WebApp Sec mailing list archives

RE: Strange behaviour in sql injection


From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Wed, 30 Oct 2002 06:23:50 -0500

Seems like the flaw is in checking if a value is numeric?  I recommend
regular expressions  and other forms of allow filtering for this kind of
thing, i.e.
^[0-9]+$
as a basic filter that will allow only sequences of digits.  For more
protection, I usually like to see them a little more detailed, for
example, you may know that your ID values are always going to be 10
decimal digits or less, so you could try:
^[0-9]{1,10}$

Some people try to perform deny filtering or stripping out of "known
bad" characters.  This is bad (that's a technical term) and will often
leave you exposed, though it may raise the bar a bit.

Even if you are using stored procs, command objects, prepared
statements, etc. I still recommend performing input validation because
you need defense in depth.  Switching everything over to stored procs,
without input validation, is a single layer of defense.  I prefer to see
parameter filtering and stored procs in the app source, permission
changes in the database such that the app user can only access the app
stored procs, permission changes in the OS such that the database user
is not privileged, and if possible network permissions that prevent
outbound "connections" (including stateful UDP) from the database.
Naturally, you should also follow standard lockdown procedures for
webserver, db server, and server OS's.  I could go on, point being
"standard dogma" has never been "double up your single-quotes and see if
the first character is numeric (or however they're doing it)".  There are
a lot of layers that can be put in place to offer better protection.

In particular, simply switching to stored procs is not a guarantee of
security because it is quite possible for the stored procedure to be
vulnerable to SQL injection.  See Chris Anley's "More Advanced SQL
Injection" page 10-11 for details and an example of SQL injection in one
of the MS-supplied stored procedures in SQL Server.  By performing
parameter filtering and restricting the permissions of the user in the
database, you can significantly reduce the risk that such a vulnerable
stored procedure in your application can be exploited.

Phil



-----Original Message-----
From: Securityinfos [mailto:admin () securityinfos com] 
Sent: Tuesday, October 29, 2002 4:32 AM
To: webappsec () securityfocus com
Subject: Strange behaviour in sql injection


 Conducting a pentest on a web application I discovered 
something strange..  the web application correctly replaces 
single quote (') with double quote
 ('')
 and correctly checks if the value is numeric,
 but inserting in the query url a value with a comma (,) the 
application shows an error
 
 for example:
 
 http://www.webapplication.com/show.asp?id=1,1
 
 shows the error
 
 So, can we deduce that the previous dogmas for securing a web
application (replacing quotes and checking if a value is numeric) are not
enough?
 
 I'd like to know also what Kevin Spett thinks..
 
 thanks..
 
 Antonio Stano
 Securityinfos
 http://www.securityinfos.com
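As an added illustration of the two points in the reply above (this is example code written for this archive page, not code from either poster or from the audited application): the "double the quotes and check the first character is numeric" scheme is reconstructed here as an assumption about what the original poster's app does, and it is placed beside the allow-list pattern `^[0-9]{1,10}$` from the reply plus a parameterised query. The in-memory SQLite table and the inputs (`2`, `1,1`, `1 OR 1=1`, an 11-digit id) are constructed for the example. Running it shows why `id=1,1` produced an error under the naive scheme, and that the allow-list rejects it before any SQL is built.

```python
import re
import sqlite3

# Allow-list patterns quoted in the reply above.
DIGITS_ONLY = re.compile(r"^[0-9]+$")      # any run of digits
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")  # at most 10 decimal digits


def naive_sanitise(value: str) -> str:
    """Assumed reconstruction of the scheme the original poster describes:
    double every single quote, then require the first character to be a
    digit. Returns the string that the app would splice into its SQL."""
    doubled = value.replace("'", "''")
    if not doubled[:1].isdigit():
        raise ValueError("first character is not a digit")
    return doubled


def allow_list_id(value: str, pattern: re.Pattern = ID_PATTERN) -> int:
    """Allow-list validation: reject anything the pattern does not match in
    full, then convert, so only an integer can reach the database layer."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected by allow-list: {value!r}")
    return int(value)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def _run(conn: sqlite3.Connection, sql: str, params=()) -> dict:
    """Execute and report outcome as data so the two schemes can be compared."""
    try:
        rows = conn.execute(sql, params).fetchall()
        return {"ok": True, "rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"ok": False, "rows": [], "error": f"{type(exc).__name__}: {exc}"}


def lookup_naive(conn: sqlite3.Connection, raw: str) -> dict:
    """String-built query guarded only by the naive quote/first-digit check."""
    try:
        sql = "SELECT name FROM items WHERE id=" + naive_sanitise(raw)
    except ValueError as exc:
        return {"ok": False, "rows": [], "error": f"ValueError: {exc}"}
    return _run(conn, sql)


def lookup_safe(conn: sqlite3.Connection, raw: str) -> dict:
    """Allow-list validation plus a parameterised query: two independent
    layers, in the defense-in-depth spirit of the reply."""
    try:
        item_id = allow_list_id(raw)
    except ValueError as exc:
        return {"ok": False, "rows": [], "error": f"ValueError: {exc}"}
    return _run(conn, "SELECT name FROM items WHERE id=?", (item_id,))


if __name__ == "__main__":
    db = build_db()
    for raw in ["2", "1,1", "1 OR 1=1", "12345678901"]:
        print(f"{raw!r:16} naive={lookup_naive(db, raw)}")
        print(f"{'':16} safe ={lookup_safe(db, raw)}")
```

The naive path lets `1,1` through (first character is a digit, no quotes to double) and the database then reports a syntax error, which is exactly the symptom in the original post; `1 OR 1=1` passes the same check and changes the query's meaning. The allow-list path fails closed on both, and on the over-long id, before any SQL exists, and the parameter binding stays as a second layer for whatever the validation misses.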
 
 

