Please start any new threads on our new site at https://forums.sqlteam.com. We've got lots of great SQL Server experts to answer whatever question you can come up with.

 All Forums
 SQL Server 2000 Forums
 SQL Server Administration (2000)
 Security Testing: SQL Injection

Author  Topic 

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 05:26:20
Hi,

My web server has MsSql at the back-end and asp at the front-end. A UserID, Password, and a dynamically generated code field are present on the website for the user to logon. UserID field takes an EMAIL address as input. There are other features in the website such as search n advanced search, cart etc.

At the back-end, stored procedures are used. However, according to a recent audit done on the site using Acunetix v3.0 the results have been otherwise. A clear possibility of successful Sql injection attack has been shown in the report (in the search, advanced search field and certain other pages).

I have tried & worked out injection strings to my understanding and knowledge of this subject. I also studied the report generated by the Acunetix with the tested parameters making site vulnerable. However, the security of the website could not be completely tested with these information.

My question and concern is:

- Does using stored procedures not thwart the Injection attack?
- I have a limited experience in the sql coding. However I'm studyin the subject n willing to learn n experiment with the subject considering the urgency of performing audit. How can I test the security myself (with or without the third-party tools)?

I need to test in max. possible detail considering the possible methods that intruders may employ. I understand this might be a difficult question to explain for someone & work out for me as well but I kno its an achievable metric.

Your opinions and suggestions are welcome.
Thanks.

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 08:01:32
proper use of stored procedures makes injection impossible.
no exec('stuff')

can you show us how are you performing advanced searches and searches?

also read this:
http://weblogs.sqlteam.com/jeffs/archive/2006/04/21/9651.aspx


Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 08:57:56
spirit,

According to the results I received from Acunetix, certain pages - Search, Advanced Search, Cart - were susceptible to Injection, Css scripts, parameter manipulation etc. I used the parameters with which Acunetix tested the pages, manually entering them in the respective fields, with no positive results.

I tested the 'Forget Password' option (forgetpassword.asp) on my site with few strings. Though I couldnt any deep, still I was able to gather little information as Table-name, field-names from it. Though the developer team is confident that the db is all safe, I doubt so. Please find below the strings that I tested the page with:

A)
' having 1=1--

Column 'table_name.col_pwd' is invalid in the select list
because it is not contained in an aggregate function and there is no GROUP BY clause.
/pagename/page1.asp, line 41

B)
' group by table_name.col_username having 1=1--

Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'table_name.col_pwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/pagename/page1.asp, line 41

C)
' union select count(col_pwd) from table_name--

Microsoft OLE DB Provider for SQL Server error '80040e07'
The sum or average aggregate operation cannot take a varchar data type as an argument.

/pagename/page1.asp, line 41

D)
' union select sum(col_username) from table_name--

Microsoft OLE DB Provider for SQL Server error '80040e07'
The sum or average aggregate operation cannot take a nvarchar data type as an argument.

/pagename/page1.asp, line 41

E)
' OR 1=1-- OR desc table_name;

' OR 1=1-- UNION desc table_name;

Your Pasword has been sent to your Email address.

F)
' union select min(col_username),1,1 from table_name where col_username > 'a'--

Microsoft OLE DB Provider for SQL Server error '80040e14'
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

/pagename/page1.asp, line 41

G)
' union select * from master..sysobjects

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/pagename/page1.asp, line 41

---

I need to test the site and verify the Acunetix report.

Your suggestions and guidance is welcome.

Thanks.
Go to Top of Page

jen
Master Smack Fu Yak Hacker

4110 Posts

Posted - 2006-05-05 : 09:24:53
using sproc is not enough, you need to suppress the descriptive error messages that are invoked when an error is encountered

usually, these error messages appear because they were not handled within the program, but if you catch these errors and display custom messages, those messages giving you bits of information won't show...

from there you can employ your own audit, you can just show error numbers instead of descriptive text and log that down and any other information you need

hope that makes sense...

--------------------
keeping it simple...
Go to Top of Page

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 09:38:43
she's right. as usual...

the proper way for and input mask, be it web or win, is:
1. enter the data
2. press submit
3. validate data before going anywhere near the sql.
4. put valid data into parameteres
5. execute db stuff
6. enjoy

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 09:49:55
true. jen & spirit.

however, what I need is to know the kind of strings to use upon my site.
First, I need to test the site. Securing the flaws is the next step. I need to find and show the flaws to the development team so they know and implement code correctly in the other projects.

Any suggestion with this regard is Welcome.

Thanks for your efforts. :)
Go to Top of Page

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 10:04:23
well it seems to me you got your strings chosen preety well...
you posted the messages you got. show that to your dev team.
tell them to surpress the error messages and to validate the data.

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 10:25:32
quote:
Originally posted by spirit1

well it seems to me you got your strings chosen preety well...
you posted the messages you got. show that to your dev team.
tell them to surpress the error messages and to validate the data.

