WebApp Sec mailing list archives

RE: aspx applications SQL Injection


From: "Anil John" <Editor () SecureCoder com>
Date: Tue, 12 Oct 2004 21:38:11 -0400

Ahmed,

Your instincts would be absolutely correct... Converting to .NET or any
other platform does not mitigate SQL Injection attacks by default.

SQL Injection attacks occur when:
1) The application (ASP.NET, Classic ASP, JSP, PHP....) uses input to
construct dynamic SQL statements to access the DB
2) The code uses stored procs that are passed strings which contain
unfiltered user input.

This issue becomes exponentially worse if the account that is used to
connect to the DB is an over privileged account.

The basic countermeasures to SQL Injection attacks in .NET (or in any other
platform/language) are
1) Constrain the input
2) Use type safe SQL Parameters.

(1) follows the basic premise of "All input is evil until validated to be
otherwise" and (2) is based on using the Parameters collection in SQL which
provides type checking and length validation. Basically if you use the
Parameters collection, input is treated as a literal value and not as
executable code. You will also want to call stored procedures with the
Parameters collection.

In short, .NET does provide ways to code against SQL injection BUT you
actually have to make a conscious decision to do so. If they are still
building dynamic SQL and passing it to the ADO.NET providers in .NET, they
are not safe in any way, shape or form.

You may want to take a look at the free Hacme Bank example that Foundstone
put out recently. It is an insecure application built using the .NET
platform which can be used to demo a SQL Injection attack among others.
http://cyberforge.com/weblog/aniltj/archive/2004/09/09/648.aspx

Regards,

- Anil
--------------------------------------------------------------
-- http://SecureCoder.com
-- Architecture & Security in an Imperfect World 
-------------------------------------------------------------- 
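The two countermeasures above, side by side with the dynamic-SQL "before", as an added C#/ADO.NET example that is not code from the original post or from Foundstone's Hacme Bank. The table "Users", its columns, and the stored procedure "usp_GetUserByName" are assumed names for illustration.

```csharp
// Added example, not from the original post. Assumes a SQL Server table
// Users(UserName nvarchar(50), Email nvarchar(200)) and a stored procedure
// usp_GetUserByName(@UserName nvarchar(50)); both names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class UserLookup
{
    // VULNERABLE: porting this line from Classic ASP to ADO.NET changes nothing.
    // Input such as  x' OR 1=1 --  becomes part of the statement text.
    public static string BuildDynamicSql(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Countermeasure 1: constrain the input (allowed characters, length).
    // Reject anything that does not match rather than trying to "clean" it.
    private static readonly Regex UserNameRule = new Regex(@"^[A-Za-z0-9_.-]{1,50}$");

    public static bool IsValidUserName(string userName)
    {
        return userName != null && UserNameRule.IsMatch(userName);
    }

    // Countermeasure 2: type-safe SQL parameters. The Parameters collection
    // ships the value to the server separately from the statement; the provider
    // never concatenates it into the SQL text, so it is a literal, not code.
    public static string GetEmail(SqlConnection conn, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("user name fails input constraints");

        using (SqlCommand cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = @UserName", conn))
        {
            // Explicit type and length: an oversized payload is rejected by the parameter.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // Stored procedures are only safe if called the same way. Setting CommandText to
    // "EXEC usp_GetUserByName '" + userName + "'" would still be dynamic SQL.
    public static string GetEmailViaStoredProc(SqlConnection conn, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("user name fails input constraints");

        using (SqlCommand cmd = new SqlCommand("usp_GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    public static void Main()
    {
        // Shows the difference without a database: the same constructed payload is
        // spliced into the statement by BuildDynamicSql and rejected by IsValidUserName.
        string payload = "x' OR 1=1 --";
        Console.WriteLine(BuildDynamicSql(payload));
        Console.WriteLine(IsValidUserName(payload));
        Console.WriteLine(IsValidUserName("anil.john"));
    }
}
```

The same pattern carries over to the Oracle side of their platform (OracleCommand/OracleParameter, with :UserName style placeholders instead of @UserName). Pair it with the over-privileged-account point above: the login used by the web application should hold only EXECUTE on the procedures it needs, so that even an injection that slips through cannot read the data dictionary or other tables.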


-----Original Message-----
From: Mohamed Ali [mailto:rxmohamed () hotmail com] 
Sent: Tuesday, October 12, 2004 4:23 AM
To: webappsec () securityfocus com
Subject: aspx applications SQL Injection

Hi all,

I did a full pen-test on my client's web application and I can get almost
all the data and data dictionary information I need through exploiting SQL
injection vulnerabilities they have in many dynamic pages.

The question is, when I discussed these issues with IT people they recommended
not solving any of them but just converting to .Net technology. I'm not
familiar with .Net tech, but this recommendation sounds weird to me. IS THERE
ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO PREVENT
UNAUTHORIZED ACCESS THROUGH SQL INJECTION? (their platform: IIS, SQL Server
and Oracle)


Any suggestions would be appreciated.

Thanks



Ahmed Rashad
IT Audit Manager
Experts.ae
