SQL Injection & CF code Attacks

Similar Messages

• SQL Injection -- DBA role..

  Hi all,
  I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
  As a DBA  How to check whether database got effected
  Please help me by providing hints and tips to analysis SQL injection.
  Thanks in advance

  There is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
  Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation). 
  As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
  likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
  select
  epa.value as [DB ID],
  db_name(convert(int,epa.value)) as [DB Name],
  count(*) as [Single Use Plans]
  from
  sys.dm_exec_cached_plans p
  cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
  where
  p.usecounts = 1 and
  p.objtype in ('Adhoc','Prepared') and
  epa.attribute = 'dbid'
  group by
  epa.value
  option (recompile)
  Thank you!
  Dmitri V. Korotkevitch (MVP, MCM, MCPD)
  My blog: http://aboutsqlserver.com

• SQL Injection - cfqueryparam and other techniques to stop abuse?

  We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
  First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
  What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
  Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
  Thanks for any other suggestions.

  CFqueryparam is a good fist step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam wont help in that case.  You will need to review data and validate for that.
  You should also be checking for XSS vulnarabilities.
  http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in- ColdFusion
  The blog above has a great number of CF sercurity related posts.
  Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
  http://www.petefreitag.com/item/721.cfm
  There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
  http://portcullis.riaforge.org/
  Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

• SQL Injection from PL/SQL function.

  WE have some issues with a third party application which has vulnerabilities to SQL Injection, we have delivered a proof of concept to the developers demonstrating that it is possible to return additional (unrestricted) results to the front end, we have also found the following function in the back end. Assuming that its possible to call this function (which it is) and we can pass in whatever we want and that the user has exp_full_database and imp_full_database roles granted is there anything destructive possible with the following function?
  FUNCTION row_count (tab_name VARCHAR2) RETURN INTEGER AS
  rows INTEGER;
  BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || tab_name INTO rows;
  RETURN rows;
  END;
  version 11.2.0.3, linux x86

  Simple example.
  SQL> --// table to hack in production - we are going to nuke it
  SQL> create table production_table1(
    2          some_data       number
    3  );
  Table created.
  SQL> --// production code typically executes with production rights (authid definer)
  SQL> create or replace function RowCount( tabName varchar2 ) return integer authid definer is
    2  --// code executes with the privs of the owner of the code
    3          cnt     integer;
    4  begin
    5          execute immediate 'SELECT COUNT(*) FROM ' || tabName into cnt;
    6          return( cnt );
    7  end;
    8  /
  Function created.
  SQL> --// expected use of production code
  SQL> var i number
  SQL> exec :i := RowCount( 'EMP' );
  PL/SQL procedure successfully completed.
  SQL> print i
           I
          14
  SQL>
  SQL> --// create the following in any schema that I, as hacker, have access to and the
  SQL> --// right to create a procedure - and using "access/security escalation", I'm going
  SQL> --// to get production code to run my code with production rights
  SQL>
  SQL> create or replace function InjectCode return integer authid current_user is
    2  --// code executes with the privs of the caller of the code
    3          pragma autonomous_transaction;
    4  begin
    5          execute immediate 'drop table PRODUCTION_TABLE1 purge';
    6          return( 0 );
    7  end;
    8  /
  Function created.
  SQL>
  SQL> --// production table is there
  SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
  OBJECT_TYPE                    OBJECT_NAME
  TABLE                          PRODUCTION_TABLE1
  SQL>
  SQL> --// inject my code into production code
  SQL> exec :i := RowCount( 'EMP where InjectCode() = 0' );
  PL/SQL procedure successfully completed.
  SQL> print :i
           I
          14
  SQL> --// production table is nuked
  SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
  no rows selected
  SQL>

• Dreamweaver CS3 and sql injection....

  Any news if Dreamweaver CS3 will have the same "problems"
  brought on by the
  8.0.2 update to Dreamweaver 8?
  Thanks!

