WebApp Sec mailing list archives
RE: Strange behaviour in sql injection
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Wed, 30 Oct 2002 06:23:50 -0500
Seems like the flaw is in checking if a value is numeric? I recommend regular expressions and other forms of allow filtering for this kind of thing, i.e. ^[0-9]+$ as a basic filter that will allow only sequences of digits. For more protection, I usually like to see them a little more detailed; for example, you may know that your ID values are always going to be 10 decimal digits or less, so you could try: ^[0-9]{1,10}$

Some people try to perform deny filtering or stripping out of "known bad" characters. This is bad (that's a technical term) and will often leave you exposed, though it may raise the bar a bit.

Even if you are using stored procs, command objects, prepared statements, etc., I still recommend performing input validation because you need defense in depth. Switching everything over to stored procs, without input validation, is a single layer of defense. I prefer to see parameter filtering and stored procs in the app source, permission changes in the database such that the app user can only access the app stored procs, permission changes in the OS such that the database user is not privileged, and if possible network permissions that prevent outbound "connections" (including stateful UDP) from the database. Naturally, you should also follow standard lockdown procedures for webserver, db server, and server OS's.

I could go on; the point being, "standard dogma" has never been "double up your single-quotes and see if the first character is numeric (or however they're doing it)". There are a lot of layers that can be put in place to offer better protection. In particular, simply switching to stored procs is not a guarantee of security because it is quite possible for the stored procedure to be vulnerable to SQL injection. See Chris Anley's "More Advanced SQL Injection" pages 10-11 for details and an example of SQL injection in one of the MS-supplied stored procedures in SQL Server.

By performing parameter filtering and restricting the permissions of the user in the database, you can significantly reduce the risk that such a vulnerable stored procedure in your application can be exploited.

Phil
-----Original Message-----
From: Securityinfos [mailto:admin () securityinfos com]
Sent: Tuesday, October 29, 2002 4:32 AM
To: webappsec () securityfocus com
Subject: Strange behaviour in sql injection

Conducting a pentest on a web application I discovered something strange. The web application correctly replaces single quote (') with double quote ('') and correctly checks if the value is numeric, but inserting in the query URL a value with a comma (,) the application shows an error. For example:

http://www.webapplication.com/show.asp?id=1,1 shows the error.

So, can we deduce that the previous dogmas for securing a web application, replacing quotes and checking if a value is numeric, are not enough? I'd like to know also what Kevin Spett thinks. Thanks.

Antonio Stano
Securityinfos
http://www.securityinfos.com
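As an added example, not code from the thread or from either poster: the "double up the quotes and see if the first character is numeric" pattern the original post describes, beside the anchored allow-list regex and parameterised query that Phil recommends as layered controls. SQLite stands in for the ASP application's database (an assumption), and the table contents and sample inputs are constructed.

```python
import re
import sqlite3
from typing import Optional

# Allow-list from Phil's message: 1 to 10 decimal digits. Used with fullmatch,
# this is the same as ^[0-9]{1,10}$ and also rejects a trailing newline.
ID_PATTERN = re.compile(r"[0-9]{1,10}")

def weak_check(value: str) -> Optional[str]:
    """Double up single quotes, then see if the first character is numeric.
    Returns the text that would be concatenated into the SQL, or None."""
    escaped = value.replace("'", "''")
    return escaped if escaped[:1].isdigit() else None

def allowlist_check(value: str) -> Optional[int]:
    """Accept the value only if the whole string is 1 to 10 digits."""
    return int(value) if ID_PATTERN.fullmatch(value) else None

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn

def lookup_weak(conn: sqlite3.Connection, raw: str):
    """Old pattern: weak check, then string concatenation. Whatever the check
    lets through reaches the SQL parser, which is what id=1,1 revealed."""
    v = weak_check(raw)
    if v is None:
        return "rejected"
    try:
        return conn.execute(f"SELECT name FROM items WHERE id = {v}").fetchall()
    except sqlite3.Error as e:
        return f"sql error: {e}"

def lookup_hardened(conn: sqlite3.Connection, raw: str):
    """Layered: allow-list filter first, then a parameterised query, so the
    value is never part of the SQL text even if the filter is later loosened."""
    v = allowlist_check(raw)
    if v is None:
        return "rejected"
    return conn.execute("SELECT name FROM items WHERE id = ?", (v,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for sample in ["1", "1,1", "12345678901"]:  # constructed inputs
        print(repr(sample), lookup_weak(db, sample), lookup_hardened(db, sample))
```

Running it shows "1,1" passing the weak check and producing a SQL syntax error, while the allow-list rejects it (and the over-long id) before any query is built.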