Re: SQL Injection Legalities

[Pete Finnigan <pete () peterfinnigan demon co uk>]

Hi Glen

I am currently writing the SANS Step-by-step guide to securing Oracle
which aims to all possible settings and actions that can be taken on on
Oracle database, application server et al to secure it. 

I cover use of various settings in the profile that can be set per user/
per profile to stop this, cpu_per_session for instance.

A large number of Oracle DBA's and security professionals have been
reviewing the guide and a number of people are bench testing it now. It
should be available soon and I hope useful to anyone securing an Oracle
database.

kind regards

Pete Finnigan

-- 
pete () peterfinnigan demon co uk
pete.finnigan () pentest-limited com

http://www.pentest-limited.com/oracle-security.htm - "Exploiting and
protecting Oracle"

http://online.securityfocus.com/infocus/1522 - "A simple Oracle Security
Scanner"

http://www.pentest-limited.com/default-user.htm - "Oracle Default User
and Password List"

http://www.pentest-limited.com/utl_file.htm - "Extracting Clear Text
Passwords from the SGA"


In message <1712C308DB2ED311821F009027468B78B79E9E () primailserver we-
inc.com>, Wolf, Glenn <glenn.wolf () we-inc com> writes
> This was being discussed as a legal issue in pen-test, but I was curious if
> anyone else has thought of using SQL Injection to cause a DoS.
>
> The search box could be used to extend the SQL query to include something
> like this:
>
> SELECT product_id, product_name
> FROM   product
> WHERE  product_name like '%bicycle%'''
> OR      product_name in (SELECT product_name
>                        FROM   product AS p1,
>                               product AS p2,
>                               product AS p3,
>                               product AS p4)
> OR     product_name = ''
>
> where everything after the first OR is the SQL Injection.  The second OR is
> only to maintain a valid SQL statement (assuming the final character in the
> query will be a single quote).
>
> The DoS is in the inner query, and caused by the cartesian product (joining
> all tables in every possible combination) generated by the query.  If the
> PRODUCT table only has 1,000 rows, the inner query will generate
> 1,000x1,000x1,000x1,000 rows, or 1 trillion rows.  A larger product table or
> more aliased references to it would generate an even larger result set.
>
> This will most likely cause the database to a) Use up all available CPU
> resources, b) Use disk resources in temp space and swapping.
>
> In a web environment, even with many front-end load-balancing web servers,
> there is typically only one database.  DoS-ing the database effectively
> DoS's all web users utilizing any kind of database function (search,
> ordering, etc.).
>
> As an Oracle DBA, I've seen this scenario caused by developers accidentally
> forgetting a join, and I've also seen LARGE production websites go down
> simply because there is too much load on the back-end database.
>
> As far as mitigation goes, there are parameters that can be set at a user-
> or profile-level to lower the execution priority of certain queries, or to
> limit query run-time, but in most cases, these are not set.
>
> Glenn
>
>
> -----Original Message-----
> From: Quickfinger [mailto:junk () quickfinger com]
> Sent: Wednesday, July 17, 2002 4:12 PM
> To: Deus, Attonbitus
> Cc: Pen-Test
> Subject: Re: SQL Injection Legalities
>
>
> I am not a lawyer, but I do remember reading an article that used a
> very similar example.  I believe this is illegal in California and I
> would not be surprised to hear that it's illegal in Oregon.  Most
> likely this depends on the state, probably the state in which the
> server resides.
>
> I too am interested in hearing from a lawyer if there is on one this
> list.
>
> D. Joe Royer II, CCNA, CISSP
>
> On Wed, 17 Jul 2002, Deus, Attonbitus wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > I hesitate asking the group about law, but here goes:
> >
> > Lets say a site gives you the capability to search their product-base via
> a
> > web input box.  You know, the standard search/submit deal.
> >
> > You type in "bicycle" and it gives you everything that starts with
> > "bicycle."  Simple enough.  As we all know, web app susceptibility to SQL
> > injects runs amok; lets say in this case that instead of typing "bicycle,"
> > I type "bicycle' or 1=1--" and get all the products.  Have I broken the
> > law?  More specifically, have I broken the law in the US?
> >
> > One could argue that the site is allowing me to specify what I want to
> see,
> > and all I am doing is typing in what I want...  Though the developer may
> > not have intended for me to pull up the data like that, does my doing so
> > constitute a crime?
> >
> > I'm not looking for ethical or moral debate here, I am hoping someone has
> > some distinct legal experience who knows.  Thanks.
> >
> > AD