  Excellent...glad to hear it and I look forward to getting
  CS3. I held off
  on 8 because of the so called problems.
  "Murray *ACE*" <[email protected]> wrote
  in message
  news:[email protected]...
  > Yes, that's what I do. Honestly, I've not seen any
  problems there.
  >
  > --
  > Murray --- ICQ 71997575
  > Adobe Community Expert
  > (If you *MUST* email me, don't LAUGH when you do so!)
  > ==================
  >
  http://www.dreamweavermx-templates.com
  - Template Triage!
  >
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  >
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  >
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  > ==================
  >
  >
  > "Pizza Good" <[email protected]> wrote in
  message
  > news:[email protected]...
  >>I think it comes up more when you have a form and
  pass the values to a
  >>recordset which uses those values to query and filter
  a recordset.
  >>
  >>
  >> "Murray *ACE*"
  <[email protected]> wrote in message
  >> news:[email protected]...
  >>>I am processing form input, which I believe is
  where SQL injection comes
  >>>in.
  >>>
  >>> --
  >>> Murray --- ICQ 71997575
  >>> Adobe Community Expert
  >>> (If you *MUST* email me, don't LAUGH when you do
  so!)
  >>> ==================
  >>>
  http://www.dreamweavermx-templates.com
  - Template Triage!
  >>>
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  >>>
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  >>>
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  >>> ==================
  >>>
  >>>
  >>> "Pizza Good" <[email protected]> wrote
  in message
  >>> news:[email protected]...
  >>>> That's good, or perhaps you are not building
  the types of sites that
  >>>> may encounter the so called problems?
  >>>>
  >>>>
  >>>> "Murray *ACE*"
  <[email protected]> wrote in message
  >>>> news:[email protected]...
  >>>>>I have to say that I've used 8.0.2 with
  such things quite a bit and not
  >>>>>encountered *any* of the posted problems.
  >>>>>
  >>>>> --
  >>>>> Murray --- ICQ 71997575
  >>>>> Adobe Community Expert
  >>>>> (If you *MUST* email me, don't LAUGH
  when you do so!)
  >>>>> ==================
  >>>>>
  http://www.dreamweavermx-templates.com
  - Template Triage!
  >>>>>
  http://www.projectseven.com/go
  - DW FAQs, Tutorials & Resources
  >>>>>
  http://www.dwfaq.com - DW FAQs,
  Tutorials & Resources
  >>>>>
  http://www.macromedia.com/support/search/
  - Macromedia (MM) Technotes
  >>>>> ==================
  >>>>>
  >>>>>
  >>>>> "Paul Whitham AdobeCommunityExpert"
  <[email protected]> wrote in
  >>>>> message
  news:[email protected]...
  >>>>>> Using stored procedures is a good
  safe guard against SQL injection
  >>>>>> because you have to define your
  parameter types, in much the same way
  >>>>>> that the parameters in the 8.0.2
  worked.
  >>>>>>
  >>>>>> Yes it did break a number of
  extensions because the underlying code
  >>>>>> was completely rewritten but it is
