Vulnerability Development mailing list archives
Re: SQL Injection Legalities
From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Thu, 18 Jul 2002 19:27:01 +0100
Hi Glen,

I am currently writing the SANS Step-by-step guide to securing Oracle, which aims to cover all possible settings and actions that can be taken on an Oracle database, application server et al to secure it. I cover use of various settings in the profile that can be set per user / per profile to stop this, cpu_per_session for instance. A large number of Oracle DBAs and security professionals have been reviewing the guide and a number of people are bench testing it now. It should be available soon and I hope useful to anyone securing an Oracle database.

kind regards

Pete Finnigan

--
pete () peterfinnigan demon co uk
pete.finnigan () pentest-limited com
http://www.pentest-limited.com/oracle-security.htm - "Exploiting and protecting Oracle"
http://online.securityfocus.com/infocus/1522 - "A simple Oracle Security Scanner"
http://www.pentest-limited.com/default-user.htm - "Oracle Default User and Password List"
http://www.pentest-limited.com/utl_file.htm - "Extracting Clear Text Passwords from the SGA"

In message <1712C308DB2ED311821F009027468B78B79E9E () primailserver we-inc.com>, Wolf, Glenn <glenn.wolf () we-inc com> writes:
This was being discussed as a legal issue in pen-test, but I was curious if anyone else has thought of using SQL Injection to cause a DoS. The search box could be used to extend the SQL query to include something like this:

SELECT product_id, product_name FROM product WHERE product_name like '%bicycle%''' OR product_name in (SELECT product_name FROM product AS p1, product AS p2, product AS p3, product AS p4) OR product_name = ''

where everything after the first OR is the SQL Injection. The second OR is only to maintain a valid SQL statement (assuming the final character in the query will be a single quote). The DoS is in the inner query, and caused by the cartesian product (joining all tables in every possible combination) generated by the query. If the PRODUCT table only has 1,000 rows, the inner query will generate 1,000 x 1,000 x 1,000 x 1,000 rows, or 1 trillion rows. A larger product table or more aliased references to it would generate an even larger result set. This will most likely cause the database to a) use up all available CPU resources, b) use disk resources in temp space and swapping.

In a web environment, even with many front-end load-balancing web servers, there is typically only one database. DoS-ing the database effectively DoS's all web users utilizing any kind of database function (search, ordering, etc.). As an Oracle DBA, I've seen this scenario caused by developers accidentally forgetting a join, and I've also seen LARGE production websites go down simply because there is too much load on the back-end database.

As far as mitigation goes, there are parameters that can be set at a user- or profile-level to lower the execution priority of certain queries, or to limit query run-time, but in most cases, these are not set.
Glenn

-----Original Message-----
From: Quickfinger [mailto:junk () quickfinger com]
Sent: Wednesday, July 17, 2002 4:12 PM
To: Deus, Attonbitus
Cc: Pen-Test
Subject: Re: SQL Injection Legalities

I am not a lawyer, but I do remember reading an article that used a very similar example. I believe this is illegal in California and I would not be surprised to hear that it's illegal in Oregon. Most likely this depends on the state, probably the state in which the server resides. I too am interested in hearing from a lawyer if there is one on this list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a web input box. You know, the standard search/submit deal. You type in "bicycle" and it gives you everything that starts with "bicycle." Simple enough.

As we all know, web app susceptibility to SQL injects runs amok; let's say in this case that instead of typing "bicycle," I type "bicycle' or 1=1--" and get all the products.

Have I broken the law? More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see, and all I am doing is typing in what I want... Though the developer may not have intended for me to pull up the data like that, does my doing so constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has some distinct legal experience who knows.

Thanks.

AD
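Glenn's message names user- or profile-level resource limits as the mitigation that is usually left unset, and Pete's reply points at cpu_per_session in particular. As an added example, not code from the thread or from Pete's guide, this is what such an Oracle profile looks like in SQL; the profile name WEBAPP_PROFILE, the user WEBAPP and the specific limit values are assumptions chosen for illustration and would be tuned per site.

```sql
-- Added example (not from the thread): an Oracle profile that caps how much
-- CPU and I/O any single call or session may consume, so a runaway Cartesian
-- product is aborted by the server instead of starving every other session.
-- WEBAPP_PROFILE, the WEBAPP user and the numeric limits are assumptions.

-- Kernel resource limits in a profile are only enforced when the instance
-- parameter RESOURCE_LIMIT is TRUE (it is FALSE by default); it is dynamic,
-- so no restart is needed.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE webapp_profile LIMIT
  CPU_PER_CALL              3000       -- hundredths of a second: 30 s of CPU per SQL call
  CPU_PER_SESSION           60000      -- hundredths of a second, cumulative per session
  LOGICAL_READS_PER_CALL    100000     -- database blocks read by one call
  LOGICAL_READS_PER_SESSION 1000000    -- database blocks read by one session
  SESSIONS_PER_USER         50         -- concurrent sessions for this account
  CONNECT_TIME              UNLIMITED  -- minutes; leave pooled connections alone
  IDLE_TIME                 30;        -- minutes before an idle session is killed

-- Attach the profile to the account the web tier connects as.
ALTER USER webapp PROFILE webapp_profile;

-- Verify what is actually in effect for that profile.
SELECT profile, resource_name, "LIMIT"
  FROM dba_profiles
 WHERE profile = 'WEBAPP_PROFILE'
   AND resource_type = 'KERNEL'
 ORDER BY resource_name;
```

With the profile in place, a call that exceeds CPU_PER_CALL or LOGICAL_READS_PER_CALL is aborted and rolled back with an ORA- error returned to the application, so the four-way self-join in Glenn's example costs at most the per-call budget rather than the whole server. The per-call limits are the ones that matter for this scenario; the per-session limits mostly protect against many moderately expensive statements from one connection. Note that this bounds the damage of an injected query but does not stop the injection itself; that still requires the application to bind the search term as a parameter rather than splicing it into the SQL text.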
Current thread:
- RE: SQL Injection Legalities Wolf, Glenn (Jul 18)
- Re: SQL Injection Legalities Pete Finnigan (Jul 18)