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]




well, true that I shud show these to the dev. team. but, I must differ that these strings are sufficient enough. As a security tester, we need to go forth n aim at reaching deeper than is expected. However, right now, I have only very basic level of awareness of the db. Considering this is completely black-box, I am humble enough to admit that these strings are just A of A-Z. I need to know more strings, the concept behind them to understand and perform the testing completely.

I am lookin for more suggestions for hittin my site.

Spirit Thanks for your reply. I appreciate your suggestions. :)
Go to Top of Page

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 10:35:51
well you could post you site here and a bunch of us could have a field day playing "crash you site"

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 10:44:41
you could try this at your own risk of course:
';drop table tablename'

then if it works you could go with
drop database dbName


however be sure to backup everything prior doing this and it's not my fault
if you get fired/lose money/etc.
you've been warned




Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 10:47:59
quote:
Originally posted by spirit1

well you could post you site here and a bunch of us could have a field day playing "crash you site"

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]




someone's play can be loss of many. so i cant ;)
If your bunch can do 'that', this bunch 'might' also be able to shed some light on my concern. Perhaps!
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 10:51:42
quote:
Originally posted by spirit1

you could try this at your own risk of course:
';drop table tablename'

then if it works you could go with
drop database dbName


however be sure to backup everything prior doing this and it's not my fault
if you get fired/lose money/etc.
you've been warned




Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]




it doesnt work.
Go to Top of Page

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2006-05-05 : 10:52:06
lucky you

Go with the flow & have fun! Else fight the flow
Blog thingie: [URL="http://weblogs.sqlteam.com/mladenp"]
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 10:55:53
well am still lookin for more information.

Knowledge never ends. :)
Go to Top of Page

jen
Master Smack Fu Yak Hacker

4110 Posts

Posted - 2006-05-05 : 10:58:09
well, you needn't worry then, just mask the error messages...
unless you don't trust your dev, give us a try and we'll provide you recommendations afterwards

without actual involvement it's really difficult to provide insights

backup the database before you provide the url, good plan eh?
or stage it in a dev server, you get free QA



--------------------
keeping it simple...
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 11:07:14
quote:
Originally posted by jen

well, you needn't worry then, just mask the error messages...
unless you don't trust your dev, give us a try and we'll provide you recommendations afterwards

without actual involvement it's really difficult to provide insights

backup the database before you provide the url, good plan eh?
or stage it in a dev server, you get free QA



--------------------
keeping it simple...




Jen. Thanks for the offer.
considering the kind of db, I cant. Was just thinkin about the report by Acunetix suggesting possible manipulation. May be i need to wait till more people with more info n guidance on this subject comes across this post.

Thanks :)
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2006-05-05 : 11:10:11
A couple of extra rules to live by.

1. NEVER trust user input.
2. Use strongly typed variables wherever possible. I.E. if you are expecting an integer, make sure you store it as an integer so that anything else will throw an exception before it gets near your database. Similarly, stored proc parameters work well here too.
3. Check the length of user submitted strings, use maxlength on html input boxes.
4. Remove nasty characters or characters you know you don't need before letting them anywhere near the database (or writing them back to the page, do a google on cross site scripting to find out what I mean).
5. Run your database access account with least priveledge, if you are using procs, only allow execute permissions on the procs to the user account your web app is using. That way there is no way an attacker can read or write data, drop tables, or do any other administrative nasties. NEVER EVER run as SA (if you do that, and you have an sql injection hole, an attacker can get at xp_cmdshell and own your entire server / network).

That's all I can think of for now

I did a demo of some of these things to a team of devs and a network admin recently. It was fun to watch their jaws hit the ground as I dropped tables, wrote files and stopped the DB server all from an unsecured web app.



Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2006-05-05 : 11:13:58
Here's another good one.

http://tinyurl.com/k3e6v



Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-05 : 11:24:52
Merkin,

I need to give my inputs to the dev. team with the 'Action Taken n Recommendations' showin the strings n parameter manipulations that could affect our site(s). As of now, without appropriate testing, the recommendations to the dev team will still be incomplete.

You have given good suggestions with your experience. Though this is a new task; I am willing to learn, test the stuff.

Thanks for your points. :)
Go to Top of Page

karn
Starting Member

14 Posts

Posted - 2006-05-08 : 02:42:38
Merkin,

I have been able to gather up quite a number of points on how to secure the db from Injection n similar attacks now.

However, I still havent got much clue on how to 'do' the testing manually. What kind of strings could be used for reconnaissance, enumeration, n in further exploiting & testing the db.

It appears to be a difficult question for people to answer.

Am still open for answers n suggestions. :)
Thanks.
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2006-05-08 : 03:34:12
That is too much of an ask for someone to put it all into a forum post.
The basic answer is :

1. Know SQL really really well
2. See what you can exploit.

A book could be written on it, but I don't have the time right now.
If you have the task of recommending to the developers how they should test and secure thier app, then you are in a position I do not envy. You should tell them to read this thread, and look at www.sqlsecurity.com

Failing that, you could hire someone to do an audit on it. This would be made quicker by supplying source code.



Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson
Go to Top of Page
  Previous Page&nsp;  Next Page

- Advertisement -