  my understanding that most of
  >>>>>> these were subsequently patched to
  work with it.
  >>>>>>
  >>>>>> --
  >>>>>> Paul Whitham
  >>>>>> Certified Dreamweaver MX2004
  Professional
  >>>>>> Adobe Community Expert - Dreamweaver
  >>>>>>
  >>>>>> Valleybiz Internet Design
  >>>>>> www.valleybiz.net
  >>>>>>
  >>>>>> "Pizza Good"
  <[email protected]> wrote in message
  >>>>>>
  news:[email protected]...
  >>>>>>>I think what he is referring to
  is the sql injection "prevention"
  >>>>>>>code that was introduced in the
  8.0.2 update. I read a bunch of
  >>>>>>>issues related to the way
  recordsets were coded and that a page that
  >>>>>>>was coded lets say in ASP using
  8.0.1 that had used QueryString
  >>>>>>>values that were passed into the
  recodset for filtering/searching no
  >>>>>>>longer worked. I also read that
  8.0.2 "broke" a lot of extensions
  >>>>>>>because of the fix.
  >>>>>>>
  >>>>>>> I am still using MX2004, but I'm
  curious if the supposed problems
  >>>>>>> that came up with 8.0.2 could be
  totally avoided if a programmer
  >>>>>>> used Stored Procedures?
  >>>>>>>
  >>>>>>> Hopefully that makes sense.
  >>>>>>>
  >>>>>>>
  >>>>>>> "Paul Whitham
  AdobeCommunityExpert" <[email protected]> wrote in
  >>>>>>> message
  news:[email protected]...
  >>>>>>>> Most of the change that was
  made to the recordset in 8.0.2 was to
  >>>>>>>> eliminate SQL injections.
  What specifically are you refering to as
  >>>>>>>> an issue now
  >>>>>>>>
  >>>>>>>> --
  >>>>>>>> Paul Whitham
  >>>>>>>> Certified Dreamweaver MX2004
  Professional
  >>>>>>>> Adobe Community Expert -
  Dreamweaver
  >>>>>>>>
  >>>>>>>> Valleybiz Internet Design
  >>>>>>>> www.valleybiz.net
  >>>>>>>>
  >>>>>>>> "Brendon"
  <[email protected]> wrote in message
  >>>>>>>>
  news:[email protected]...
  >>>>>>>>> Those that are beta
  testing it would know - if they were doing
  >>>>>>>>> serverside/sql related.
  It wouldn't be speculation at all - in
  >>>>>>>>> fact it would be pretty
  straight forward to test.
  >>>>>>>>> I'd be very surprised if
  they havn't fixed the issue - in fact I
  >>>>>>>>> thought it was fixed in
  the 8.0.2 update, but I could be wrong.
  >>>>>>>>>
  >>>>>>>>> Brendon
  >>>>>>>>>
  >>>>>>>>> "Deaf Web Designer"
  <[email protected]> wrote in
  >>>>>>>>> message
  news:[email protected]...
  >>>>>>>>>> DW CS3 is not here
  as yet.
  >>>>>>>>>>
  >>>>>>>>>> Only time will tell
  once you have DW CS3 installed on your
  >>>>>>>>>> platform and find
  >>>>>>>>>> out if that is the
  case.
  >>>>>>>>>>
  >>>>>>>>>> At this point, it is
  all speculation without knowing the fact of
  >>>>>>>>>> the problem.
  >>>>>>>>>> Try to be a bit more
  patient until official release of product
  >>>>>>>>>> sometime this
  >>>>>>>>>> spring.
  >>>>>>>>>>
  >>>>>>>>>
  >>>>>>>>>
  >>>>>>>>
  >>>>>>>>
  >>>>>>>
  >>>>>>>
  >>>>>>
  >>>>>>
  >>>>>
  >>>>>
  >>>>
  >>>>
  >>>
  >>>
  >>
  >>
  >
  >

