Secure Coding mailing list archives
Lateral SQL injection paper
From: ken at krvw.com (Kenneth Van Wyk)
Date: Mon, 28 Apr 2008 15:13:27 -0400
Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as "lateral SQL injection" attacks. It's very different than conventional SQL injection attacks, as well as quite a bit more limited. In the paper, he writes: "Now, whether this becomes "exploitable" in the "normal" sense, I doubt it... but in very specific and limited scenarios there may be scope for abuse, for example in cursor snarfing attacks - http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf . In conclusion, even those functions and procedures that don?t take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and don?t let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are. " It's definitely an interesting read, and anyone doing SQL coding should take a close look, IMHO. It's particularly interesting to see how he alters the DATE and NUMBER data types so that they can hold SQL injection data. Yet another demonstration of the importance of doing good input validation -- preferably positive validation. As long as you're doing input validation, I'd think there's probably no need to back through your code and audit it for lateral SQL injection vectors. Anyone else have a take on this new attack method? (Note that I don't normally encourage discussions of specific product vulnerabilities here, but most certainly new categories of attacks--and their impacts on secure coding practices--are quite welcome.) Cheers, Ken ----- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3240 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20080428/6e98d087/attachment.bin
Current thread:
- Lateral SQL injection paper Kenneth Van Wyk (Apr 28)
- Lateral SQL injection paper Jim Manico (Apr 28)
- Lateral SQL injection paper Joe Teff (Apr 29)
- Lateral SQL injection paper Steven M. Christey (Apr 29)
- Lateral SQL injection paper Arian J. Evans (Apr 29)
- Lateral SQL injection paper Mary and Glenn Everhart (Apr 29)
- Lateral SQL injection paper Joe Teff (Apr 29)
- Lateral SQL injection paper Jim Manico (Apr 28)