Lightswitch Security, Protection against SQL Injection attacks etc.
Hi all,
I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
In the case of injection attacks it is my understanding the generated code will submit data to the database via named parameters to protect against such things, but it would be good to have some official account of how Lightswitch handles relevant OWASP issues, to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
Is anyone aware of such documentation? I found this but it barely scratches the surface:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
There is this which describes best practices but nothing to say that these practices are adopted within Lightswitch:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Thanks for any help, I am amazed that it is so difficult to find?
LS is a tool built on top of other technologies including Entity Framework.
Here is a security doc about EF.
http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
LS uses Linq to Entities and therefore is not susceptible to SQL injection.
HTH,
Josh
PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related
to db security & 2 vs 3-tier.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch
Similar Messages
-
CS3/CS4 protecting against SQL Injection
Hi:
I was wondering if the newer versions of Dreamweaver like CS3/CS4 do a good enough job to protect against SQL Injection when using the built in Insert/Update/Delete behaviors or should I use Commands with Stored Procedures (MS SQL)?
Thanks!
Mitch
David, Günter - many thanks for your help!
In my ignorance I appear to have been misled by my website host who, in response to a related problem, informed me as follows:
"your website's scripting does appear to be highly vulnerable to SQL injection attack, this can be easily seen via the following example:
/s-sub_detail.php?cat_id=TEST
As you can see, arbitrary data entered as the cat_id variable of the shopping cart script is being passed unchecked to the SQL server, which is then returning a notice relevant to the data passed (in the above example case this is an "unknown column" error) - This effectively demonstrates that your shopping cart script performs no validation on variables used within the script and passes them directly to the SQL server, which means arbitrary commands can potentially be added as variable data for the SQL server to execute.
In order to correct this all variables and any other posted data used by the shopping cart script must be fully validated by the script itself before being passed to the SQL server so that SQL commands cannot be executed by simply manually entering these as a script variable".
Thanks to David I understand the issue with the need for data validation but the response above appears to indicate that they believe there is more to it.
David and Günter - I would welcome your response to the above and perhaps recommendations for SQL injection vulnerability testing.
Kind regards
J -
SAP ABAP Secure Coding. Protection against SQL Injection
Dear community,
I've detected recently a problem with dynamic SQL queries. It seems to be security relevant. I would much appreciate it if you participated in my online survey on this topic at: http://de.surveymonkey.com/s/VC9CBVM It takes less than 1 minute. It is very important to understand whether it is necessary to protect the coding against SQL injection, or whether you can say from your experience that it isn't.
Thanks a lot!
Moderator Message: if you need a poll support from SCN, then there is an area http://scn.sap.com/poll-post!input.jspa?container=2015&containerType=14 to create such. Please use it and avoid external links.
Message was edited by: Kesavadas Thekkillath
-
Preventing/securing against sql injection attacks
What's the best way to go about trying to secure/prevent from mysql injection attacks.
I guess this is not so good?
$JobTitle = $_POST['JobTitle'];
$sql = 'SELECT * FROM jobs WHERE JobTitle = "'.$JobTitle.'"';
So I'm currently using the mysqli real_escape_string:
$JobTitle = $_POST['JobTitle'];
$JobTitle = $conn->real_escape_string($JobTitle);
$sql = 'SELECT * FROM jobs WHERE JobTitle = "'.$JobTitle.'"';
or I could use:
$sql = 'SELECT * FROM jobs WHERE JobTitle = "$_POST['JobTitle'];"';
but I don't know about the above having not used it at all.
or I could use prepared statements, which I don't particularly want to do because they are so long-winded, especially when you have about 20 or so rows of data to insert/update into a database table
???????????????????? (ssssssssssssssss) I mean who the **** can keep track of that ****
Is there anything bad about using the below (no user input i.e., $_POST or $_GET)
$date = date('Y-m-d');
$sql = 'SELECT * FROM jobs WHERE jobDate < "'.$date.'"';
Just trying to get a handle on reasonable practices to use, when and where.
Any thoughts
Cheers
Os
Hi Ken,
Thanks for that. It seems as though this area is a bit of a grey one. I've searched just about everywhere and can't find any kind of definitive answer.
I'm specifically exploring sqli as that is the way ahead now that sql is being dropped from future php releases.
I'm using prepared statements to insert and update the database and boy are they a pita to work with. My eyes can't cope with it....simply ridiculous to have to keep track of the binding method:
??????????????????????? and sssssssssssssssssss
Was looking for something simpler when selecting results to display on a page. Think for now I'll just go with the real_escape_string method and hope it provides some form of security.
$foo = $_POST['foo'];
$foo = $conn->real_escape_string($foo);
I'll just assume there is no risk if a user can't input any data i.e,
$variable = "foo";
SELECT * from table Where id = "'.$variable.'" -
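The thread above keeps coming back to two pain points: having to maintain the mysqli type string ("ssss...") for prepared statements, and whether values that never came from a user still need care. What follows is an added example, not code from the thread or from any of its posters: a small Python/SQLite version of the same INSERT, UPDATE and SELECT pattern using named parameters, so there is no type string to track, with column names (which cannot be bound as parameters) checked against an allowlist instead. The jobs schema, the column set and the helper names are assumptions made for this demo.

```python
import sqlite3

# Constructed stand-in for the thread's "jobs" table; not the poster's schema.
SCHEMA = ("CREATE TABLE jobs (id INTEGER PRIMARY KEY, "
          "JobTitle TEXT, jobDate TEXT, Company TEXT)")

# Column names cannot be bound as parameters, so the helpers accept only
# names from this allowlist and build the column list from it (assumed set).
ALLOWED_COLUMNS = ("JobTitle", "jobDate", "Company")


def make_conn():
    """In-memory SQLite database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def check_columns(fields):
    """Reject any key that is not a known column name."""
    unknown = [c for c in fields if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))


def insert_row(conn, fields):
    """INSERT built from a dict: identifiers come from the allowlist, values are
    bound by name (:JobTitle, :jobDate, ...) so no type string is maintained."""
    check_columns(fields)
    cols = list(fields)
    sql = "INSERT INTO jobs (%s) VALUES (%s)" % (
        ", ".join(cols), ", ".join(":" + c for c in cols))
    return conn.execute(sql, fields).lastrowid


def update_row(conn, row_id, fields):
    """UPDATE of one row by id; same allowlist and named binding as insert_row."""
    check_columns(fields)
    assignments = ", ".join("%s = :%s" % (c, c) for c in fields)
    sql = "UPDATE jobs SET %s WHERE id = :row_id" % assignments
    params = dict(fields, row_id=row_id)
    return conn.execute(sql, params).rowcount


def find_by_title(conn, title):
    """The thread's SELECT ... WHERE JobTitle = ?, with the value bound."""
    return conn.execute(
        "SELECT id, JobTitle FROM jobs WHERE JobTitle = ?", (title,)).fetchall()


def find_before(conn, date_str):
    """The no-user-input case from the thread: binding costs nothing, so bind anyway."""
    return conn.execute(
        "SELECT id FROM jobs WHERE jobDate < ?", (date_str,)).fetchall()


if __name__ == "__main__":
    conn = make_conn()
    # Value taken from the login example elsewhere on this page; stored literally.
    insert_row(conn, {"JobTitle": "garbage' or TRUE or '", "jobDate": "2024-01-01"})
    print(find_by_title(conn, "garbage' or TRUE or '"))   # one row, value intact
    print(find_by_title(conn, "garbage"))                  # [] : nothing was injected
```

Whatever a user types into JobTitle is stored and compared as a literal string, because it never becomes part of the SQL text; the only thing left to guard is the column list, and the allowlist handles that. Binding the date in find_before is not strictly needed for a server-generated value, but it keeps every query in one shape, so a later change that does take the date from a request cannot silently reintroduce concatenation.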
CFInsert/Update: protection against SQL injection?
Hello,
I'm trying to find out if the use of CFInsert or CFUpdate
offers any protection against a SQL Injection attack. We are on a
project that uses many CFInserts and Updates, and lack the time to
rewrite new queries using CFQueryParam. Will a CFInsert or Update
handle the situation?
Validate every field before you get to the cfinsert/cfupdate
tag, something you should have been doing anyway. -
Spry to block script characters to protect against sql injection
I am new so please be patient and I hope I am in the right forum. I would like to set up a Spry widget that I could apply to forms in my site for text area. This would block any code like <> * and only allow a-zA-Z and 0-9. I would like to be able to add this widget to Dreamweaver so that I can call it up any time I add a text area. I am hoping to use this to block SQL injection on my sites.
Can this be done by a rookie?
Thanks!
Sure it can be done, but there are some flaws in your idea. Having client side validation is always good for the user experience, but these validations are only executed client side, and only when the user has javascript enabled. So when your users disable javascript they would probably still be able to create SQL injections.
So I wouldn't really use client side validations for your issue, but search for a server side alternative. Most server side languages already provide you with utilities you can use to prevent the most common SQL injection types. So you might want to dig into that first. -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.
There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
FUNCTION validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
x INTEGER;
-- :1 and :2 are bind placeholders; the caller's values never become part of the SQL text
sqlstr VARCHAR2(200) := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
RETURN x;
END validate_logon;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
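To make concrete what the bind-variable version in the reply above changes, here is an added example that is not part of the thread or of the Oracle package described: the login query run both ways in Python against an in-memory SQLite table, with %value1% and %value2% exactly as given in the question. The users table, its single row and the function names are constructed for this demo.

```python
import sqlite3

# Constructed users table standing in for the post's users/appusers table;
# the row contents are assumptions for the demo.
def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, uname, pwd):
    """The login.asp pattern from the question: values spliced into the SQL text."""
    sql = "select count(*) from users where uname='%s' and pwd='%s'" % (uname, pwd)
    return conn.execute(sql).fetchone()[0]


def login_bound(conn, uname, pwd):
    """validate_logon style: fixed SQL text, values delivered as bind parameters."""
    sql = "select count(*) from users where uname = ? and pwd = ?"
    return conn.execute(sql, (uname, pwd)).fetchone()[0]


# %value1% and %value2% as written in the question
VALUE1 = "garbage"
VALUE2 = "garbage' or TRUE or '"


def compare():
    """Row count each variant returns for the question's inputs and for a real user."""
    conn = make_users_db()
    return {
        "concat_payload": login_concat(conn, VALUE1, VALUE2),   # 1: AND binds tighter than OR, OR TRUE matches every row
        "bound_payload": login_bound(conn, VALUE1, VALUE2),     # 0: no row literally has that uname/pwd
        "bound_real_user": login_bound(conn, "alice", "correct-horse"),  # 1
        "bound_wrong_pwd": login_bound(conn, "alice", "wrong"),          # 0
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(name, count)
```

In the bound version the database compiles one fixed statement and receives the two strings as data, so the only way it can return 1 is a row whose uname and pwd equal the inputs character for character; the count can never exceed the number of matching rows, which is what the reply's "should always be 1" relies on. The demo compares plaintext because the post does; a production validate_logon would compare a stored password hash instead.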
Preventing Sql Injection Attacks
Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing sql injection attacks on our server. It was difficult to decide where to post it as it is a security issue but it may be general server issue. Or is it???
It would have been helpful if you had either repeated the text of your other post here, or else included a link to Sql Injection.
Tom Best posted a link to an interesting sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best place to start (as no-one else posted to that thread).
Cheers, APC -
Preventing sql injection attack
string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
OleDbConnection myConnection9 = new OleDbConnection(objConn9);
string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
myCommand9.Parameters.Add(":username", txtUsername.Text);
myCommand9.Parameters.Add(":password", txtPassword.Text);
myConnection9.Open();
myCommand9.ExecuteNonQuery();
myConnection9.Close();
i'm using this code to try to remove the problem of
users entering a comma or a semicolon and throwing off my query, but it's not working...
is there an easy way to insert text values into oracle 8i
that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.net
I may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
It is only when concatenating a string together to make a sql statement that injection attacks can occur.
See
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
and search for injection.
Or just go to
http://asktom.oracle.com
and search for "sql injection bind variable" for lots of other references. -
After an SQL injection attack I followed the advice to use
cfqueryparam in my cfquery statements. Unfortunately this does not
seem to have worked as many records in my database have again been
appended with scripts linking to javascript files on another
website.
I haven't coded in Coldfusion in a while and would really
appreciate it if someone could take a look at the code of one of my
pages and let me know if I have missed anything or miscoded the
cfqueryparam tag.
Thanks in advance
Neil
You can add the following code to your application file.
<!--- CREATE SQL REGULAR EXPRESSION--->
<cfset sqlregex = "
(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
(DELETE\sFROM\s[\d\w\'\=]+)|
(DROP\sTABLE\s[\d\w\'\=]+)">
<!--- CHECK FORM VARIABLES --->
<cfloop collection="#form#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(form)>
<cfabort>
</cfif>
</cfloop>
<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(url)>
<cfabort>
</cfif>
</cfloop>
Good luck
Mamdoh
P.S: The credit for the script goes to sys-con.com -
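The regular-expression check in Mamdoh's reply is a blacklist: it only recognises input that looks like a whole SQL statement. As an added example, not from the post or from sys-con.com, the following ports that expression to Python and runs it over a handful of constructed form values so that its false positives and false negatives are visible. The field names and values are made up for this demo; the payload string is the one quoted in the login example elsewhere on this page.

```python
import re

# The post's ColdFusion expression in Python syntax (same alternatives,
# case-insensitive like refindnocase).
SQL_REGEX = re.compile(
    r"(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    r"(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    r"(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    r"(DELETE\sFROM\s[\d\w\'\=]+)|"
    r"(DROP\sTABLE\s[\d\w\'\=]+)",
    re.IGNORECASE,
)


def looks_like_sql(value):
    """True when the blacklist pattern matches anywhere in the value."""
    return SQL_REGEX.search(value) is not None


def screen_request(params):
    """Names of the string parameters the cfloop in the post would reject."""
    return [name for name, value in params.items()
            if isinstance(value, str) and looks_like_sql(value)]


# Constructed request parameters (not from the post)
SAMPLE_FORM = {
    "title": "Senior Developer",                     # ordinary value, passes
    "comment": "Please select one from the list",    # ordinary English, yet rejected
    "search": "select * from products",              # SQL text, rejected
    "pwd": "garbage' or TRUE or '",                  # payload from the login post, not rejected
}


if __name__ == "__main__":
    print(screen_request(SAMPLE_FORM))   # ['comment', 'search']
```

The pattern rejects an innocent sentence because "select one from the list" has the SELECT ... FROM shape, while the quoted login payload passes because it contains none of the five keywords; anything the database accepts that the list does not anticipate slips through the same way. That makes the check a screening and alerting aid, not a substitute for cfqueryparam, which the question already applies and which removes the problem regardless of what the value looks like. Logging a rejected submission is more useful than silently redirecting it, since the false positives above would otherwise be lost as user complaints.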
Protect From SQL Injection in ASP
Hi, can anyone tell me different ways of how to protect from
SQL Injection in ASP via DW or other means? I thought there was
something in DW that would automatically do that.
This would be a simple text form field which will allow
visitors to search for a product from a db.
thanks
Google "SQL Injection ASP".
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
==================
"ed19" <[email protected]> wrote in message
news:g9s98d$6nn$[email protected]..
> Hi, can anyone tell me different ways of how to protect
from SQL Injection
> in
> ASP via DW or other means? I thought there was something
in DW that would
> automatically do that.
>
> This would be a simple text form field which will allow
visitors to search
> for
> a product from a db.
>
> thanks
> -
Sql injection attack - need help changing ASP code
Our web server was attacked yesterday by SQL injection. So I
quickly learned about the holes in the code that was generated by
Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP
code; however I need more information for my particular case. I
don't know how to get my cursor type and location settings into the
new code.
MY ORIGINAL CODE
<%
Dim Recordset1
Dim Recordset1_numRows
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0
Recordset1.CursorLocation = 3
Recordset1.LockType = 1
Recordset1.Open()
Recordset1_numRows = 0
%>
THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>
What exactly is the 5,1,-1 in the code above?
Any help would be very much appreciated as my ASP page
(although secured from SQL injection) is not working properly.
Thanks,
--Jen
The new snippet is not vulnerable to SQL injection. It uses a
command
object and actual defined parameters, so you're safe. You
cannot change the
cursor type or location on that object.
"jennday" <[email protected]> wrote in
message
news:f85omh$ngg$[email protected]..
> Our web server was attacked yesterday by SQL injection.
So I quickly
> learned
> about the holes in the code that was generated by
Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the
ASP code; however
> I
> need more information for my particular case. I don't
know how to get my
> cursor type and location settings into the new code. -
It has a yellow triangle next to it with a ! in it.
That is a legitimate message from Mozilla. Support has ended for Firefox 3.5.19. You need to upgrade to a newer version of Firefox. The hyperlink takes you to a download page for Firefox 4.0.1 and Firefox 3.6.17 is available here - http://www.mozilla.com/en-US/firefox/all-older.html
-
What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and APIs
* Reports, discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While the second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see any more data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
how oracle prevent sql injections?
mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??
Yes. Install Oracle. -
SQL Injection on CallableStatement
I will try to post this all in one line, as the tags are not working today. I know that one should use PreparedStatement over Statement to obviate the thread of a SQL injection attack. Is CallableStatement vulnerable as well? For reference, this would be running against an Oracle RDBMS. Thanks!
- Saish
I guess there is no hard-and-fast rule.
Well, I guess the hard and fast rule is "only use
bound variables". If you've got a sane database
design then that shouldn't cause you any problems.
Dave.
I agree. I was approaching the issue mainly from a security perspective in locking down a legacy system against SQL injection attacks. Using Eclipse, I was able to zero in on usages of Statement fairly easily. But the more I looked into CallableStatement, the more I realized that I would have to inspect each invocation manually. (Just in case someone did not bind variables or built a dynamic SQL string.)
- Saish