• Sql injection attack - need help changing ASP code

  Our web server was attacked yesterday by SQL injection. So I
  quickly learned about the holes in the code that was generated by
  Dreamweaver MX 2004.
  I found the help article on the Adobe website to fix the ASP
  code; however I need more information for my particular case. I
  don't know how to get my cursor type and location settings into the
  new code.
  MY ORIGINAL CODE
  <%
  Dim Recordset1
  Dim Recordset1_numRows
  Set Recordset1 = Server.CreateObject("ADODB.Recordset")
  Recordset1.ActiveConnection = MM_Oncology_STRING
  Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE
  Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
  Recordset1.CursorType = 0
  Recordset1.CursorLocation = 3
  Recordset1.LockType = 1
  Recordset1.Open()
  Recordset1_numRows = 0
  %>
  THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
  AND LOCATION ABOVE.
  <%
  Dim Recordset1
  Dim Recordset1_cmd
  Dim Recordset1_numRows
  Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
  Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
  Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir
  WHERE Oncology_ID = ?"
  Recordset1_cmd.Prepared = true
  Recordset1_cmd.Parameters.Append
  Recordset1_cmd.CreateParameter("param1", 5, 1, -1,
  Recordset1__MMColParam) ' adDouble
  Set Recordset1 = Recordset1_cmd.Execute
  Recordset1_numRows = 0
  %>
  What exactly is the 5,1,-1 in the code above?
  Any help would be very much appreciated as my ASP page
  (although secured from SQL injection) is not working properly.
  Thanks,
  --Jen
  --Jen

  The new snippet is not vulnerable to SQL injection. It uses a
  command
  object and actual defined parameters, so you're safe. You
  cannot change the
  cursor type or location on that object.
  "jennday" <[email protected]> wrote in
  message
  news:f85omh$ngg$[email protected]..
  > Our web server was attacked yesterday by SQL injection.
  So I quickly
  > learned
  > about the holes in the code that was generated by
  Dreamweaver MX 2004.
  > I found the help article on the Adobe website to fix the
  ASP code; however
  > I
  > need more information for my particular case. I don't
  know how to get my
  > cursor type and location settings into the new code.

• SQL Injection attack

  After an SQL injection attack I followed the advice to use
  cfqueryparam in my cfquery statements. Unfortunatley this does not
  seem to have worked as many records in my database have again been
  appended with scripts linking to javascript files on another
  website.
  I haven't coded in Coldfusion in a while and would really
  appreciate it if someone could take a look at the code of one of my
  pages and let me know if I have missed anything or miss coded the
  cfqueryparam tag.
  Thanks in advance
  Neil

  You can add the following code to your application file.
  <!--- CREATE SQL REGULAR EXPRESSION--->
  <cfset sqlregex = "
  (SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
  (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
  (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
  (DELETE\sFROM\s[\d\w\'\=]+)|
  (DROP\sTABLE\s[\d\w\'\=]+)">
  <!--- CHECK FORM VARIABLES --->
  <cfloop collection="#form#" item="formelement">
  <cfif isSimpleValue(evaluate(formelement)) AND
  refindnocase(sqlregex, "#evaluate(formelement)#")>
  <cflocation url="messages.cfm?message=Invalid Input.
  Possible SQL Injection attack.">
  <cfset StructClear(form)>
  <cfabort>
  </cfif>
  </cfloop>
  <!--- CHECK URL VARIABLES --->
  <cfloop collection="#url#" item="formelement">
  <cfif isSimpleValue(evaluate(formelement)) AND
  refindnocase(sqlregex, "#evaluate(formelement)#")>
  <cflocation url="messages.cfm?message=Invalid Input.
  Possible SQL Injection attack.">
  <cfset StructClear(url)>
  <cfabort>
  </cfif>
  </cfloop>
  Good luck
  Mamdoh
  P.S: The credit for the script go to sys-con.com

• Lightswitch Security, Protection against SQL Injection attacks etc.

  Hi all,
  I have been hunting around for some kind of documentation that explains how Lightwitch handles typical web application vunerabilities such as SQL injection attacks.
  In the case of injection attacks it is my understanding the generated code will submit data to the database via names parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
  issues to help provide assurance to businesses that by relying on a framework such as Lightswitch does not introduce security risks.
  Is anyone aware of such documentation? I found this but it barely scratches the surface:
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  There is this which describes best practices but nothing to say that these practices are adopte within Lightswitch
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  Thanks for any help, I am amazed that it is so difficult to find?

