that prevent
outbound "connections" (including stateful UDP) from the database.
Naturally, you should also follow standard lockdown procedures for
webserver, db server, and server OS's. I could go on, point being
"standard dogma" has never been "double up your single-quotes and see if
the first character is numeric (or however they're doing it)". There are
a lot of layers that can be put in place to offer better protection.
In particular, simply switching to stored procs is not a guarantee of
security because it is quite possible for the stored procedure to be
vulnerable to SQL injection. See Chris Anley's "More Advanced SQL
Injection", pages 10-11, for details and an example of SQL injection in one
of the MS-supplied stored procedures in SQL Server. By performing
parameter filtering and restricting the permissions of the user in the
database, you can significantly reduce the risk that such a vulnerable
stored procedure in your application can be exploited.
Phil
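As an added illustration of the allow-list filter and the layered approach described above (example code, not from the original post or the application under test), the flawed "first character is numeric" check is modelled on the description in the thread and the sample table is constructed for the demo:

```python
import re
import sqlite3

# The allow-list from the reply above: 1 to 10 decimal digits, nothing else.
# fullmatch() is used deliberately: with re.match() a trailing "$" still
# matches before a final newline, so "42\n" would slip through.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def is_valid_id(value: str) -> bool:
    """Allow-list validation: whole string must be ASCII digits, length 1-10."""
    return ID_PATTERN.fullmatch(value) is not None


def weak_check(value: str) -> bool:
    """Constructed model of the flawed check: double the single quotes and
    only look at the first character. str.isdigit() also accepts non-ASCII
    digits such as Arabic-Indic numerals, which is one more way it is loose."""
    escaped = value.replace("'", "''")
    return escaped[:1].isdigit()


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def lookup_concat(conn, raw_id: str):
    """The old dogma: escape quotes, then concatenate into the SQL text.
    Returns the row, or 'error' when the database rejects the statement,
    which is what show.asp?id=1,1 produced in the original post."""
    escaped = raw_id.replace("'", "''")
    try:
        return conn.execute("SELECT name FROM items WHERE id = " + escaped).fetchone()
    except sqlite3.Error:
        return "error"


def lookup_layered(conn, raw_id: str):
    """Defence in depth: allow-list first, then a parameterised query.
    Rejected input never reaches the database at all."""
    if not is_valid_id(raw_id):
        return None
    return conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1,1", "\u0664", "42\n"]:  # last two: Arabic-Indic 4, trailing newline
        print(repr(probe), weak_check(probe), is_valid_id(probe),
              lookup_concat(db, probe), lookup_layered(db, probe))
```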
> -----Original Message-----
> From: Securityinfos [mailto:admin_at_securityinfos.com]
> Sent: Tuesday, October 29, 2002 4:32 AM
> To: webappsec_at_securityfocus.com
> Subject: Strange behaviour in sql injection
>
>
> Conducting a pentest on a web application I discovered
> something strange.. the web application correctly replaces
> single quote (') with double quote
> ('')
> correctly checked if the value is numeric
> but inserting in the query url a value with , the
> application shows an error
>
> for example:
>
> http://www.webapplication.com/show.asp?id=1,1
> shows the error
> So, can we deduce that the previous dogmas for securing a web
> application replacing quotes and checking if a value is numeric are not
> enough?
> I'd like to know also what Kevin Spett thinks..
> thanks..
> Antonio Stano
> Securityinfos
> http://www.securityinfos.com
Received on Oct 30 2002