WebApp Sec mailing list archives
RE: ISA Server and SQL Injection
From: "Marty Block" <marty () kesem net>
Date: Fri, 18 Feb 2005 09:55:55 -0500
Hey there,

When you analyze the I/O of even a heinously complex system, you can identify the data entry points fairly easily and completely. Since you need only protect input data (assuming no other security issues like directories set to all-public access, etc.), it turns out to be a trivial task to scrub the input statement for things like "%20cmd.exe%20..." as well as 'select' or 'drop' or 'sp_' in either hex or regular char format. We've built some pretty robust input checking for Cold Fusion code that seems to work, and by using the same code over and over, we seem to build reliable data entry modules.

Now that I've said this, the data gods will strike me with lightning, but even in big shops (I've done a couple of 200+-developer jobs in 25 years) it's standardization of specific items like this that tends to allow you to focus on the task, and not have to be the security expert every time. This is not a soapbox for re-usable code per se, nor to squash creativity, but it is more reliable to develop 12 or 15 input routines that scrub input and re-use them than it is to reinvent the wheel every day.

Security appliances are good but imperfect. They have a place, for sure. If your e-commerce form is generating data input by plunking down variables that are supposedly generated by your own database of items, it is foolproof to compare the input stream with what's expected, and to puke out the unexpected. You have the ability to compare what 'should be' with 'what is'; you know what you expect. You also know what you'd NEVER allow. That kind of logic, once written, is easy to standardize, and is much better than a high-horsepower device that looks for stuff that's not related to your application and costs a ton of cash to buy and update. I'd rather put more $$ into bandwidth and servers than appliances.
My .02
Marty Block
Kesem.net

-----Original Message-----
From: Matthieu Estrade [mailto:mestrade () apache org]
Sent: Thursday, February 17, 2005 4:57 PM
To: webappsec () securityfocus com
Subject: Re: ISA Server and SQL Injection

Bogdan Tomchuk wrote:
> Protection against this kind of injection is just another way of patching the code, so it is useless, because it assumes knowing the difference between "good" and "bad" URLs; so for OWA, for example, you define a list of templates for all known "good" URLs and anything else will be considered an SQL injection. I do not understand why to spend money on expensive firewall stuff if you can patch or upgrade software.
Sure, if the patch is available. (A web app firewall is protection against a way to exploit a web app vulnerability, not against some identified vulnerable application only.) So patching is not the only solution. If it were, explain to me why so many systems are vulnerable to worms that exploit old vulns, and today some worms are still doing so much damage. Now tell me how you protect a web app developed by an internal team, a custom web app. Which patch are you waiting for, and from whom??? I am not sure each company does automatic and permanent web vulnerability assessment.
> Keeping your software current is always better than the "imaginable" security given by a software-level firewall, especially against SQL injection.
In a perfect world, maybe... You should say this to big companies with security teams; they are all dumb and do not understand security. They should not use firewalls but only the Windows Update program or apt-get dist-upgrade ;) Do you know the life of a vulnerability? Many times the vuln stays private, then public, and then the vendor does a patch. How long between the private and the patch?? Sometimes a few days, sometimes years... So you stay vuln during all this time because you are "up to date!!!" Many big companies separate the team doing security, the one doing web dev, the one maintaining the network, etc... All these teams are not synchronized on what happens in each other. When the security team is not in contact with the app guys and they are in charge of security, what are they doing? They install some web app firewall to prevent attacks.
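The two checks Marty describes above, written out as a reusable validation module. This is an added example, not code from the original post or from Kesem.net's Cold Fusion routines: the keyword scrub decodes hex (%XX) spellings, including doubly encoded ones, before looking for 'select', 'drop', 'sp_' or 'cmd.exe'; the order check compares each submitted item id against the set the server itself generated ("what is" versus "what should be"). The catalogue, the sample requests and the function names are all constructed for illustration. The third sample request is included to show a case the keyword scrub passes but the expected-value comparison rejects.

```python
"""Added example (not from the original post): a blocklist scrub and an
allowlist comparison for an e-commerce order form.

Everything here is constructed for illustration: the catalogue stands in
for the database of items, and the sample requests are made up.
"""
from urllib.parse import unquote

# Constructed catalogue: the only item ids the form is allowed to send back.
CATALOGUE = {"A100": "widget", "A200": "gadget", "B300": "gizmo"}

# Tokens the post names; lower-case because normalize() lower-cases input.
BLOCKLIST = ("select", "drop", "sp_", "cmd.exe")


def normalize(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), then lower-case.

    This catches 'sel%65ct' as well as the double-encoded '%2573elect'.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scrub_input(value):
    """Blocklist scrub: True if the decoded value contains none of the tokens."""
    text = normalize(value)
    return not any(token in text for token in BLOCKLIST)


def validate_order(form):
    """Allowlist check: every item id must be a catalogue key and every qty a
    small positive integer. Returns (ok, list_of_reasons)."""
    reasons = []
    items = form.get("item", [])
    qtys = form.get("qty", [])
    if not items or len(items) != len(qtys):
        reasons.append("item/qty count mismatch")
    for item in items:
        if item not in CATALOGUE:           # exact match against what we handed out
            reasons.append("unexpected item id %r" % item)
    for qty in qtys:
        if not (qty.isdigit() and 1 <= int(qty) <= 99):
            reasons.append("unexpected qty %r" % qty)
    return (not reasons, reasons)


def check_request(form):
    """Run both checks over a parsed form (field -> list of values)."""
    scrub_ok = all(scrub_input(v) for values in form.values() for v in values)
    allow_ok, reasons = validate_order(form)
    return {"scrub_ok": scrub_ok, "allowlist_ok": allow_ok, "reasons": reasons}


# Constructed sample requests, already parsed into field -> list of values.
SAMPLE_REQUESTS = {
    # Normal order for two catalogue items.
    "clean": {"item": ["A100", "B300"], "qty": ["2", "1"]},
    # Double-encoded 'drop' (%2564 -> %64 -> 'd'): the scrub sees it after decoding.
    "hex": {"item": ["A100%27%3B%2564rop%20table%20items--"], "qty": ["1"]},
    # No listed keyword at all, so the scrub passes it; only the catalogue
    # comparison rejects it.
    "tautology": {"item": ["A100' OR '1'='1"], "qty": ["1"]},
}


if __name__ == "__main__":
    for name, form in SAMPLE_REQUESTS.items():
        print(name, check_request(form))
```

Run it directly to see the verdicts for the three constructed requests. The 'tautology' row is the practical point: a keyword scrub only knows what you told it to hate, while the catalogue comparison only knows what you expect, so the latter is the check worth standardizing into every data-entry module.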
Current thread:
- ISA Server and SQL Injection Rafael San Miguel (Feb 14)
- Re: ISA Server and SQL Injection Tim Hoolihan (Feb 17)
- <Possible follow-ups>
- RE: ISA Server and SQL Injection John Steer (Feb 15)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 16)
- Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 16)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Marty Block (Feb 19)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 16)
- Re: ISA Server and SQL Injection fantomas (Feb 28)
- Re: ISA Server and SQL Injection Darren Bounds (Feb 16)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)