Penetration Testing mailing list archives
Re: Row-0 mitigation of SQL injection
From: Sony C <raagamuffin () yahoo com>
Date: Thu, 7 Jun 2007 05:02:18 -0700 (PDT)
Hello,

It is probably not a very good idea to build in security through dummy rows. There may also be implications in the app development process, as some coding around this dummy row may be required.

A simple SQL statement that will return rows other than the 'top' one:

    select * from table1 order by <column number>

where <column number> is the number of a column in the list of columns that was returned. Of course there are many other queries that may be employed to retrieve different rows, some of which are DB specific.

Regards,
Sony C.

--- Jim Halfpenny <jimsmailinglists () gmail com> wrote:
> Hi,
>
> One thing I've noticed about SQL injection is that quite often the injected code returns a data set and the vulnerable application plucks the first row from the set. Consider a simple example where a login form is vulnerable and the following code is generated:
>
>     select * from users where login = '' or 'a' = 'a';
>
> Instead of returning one row as expected, the whole table is returned and the application more often than not reads the first row. This hack is especially bad if the first user in the table has admin rights, which is often the case.
>
> One way of potentially hobbling simple SQL injection would be to insert a sentinel record at the beginning of the table (hence the row-0 concept). If this row is ever returned, the application can be made aware something bad has happened.
>
> Does this sound like a good idea, or does it encourage poor coding by having a safety net? All comments welcome.
>
> Jim
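The exchange above can be reproduced end to end with an in-memory SQLite database. The script below is an added example written for this archive page, not code from either poster: it builds a constructed `users` table whose row 0 is a sentinel record (the column names, the sentinel login value and the sample users are all assumptions), runs the string-concatenating login that Jim describes and shows that the sentinel does catch the plain `' or 'a' = 'a'` case, then shows Sony's point that an `order by <column number>` appended to the same input puts a different row first and slips past the sentinel. The hardened variant uses a bound parameter, so the input is only ever compared as a value, and refuses to silently take "the first row" when the result set does not contain exactly one row.

```python
import sqlite3

# Constructed sentinel login value (assumption): any value that no real user can register.
SENTINEL_LOGIN = "__row0_sentinel__"


def build_db():
    """Constructed sample data: row 0 is the sentinel, row 1 an admin, row 2 an ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (id, login, password, is_admin) VALUES (?, ?, ?, ?)",
        [
            (0, SENTINEL_LOGIN, "", 0),   # the row-0 sentinel from Jim's proposal
            (1, "admin", "s3cret", 1),    # first real user happens to be an admin
            (2, "alice", "hunter2", 0),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login):
    """The pattern Jim describes: concatenate the input into SQL, then take the first row.

    Returns the login name of the row the application would act on, "sentinel-hit" if the
    sentinel check fires, or None if no row came back.
    """
    sql = "SELECT id, login, is_admin FROM users WHERE login = '" + login + "'"
    row = conn.execute(sql).fetchone()       # the "pluck the first row" step
    if row is None:
        return None
    if row[1] == SENTINEL_LOGIN:
        return "sentinel-hit"                # the row-0 mitigation noticed something
    return row[1]


def login_hardened(conn, login):
    """Bound parameter (input is a value, never SQL) plus an exact-row-count check.

    Returns the matched login name, or None if the lookup did not produce exactly one row.
    """
    rows = conn.execute(
        "SELECT id, login, is_admin FROM users WHERE login = ?", (login,)
    ).fetchall()
    if len(rows) != 1:
        # zero rows: unknown user; more than one: data problem -- never pick "the first" one
        return None
    return rows[0][1]


if __name__ == "__main__":
    db = build_db()
    # Jim's case: the whole table comes back and row 0 is the sentinel, so the check fires.
    print(login_vulnerable(db, "' OR 'a' = 'a"))
    # Sony's case: sorting by the third selected column (is_admin) moves the admin to the top.
    print(login_vulnerable(db, "' OR 'a' = 'a' ORDER BY 3 DESC --"))
    # Bound parameters: the same strings are just login names that do not exist.
    print(login_hardened(db, "' OR 'a' = 'a' ORDER BY 3 DESC --"))
    print(login_hardened(db, "alice"))
```

The sentinel only helps while the injected query happens to return rows in table order; as soon as the attacker controls the ordering (or the DB chooses a different scan order), the "first row" is whatever they want it to be. Binding the parameter removes the problem at its root, and the exact-count check is cheap insurance against any code path that still reads a single row out of a multi-row result.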