Re: [WEB SECURITY] Re: SQL In the Request

[bugtraq () cgisecurity net]

The longer I'm in this industry the more I'm thinking that educating developers is like trying to
stop the flow of illegal drugs. Sure you'll bust a few people, but a new crop is always around the corner.
I am thinking that we need to continue educating people however have a layered approach to 'babysitting' them.


Better Frameworks/Libraries/API's
Providing easy to use API's that make 'screwing up' more difficult I think is something that we need to continue
working on. Yes you always risk those being dependant on something or not fully understanding it but this is always
going to happen to newbie's. Good developers like to understand what's going on and this is something you learn with 
experience.
Unfortunately until people are educated and have this experience they make the same mistakes over and over again.
Babysitting the majority from opening up risk and providing the more experienced alternatives is something I think that 
we
need to strive for. I think .NET is a good start in this direction however doesn't address other languages.
CERT recently released the Managed String library (http://www.cert.org/secure-coding/managedstring.html) 
which is a good start for C however I think the industry as a whole really needs to start focusing on creating and 
enforcing
the usage of 'security helper' libraries. 

?Source Control?
We all know that source code analyzers need some work but can iron out the common stuff. The problem is
that if you don't use them you aren't going to find any issues unless you have an extensive code
review process. Simply put this isn't commonplace and is rather expensive. Enforcing coding practices
on the source control provider and preventing/alerting to the checking in of 'suspect' code is something I feel 
requires more open 
discussion. Back to my statement above if a newbie developer checks in bad code they aren't going to know its bad, and 
may not
have someone reviewing it and identifying the problem until it is to late. Preventing the usage of certain libraries 
in conjunction hybrid source code analyzer I think is something we really need to start investigating/talking about.
I'm not saying we'd block the code, obviously we'd need something configurable to monitor and inform a project 
manager/architect
and this wouldn't be a magic bullet to all development styles, but would catch some low hanging fruit.

My $3.50 
Comments/Flames welcome.

- Robert
http://www.cgisecurity.com/ Application Security news
http://www.cgisecurity.com/index.rss [RSS Feed] 


> I see this occasionally.  It normally comes from an
> amateur-trying-to-be-a-professional.  Indeed, developer education is
> needed badly.
>
> -----Original Message-----
> From: Nish Bhalla [mailto:nish () securitycompass com]=20
> Sent: Thursday, October 05, 2006 12:26 PM
> To: 'Erez Metula'; 'Ory Segal'; 'bryan allott';
> webappsec () securityfocus com; websecurity () webappsec org
> Subject: RE: [WEB SECURITY] Re: SQL In the Request
>
> Well funny thing is that I have seen a couple of seminar sites titled
> "Security for Developers" and one other Computer Security Conferences
> website that are vulnerable to the exact same SQL Injection
> vulnerability. I
> am surprized how people hold conferences on security and don't even do
> basic
> security checks.
>
> Nish.
>
> =20
> -----Original Message-----
> From: Erez Metula [mailto:erezmetula () 2bsecure co il]=20
> Sent: Thursday, October 05, 2006 1:01 PM
> To: Ory Segal; bryan allott; webappsec () securityfocus com;
> websecurity () webappsec org
> Subject: RE: [WEB SECURITY] Re: SQL In the Request
>
> Just to add another dumb example from real life, I did an application
> assessment a couple of months ago that had a page like this:
>
> http://AppName/QueryDB.jsp?sql=3Dsql_query
>
> it can't be worse than that..
>
> ________________________________
>
>
> Erez Metula, CISSP   =20
> Application Security Department Manager
> Security Software Engineer
> E-Mail:  erezmetula () 2bsecure co il      Mobile:  972-54-2108830
> Office: 972-39007530    =20
> =20
>
> -----Original Message-----
> From: Ory Segal [mailto:osegal () watchfire com]
> Sent: Thursday, October 05, 2006 6:38 PM
> To: bryan allott; webappsec () securityfocus com; websecurity () webappsec org
> Subject: RE: [WEB SECURITY] Re: SQL In the Request
>
> Hi,
>
> I actually saw this kind of blasphemy several years ago -- an
> application
> that builds a SQL query using client-side JavaScript. The complete SQL
> query
> was then passed as a hidden parameter to the web application...
>
> Go figure...
>
> -Ory Segal
> http://www.watchfire.com
>  =20
>
>
> -----Original Message-----
> From: bryan allott [mailto:homegrown () bryanallott net]
> Sent: Thursday, October 05, 2006 5:35 PM
> To: webappsec () securityfocus com; websecurity () webappsec org
> Subject: [WEB SECURITY] Re: SQL In the Request
>
>
> Just when i thought i had seen it all... -i come across a site which
> passes in the following as part of the REQUEST..
> yes, the SWF builds a request and sends it through to a php server... in
> plain text.
>
> POST /flashsql.php?id=3D106 HTTP/1.1
>
> =3D QUERYSTRING =3D=3D=3D=3D
>  id=3D106
>
> =3D BODY =3D=3D=3D=3D
>  host=3D<HOSTNAME>
>  sql_=3DSELECT DISTINCT(movies.id), movies.name, filename FROM movies LEFT
> JOIN groups_movies ON (movies.id =3D groups_movies.movie_id) LEFT JOIN
> groups ON (groups.id =3D groups_movies.group_id) LEFT JOIN files_groups ON
> (groups.id =3D files_groups.group_id) LEFT JOIN files ON (files.id =3D
> files_groups.file_id) WHERE movies.id IN(155,150,52,149,134,133,76) AND
> files.file_type_id=3D9 ORDER BY movies.id
>  dat=3Dsk_cms
>
> is there anyway that this can be "acceptable" ?=20
>
>
>
>
>
> ------------------------------------------------------------------------
> ----
> The Web Security Mailing List:=20
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:=20
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
> ------------------------------------------------------------------------
> ----
> The Web Security Mailing List:=20
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:=20
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
> ------------------------------------------------------------------------
> ----
> The Web Security Mailing List:=20
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:=20
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
> ------------------------------------------------------------------------
> ----
> The Web Security Mailing List:=20
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:=20
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> Confidentiality Notice: This message is for the sole use of the intended re=
> cipient(s).
> It may contain confidential or proprietary information and may be subject t=
> o the
> attorney-client privilege or other confidentiality protections. If this mes=
> sage was
> misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries =
> waive any
> confidentiality, privilege, or trade secrets. If you are not a designated r=
> ecipient,
> you may not review, print, copy, retransmit, disseminate, or otherwise use =
> this message.=20
> If you have received this message in error, please notify the sender by rep=
> ly e-mail=20
> and delete this message.
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to 
use AppScan in client engagements. AppScan is the leading Web application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------