  LS is a tool built in top of other technologies including Entity Framework.
  Here is a security doc about EF.
  http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
  LS uses Linq to Entities and therefore is not susceptible to SQL injection.
  HTH,
  Josh
  PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier.  In that case, the web.config which contains connection strings is on the client machine, which is a risk.  Here is a discussion related
  to db security & 2 vs 3-tier.
  https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch

• Preventing sql injection attack

  string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
                                OleDbConnection myConnection9 = new OleDbConnection(objConn9);
                                string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
                                OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
                                myCommand9.Parameters.Add(":username", txtUsername.Text);
                                myCommand9.Parameters.Add(":password", txtPassword.Text);
                                myConnection9.Open();
                                myCommand9.ExecuteNonQuery();
                                myConnection9.Close();
  i'm using this code to try to remove the problem of
  users entering a comma or an semi colon and throwing off my query, but its not working...
  is there an easy way to insert text values into oracle 8i
  that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.net

  I may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
  It is only when concatenating a string together to make a sql statement that injection attacks can occur.
  See
  http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
  and search for injection.
  Or just go to
  http://asktom.oracle.com
  and search for "sql injection bind variable" for lots of other references.

• SQL Injection Attacks

  Any Admins aware of possible SQL "injection" attacks like this?
  For example in your web sites login.asp or similar:
  select * from users
  where uname='%value1%'
  and pwd='%value2%'
  where %value1% equals "garbage"
  and %value2% equals "garbage' or TRUE or '"
  select * from users
  where uname='garbage'
  and pwd='garbage' or TRUE or ''
  Useful source of security info:
  http://www.nextgenss.com/news.html
  Get Oracle Security Patches:
  http://otn.oracle.com/deploy/security/alerts.htm
  Adeeva.

  There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
  One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
  PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
  RETURN INTEGER
  IS
  x INTEGER;
  sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
  BEGIN
  EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
  RETURN x;
  END;
  This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
  Nothing is foolproof but at least it makes it harder for them.

• I am using dreamweaver cs6 is it protected from various hacker attacks such as sql injection,xss,?

  i mean if i built a site using php and sql using dreamweaver cs 6 ...will it be protected from various hacker attacks such as sql injection,xss,spoofed form input,etc..?? if it is not protected...tell me where can i learn to protect my website using php and sql....from all types of hacker attacks...help needed.... thank you..:)

  A couple more comments.
  To guard against most of these security risks, you have to completely sanitize any user input whether processed further on subsequent pages or added to a database.  That complete sanitization usually involves stripping out any HTML/JavaScript, and blocking SQL-crashing equalities/inequalities.
  You can get alot of information about these and other methods on the Dreamweaver AppDev forum -
  http://forums.adobe.com/community/dreamweaver/dreamweaver_development?view=discussions
  which is where most server-scripting topics are discussed.

• Preventing Sql Injection Attacks

  Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing sql injection attacks on our server. It was difficult to decide where to post it as it is a security issue but it may be general server issue. Or is it???

  It would have helpful if you had either repeated the text of your other post here, or else included a link Sql Injection.
  Tom Best posted a link to an interesting sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best best place to start (as no-one else posted to that thread).
  Cheers, APC

• SQL Injection, replace single quote with two single quotes?

  Is replacing a single quote with two single quotes adequate
  for eliminating
  SQL injection attacks? This article (
  http://www.devguru.com/features/kb/kb100206.asp
  ) offers that advice, and it
  enabled me to allow users to search name fields in the
  database that contain
  single quotes.
  I was advised to use "Paramaterized SQL" in an earlier post,
  but I can't
  understand the concept behind that method, and whether it
  applies to
  queries, writes, or both.

  Then you can use both stored procedures and prepared
  statements.
  Both provide better protection than simply replacing
  apostrophes.
  Prepared statements are simple:
  Set myCommand = Server.CreateObject("ADODB.Command")
  ...snip...
  myCommand.CommandText = "INSERT INTO Users([Name], [Email])
  VALUES (?, ?)"
  ...snip...
  myCommand.Parameters.Append
  myCommand.CreateParameter("@Name",200,1,50,Name)
  myCommand.Parameters.Append
  myCommand.CreateParameter("@Email",200,1,50,Email)
  myCommand.Execute ,,128 'the ,,128 sets execution flags that
  tell ADO not to
  look for rows to be returned. This saves the expense of
  creating a
  recordset object you don't need.
  Stored procedures are executed in a similar manner. DW can
  help you with a
  stored procedure through the "Command (Stored Procedure)"
  server behavior.
  You can see a full example of a prepared statement by looking
  at DW's
  recordset code after you've created a recordset using version
  8.02.
  "Mike Z" <[email protected]> wrote in message
  news:eo5idq$3qr$[email protected]..
  >I should have repeated this, I am using VBScript in ASP,
  with an Access DB.
  >

• Sql injection

  What is SQL Injection?
  SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
  An attack against a database using SQL Injection could be motivated by two primary objectives:
  1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
  2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
  There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
  * JSP
  * ASP
  * XML, XSL and XSQL
  * Javascript
  * VB, MFC, and other ODBC-based tools and APIs
  * Portal, the older WebDB, and other Oracle Web-based applications and API’s
  * Reports, discoverer, Oracle Applications
  * 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
  * Perl and CGI scripts that access Oracle databases
  * many more.
  Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
  The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
  While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
  Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
  1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
  2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
  The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
  [http://www.securityfocus.com/infocus/1644]
  how oracle prevent sql injections?

  mango_boy wrote:
  damorgan wrote:
  And they do so using bind variables
  http://www.morganslibrary.org/reference/bindvars.html
  and DBMS_ASSERT
  http://www.morganslibrary.org/reference/dbms_assert.html
  do you have any suggestion for mysql users??Yes. Install Oracle.

• SQL Injection Blocker

  Hello all-
  I've got a server with a huge number of ColdFusion templates
  (over 10,000) which I really need to protect agains SQL Injection.
  I know that CFQUERYPARAM is the best way to do this. I'd love
  to do it that way, but with so many pages, and so many queries it
  would take weeks/months to fix the queries, then test to make sure
  I didn't screw something up.
  So, I've come up with a plan that I wanted to get some input
  on.
  Currently, I have a page on my server that is included in
  almost every page that runs. It is a simple page that I can modify
  to change the status of my systems in the event of a database
  changeover, or some other sort of failure. (The pages still run,
  but no updating is allowed, only reading)
  Okay, so on this page which is always included, I was
  thinking about analyzing the variables that come over. I was
  thinking about looking for things that looked like a SQL injection
  attack and blocking the page from running.
  I wanted to know if this would work- anyone have ideas? This
  would be great because I could protect the entire server in about
  an hour. But, I don't want to give myself a false sense of security
  if this won't really do the job.

  First, here are some simple things you can do to protect all
  pages before you follow the other advice and plans in this thread:
  In CF administrator, click on your datasources and then the
  "Advanced" button.
  There you will uncheck all but the read and stored procedure
  and (possibly) write permissions. "Drop", "Create", etc., are
  definite no-nos here.
  If you haven't already, make one data source read-permissions
  only and refactor your code to use it everywhere except for
  carefully segregated updates, inserts and deletes.
  Now, in SQL Server itself, remove all permissions from the
  users that CF uses except for data_reader and (selectively) data
  writer and exec permissions on any procedures or functions you use.
  In SQL server, setup at least two CF users. One, should have
  only the data_reader permission (plus any read-only stored
  procedures).
  Find articles, such as this one:
  http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
  and follow their advice, start with locking down xp_cmdshell.
  These measures require little or no CF code changes but will
  block all but the most determined and skilled hackers. You still
  need to follow Adam's advice though.
  BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
  injection.
  SQL server is not even the most vulnerable anymore (Studies
  show that Oracle now has that "honor").