Sql Injection- Security
I have an urgent requirement that has to be implemented with regard to SQL injection.
My application went through a security scanning process and a few security threats with regard to SQL injection were found. We need your valuable support and guidelines to proceed further.
Project Details: Windows application, VS2008
Data Base: Sql Server 2008.
The issue types and their details are listed below:
Threat 1: During connection initialization
SqlConnection connection = new SqlConnection(connectionString);
At this line there is a chance of a security threat. We are getting the connection string parameter from web.config as below:
private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
Flaw Information
Type: Untrusted Initialization
Issue: External Control of System or Configuration Setting
Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
Function: int ExecuteNonQuery(string, System.Data.CommandType, string, System.Data.SqlClient.SqlParameter[])
Threat 2 :
Type: SQL Injection
Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQLInjection')
Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
Threat Line:
1. command.ExecuteNonQuery();
There are a few more similar threats like the one above; the threat lines pointed out are:
2. dataReader = command.ExecuteReader();
3. adapter.Fill(ds);
4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
I have doubts about whether the above lines of code are safe from SQL injection. If not, how can an attacker attack?
One more thing: we are not passing any hard-coded queries to the DB at all. All the inputs are passed as parameters.
I am not sure what kind of threat there is with these (ExecuteNonQuery(), Fill(dataset) and connection initialization) and how to defend against malicious code/vulnerabilities.
Please help me out..... I will be waiting for your valuable support.
Thanks,
Purushotham. A
Thanks for your quick reply....
We are not passing the hard coded connection string value. We are getting it from Web.config.
SqlConnection connection = new SqlConnection(connectionString)
private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
When we pass on the connection string value as such, is there any chance of a threat from attackers?
Thanks,
purushotham.A
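The question is whether a command whose inputs all travel as parameters can still be injected. The following script is an added example (not code from the thread or from the poster's application); it uses Python's standard-library sqlite3 module in place of SqlClient to show the difference the scanner is looking for: the same lookup written with string concatenation and with bound parameters, both fed a manipulated password value of the kind quoted further down this page. The users table, the account names and the parameterized UPDATE standing in for ExecuteNonQuery are constructed for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny users table standing in for the
    # SQL Server table the question's application talks to.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_concatenated(conn, uname, pwd):
    # Query text built by string concatenation: whatever the caller typed
    # becomes part of the SQL grammar, so a quote in the input rewrites the
    # WHERE clause instead of being compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE uname='" + uname + "' AND pwd='" + pwd + "'"
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn, uname, pwd):
    # Query text is fixed; the values travel separately as parameters (the
    # sqlite3 equivalent of SqlParameter), so the driver only ever compares
    # them as data. This is what ExecuteReader with parameters does.
    sql = "SELECT COUNT(*) FROM users WHERE uname=? AND pwd=?"
    return conn.execute(sql, (uname, pwd)).fetchone()[0]


def update_parameterized(conn, uname, new_pwd):
    # The ExecuteNonQuery case from the question: a parameterized UPDATE
    # returns the number of affected rows, and quote characters in the
    # input cannot widen the WHERE clause.
    cur = conn.execute("UPDATE users SET pwd=? WHERE uname=?", (new_pwd, uname))
    conn.commit()
    return cur.rowcount


def demo():
    conn = build_db()
    # Classic quote-and-boolean form of the manipulated password shown later
    # on this page ("garbage' or TRUE or '"), written so the trailing quote
    # of the concatenated statement is consumed by the input.
    attack_pwd = "garbage' OR '1'='1"
    return {
        # Concatenation: the condition collapses to "... OR '1'='1'" and every row matches.
        "concat_rows": login_concatenated(conn, "garbage", attack_pwd),
        # Parameters: no user has that literal password, so nothing matches.
        "param_rows": login_parameterized(conn, "garbage", attack_pwd),
        # A genuine login still works through the parameterized path.
        "legit_param_rows": login_parameterized(conn, "alice", "s3cret"),
        # Parameterized non-query: the odd-looking user name matches no row.
        "update_rows": update_parameterized(conn, "garbage' OR 1=1 --", "x"),
    }


if __name__ == "__main__":
    print(demo())
```

The result is the scanner's distinction in one run: the concatenated lookup returns both rows for the manipulated value, the parameterized lookup returns none, and the parameterized UPDATE affects no rows. What a static scanner cannot see from a call site such as command.ExecuteNonQuery() is how the CommandText was built, which is why it flags every execution point; the check to make on each flagged line is that the statement text is a constant (or a stored procedure name) and every value reaches it as a SqlParameter.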
Similar Messages
-
SAP ABAP Secure Coding. Protection against SQL Injection
Dear community,
I've recently detected a problem with dynamic SQL queries. It seems to be security relevant. I'd much appreciate it if you participate in my online survey on this topic at: http://de.surveymonkey.com/s/VC9CBVM It takes less than 1 min. It is very important to understand whether it is necessary to protect the coding against SQL injection, or whether you can say from your experience that it isn't.
Thanks a lot!
Moderator Message: if you need a poll support from SCN, then there is an area http://scn.sap.com/poll-post!input.jspa?container=2015&containerType=14 to create such. Please use it and avoid external links.
Message was edited by: Kesavadas Thekkillath
-
Lightswitch Security, Protection against SQL Injection attacks etc.
Hi all,
I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
In the case of injection attacks it is my understanding the generated code will submit data to the database via named parameters to protect against such things, but it would be good to have some official account of how Lightswitch handles relevant OWASP issues to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
Is anyone aware of such documentation? I found this but it barely scratches the surface:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
There is this which describes best practices but nothing to say that these practices are adopted within Lightswitch
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Thanks for any help, I am amazed that it is so difficult to find?
LS is a tool built on top of other technologies including Entity Framework.
Here is a security doc about EF.
http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
LS uses Linq to Entities and therefore is not susceptible to SQL injection.
HTH,
Josh
PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related
to db security & 2 vs 3-tier.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch -
Web and Database Security - SQL Inject info
Web and Database Security - SQL Injection.
Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
http://www.issadvisor.com/viewtopic.php?t=125
SQL Injection. 3 parts. The first part discusses the basics of how to test
web applications for SQL injection vulnerabilities. The second part goes into
the specifics of how to manually identify and test for SQL injection
vulnerabilities. And the third part describes how to exploit SQL injection to
retrieve data from the database.
http://www.issadvisor.com/viewtopic.php?t=123
Understanding this critical security issue helps web developers that leverage databases design and make their applications more secure.
Hopefully these two links are informative and useful. Please pass them on.
An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
Justin -
SQL Injection on CallableStatement
I will try to post this all in one line, as the tags are not working today. I know that one should use PreparedStatement over Statement to obviate the threat of a SQL injection attack. Is CallableStatement vulnerable as well? For reference, this would be running against an Oracle RDBMS. Thanks!
- Saish
I guess there is no hard-and-fast rule.
Well, I guess the hard and fast rule is "only use
bound variables". If you've got a sane database
design then that shouldn't cause you any problems.
Dave.
I agree. I was approaching the issue mainly from a security perspective in locking down a legacy system against SQL injection attacks. Using Eclipse, I was able to zero in on usages of Statement fairly easily. But the more I looked into CallableStatement, the more I realized that I would have to inspect each invocation manually. (Just in case someone did not bind variables or built a dynamic SQL string).
- Saish -
Hello all-
I've got a server with a huge number of ColdFusion templates
(over 10,000) which I really need to protect agains SQL Injection.
I know that CFQUERYPARAM is the best way to do this. I'd love
to do it that way, but with so many pages, and so many queries it
would take weeks/months to fix the queries, then test to make sure
I didn't screw something up.
So, I've come up with a plan that I wanted to get some input
on.
Currently, I have a page on my server that is included in
almost every page that runs. It is a simple page that I can modify
to change the status of my systems in the event of a database
changeover, or some other sort of failure. (The pages still run,
but no updating is allowed, only reading)
Okay, so on this page which is always included, I was
thinking about analyzing the variables that come over. I was
thinking about looking for things that looked like a SQL injection
attack and blocking the page from running.
I wanted to know if this would work- anyone have ideas? This
would be great because I could protect the entire server in about
an hour. But, I don't want to give myself a false sense of security
if this won't really do the job.
First, here are some simple things you can do to protect all
pages before you follow the other advice and plans in this thread:
In CF administrator, click on your datasources and then the
"Advanced" button.
There you will uncheck all but the read and stored procedure
and (possibly) write permissions. "Drop", "Create", etc., are
definite no-nos here.
If you haven't already, make one data source read-permissions
only and refactor your code to use it everywhere except for
carefully segregated updates, inserts and deletes.
Now, in SQL Server itself, remove all permissions from the
users that CF uses except for data_reader and (selectively) data
writer and exec permissions on any procedures or functions you use.
In SQL server, setup at least two CF users. One, should have
only the data_reader permission (plus any read-only stored
procedures).
Find articles, such as this one:
http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
and follow their advice, start with locking down xp_cmdshell.
These measures require little or no CF code changes but will
block all but the most determined and skilled hackers. You still
need to follow Adam's advice though.
BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
injection.
SQL server is not even the most vulnerable anymore (Studies
show that Oracle now has that "honor"). -
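The poster's plan of inspecting every incoming variable from a page that all requests include can be tried offline. The script below is an added example, not code from the thread or from the poster's server, and it is written as a detector that reports findings rather than a blocker. It applies three patterns drawn from the injection shapes discussed on this page (a quote followed by a boolean operator, SQL comment markers, a stacked statement) to constructed query strings, and shows both sides of the trade-off: the manipulated login value from this page is caught, while a legitimate note containing "--" is flagged as well, which is the false-positive problem that makes filtering a poor substitute for cfqueryparam.

```python
import re
import urllib.parse

# Detection rules. The pattern names are this example's own; the shapes come
# from the injection examples quoted elsewhere on this page.
SUSPICIOUS = [
    ("quote_then_boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("sql_comment", re.compile(r"(--|/\*)")),
    ("stacked_statement", re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I)),
]


def inspect_request(query_string):
    # Decode the query string the way the included page would see it and
    # return {parameter_name: [rule_name, ...]} for every parameter that
    # matches at least one rule. Parameters with no findings are omitted.
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        for value in values:
            hits = [rule for rule, rx in SUSPICIOUS if rx.search(value)]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


# Constructed sample requests: one carrying the manipulated password value
# quoted on this page, two carrying ordinary user data.
SAMPLE_REQUESTS = {
    "attack": "user=garbage&pwd=garbage%27+or+TRUE+or+%27",
    "irish_name": "surname=O%27Niel",
    "stats_note": "comment=n+%3C+300+--+see+appendix",
}


def demo():
    # Run the detector over every sample and collect the findings per label.
    return {label: inspect_request(qs) for label, qs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

Run as written, the manipulated password is reported under its parameter name, the apostrophe in O'Niel is (correctly) left alone, and the statistics note is reported because of the "--". Logging those findings is useful for spotting probing, but blocking on them would reject real data, and a rule list this short is trivially incomplete; the database-side permission changes described in the reply above and parameterized queries remain the controls that actually close the hole.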
SQL Injection - cfqueryparam and other techniques to stop abuse?
We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
Thanks for any other suggestions.
CFqueryparam is a good first step, though you should note that it will not protect some queries. For example if you have a sort by or order by that is dynamic, cfqueryparam won't help in that case. You will need to review data and validate for that.
You should also be checking for XSS vulnerabilities.
http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion
The blog above has a great number of CF security related posts.
Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
http://www.petefreitag.com/item/721.cfm
There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
http://portcullis.riaforge.org/
Finally there are several conferences in the CF world coming up, and all surely have some security sessions. You may want to attend. -
We have recently had an SQL injection attack on our site. The web form in question was calling a second cfm with a post command. The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
- implemented the cfqueryparam tag on all applicable fields being entered in the form
- introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
- consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
However, I am still getting intermittent injection errors into my MS SQL table. I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilities. I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it. I've researched the web and found no assistance on how to use this utility. Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
Any assistance would be very much appreciated.
Ian:
Thanks for the information. The utility is helpful and confirmed for me that my page was secure from SQL injection. The additional insight you provided has led me to discover that my issue was not an SQL injection, but a Cross Scripting attack. A web vulnerability utility from Acunetix helped me determine that.
Thanks again,
...Wes -
Good night:
I'm trying to understand the use of OracleParameters in Visual Basic .NET 2008. It is said that its goal is to avoid SQL injection, but as far as I know Oracle throws an exception every time you use a ;, so I assume it is not possible to inject malicious SQL into Oracle.
Does anybody know if it's possible and how to do an SQL injection to Oracle by means of an ADO.NET command?
Thank you
The section "Understanding SQL Injection Attacks" in Securing a .NET Application on the Oracle Database: http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html shows examples in VB .NET.
-
SQL Injection from PL/SQL function.
WE have some issues with a third party application which has vulnerabilities to SQL Injection, we have delivered a proof of concept to the developers demonstrating that it is possible to return additional (unrestricted) results to the front end, we have also found the following function in the back end. Assuming that its possible to call this function (which it is) and we can pass in whatever we want and that the user has exp_full_database and imp_full_database roles granted is there anything destructive possible with the following function?
FUNCTION row_count (tab_name VARCHAR2) RETURN INTEGER AS
rows INTEGER;
BEGIN
EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || tab_name INTO rows;
RETURN rows;
END;
version 11.2.0.3, linux x86
Simple example.
SQL> --// table to hack in production - we are going to nuke it
SQL> create table production_table1(
2 some_data number
3 );
Table created.
SQL> --// production code typically executes with production rights (authid definer)
SQL> create or replace function RowCount( tabName varchar2 ) return integer authid definer is
2 --// code executes with the privs of the owner of the code
3 cnt integer;
4 begin
5 execute immediate 'SELECT COUNT(*) FROM ' || tabName into cnt;
6 return( cnt );
7 end;
8 /
Function created.
SQL> --// expected use of production code
SQL> var i number
SQL> exec :i := RowCount( 'EMP' );
PL/SQL procedure successfully completed.
SQL> print i
I
14
SQL>
SQL> --// create the following in any schema that I, as hacker, have access to and the
SQL> --// right to create a procedure - and using "access/security escalation", I'm going
SQL> --// to get production code to run my code with production rights
SQL>
SQL> create or replace function InjectCode return integer authid current_user is
2 --// code executes with the privs of the caller of the code
3 pragma autonomous_transaction;
4 begin
5 execute immediate 'drop table PRODUCTION_TABLE1 purge';
6 return( 0 );
7 end;
8 /
Function created.
SQL>
SQL> --// production table is there
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
OBJECT_TYPE OBJECT_NAME
TABLE PRODUCTION_TABLE1
SQL>
SQL> --// inject my code into production code
SQL> exec :i := RowCount( 'EMP where InjectCode() = 0' );
PL/SQL procedure successfully completed.
SQL> print :i
I
14
SQL> --// production table is nuked
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
no rows selected
SQL> -
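Two places on this page take a value that cannot be bound as a parameter: the dynamic ORDER BY mentioned in the ColdFusion thread above, and the table name that row_count splices into its statement. The script below is an added example, not code from either thread and not a translation of the PL/SQL; it uses Python with sqlite3 to show the hardened shape: the identifier is checked against a fixed allow-list before it is placed in the statement text, and a sort direction is derived from a boolean rather than taken from the request. The tables, column names and allow-lists are constructed for the example.

```python
import re
import sqlite3

# Allow-lists are the whole point: an identifier is accepted only if the
# application already knows it. Both sets are constructed for this example.
ALLOWED_SORT_COLUMNS = {"surname", "created_at"}
ALLOWED_COUNT_TABLES = {"emp", "dept"}

IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_db():
    # Constructed sample schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (surname TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO emp VALUES (?, ?)",
                     [("Zed", "2020-01-01"), ("Adams", "2021-05-05")])
    conn.execute("CREATE TABLE dept (name TEXT)")
    conn.execute("INSERT INTO dept VALUES ('ops')")
    conn.commit()
    return conn


def safe_identifier(name, allowed):
    # Identifiers cannot travel as bind parameters, so the only safe option
    # is to accept a value from a fixed list. The syntax check rejects
    # anything with spaces, quotes, semicolons or parentheses outright; the
    # membership check rejects valid-looking names the caller may not use.
    if not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name):
        raise ValueError("identifier has invalid characters: %r" % (name,))
    if name.lower() not in allowed:
        raise ValueError("identifier not in allow-list: %r" % (name,))
    return name.lower()


def list_employees(conn, sort_by, descending=False):
    # Dynamic ORDER BY done safely: column from the allow-list, direction
    # from a boolean, so no request text ever reaches the statement.
    col = safe_identifier(sort_by, ALLOWED_SORT_COLUMNS)
    direction = "DESC" if descending else "ASC"
    rows = conn.execute("SELECT surname FROM emp ORDER BY %s %s" % (col, direction)).fetchall()
    return [r[0] for r in rows]


def row_count(conn, tab_name):
    # Hardened counterpart of the page's row_count function: the table name
    # is validated before it is concatenated into the statement text.
    tab = safe_identifier(tab_name, ALLOWED_COUNT_TABLES)
    return conn.execute("SELECT COUNT(*) FROM %s" % tab).fetchone()[0]


def demo():
    conn = build_db()
    results = {
        "sorted": list_employees(conn, "surname"),
        "emp_count": row_count(conn, "EMP"),
    }
    # The injected argument from the SQL*Plus session above, and a stacked
    # statement, are both rejected before any SQL is assembled.
    for bad in ("EMP where InjectCode() = 0", "surname; DROP TABLE emp"):
        try:
            row_count(conn, bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

In PL/SQL the syntactic half of this check is available as DBMS_ASSERT.SIMPLE_SQL_NAME (and DBMS_ASSERT.SQL_OBJECT_NAME for names that must resolve to an existing object); the allow-list is still needed because a definer-rights function that accepts any existing table name lets the caller count, and with the technique shown above run code against, tables they were never granted access to.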
Sql injection attack - need help changing ASP code
Our web server was attacked yesterday by SQL injection. So I
quickly learned about the holes in the code that was generated by
Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP
code; however I need more information for my particular case. I
don't know how to get my cursor type and location settings into the
new code.
MY ORIGINAL CODE
<%
Dim Recordset1
Dim Recordset1_numRows
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0
Recordset1.CursorLocation = 3
Recordset1.LockType = 1
Recordset1.Open()
Recordset1_numRows = 0
%>
THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>
What exactly is the 5,1,-1 in the code above?
Any help would be very much appreciated as my ASP page
(although secured from SQL injection) is not working properly.
Thanks,
--Jen
The new snippet is not vulnerable to SQL injection. It uses a command object and actual defined parameters, so you're safe. You cannot change the cursor type or location on that object.
-
SQL Injection threat with APEX developed applications
We are using a tool, HP WebInspect, to scan some of our APEX developed applications for web application security testing and assessment. We are getting some critical and high vulnerabilities identified (see below) and would like to know if someone else has encountered these and to determine a solution, whether it be a setting/settings within APEX or is it more related to the application and the way it was developed.
Critical:
Possible SQL Injection
File Names: • https://xxx.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records'+OR%2cwe+will+send+the+workspace+names+associated+with+this+email+address.+If+you+are+having+problems+receiving+the+workspace+names%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
• https://busaff-test.utdallas.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+777-777-1911form%40value777.com+exists+in+our+records%2cwe%2bwill%2bsend%2bthe%2bworkspace%2bnames%2bassociated%2bwith%2bthis%2bemail%2baddress.%2bIf%2byou%2bare%2bhaving%2bproblems%2breceiving%2bthe%2bworkspace%2bnames'%2bOR%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
High:
Possible Username or Password Disclosure
File Names: • https://xxx.edu:443/pls/apex/f?p=104:101:1328157658320206:&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/
• https://xxx.edu:443/pls/apex/f?p=104:101:2360963243212364&notification_msg=Invalid%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/
You can help us by telling us your first name, putting it into your profile, and by selecting a friendlier handle.
The details you showed indicate no SQL injection possibilites whatsoever. The "Critical" examples also are unrelated to Application Express applications that you may have developed (application 4550 is the login application for the product itself and should rarely be used by end users in production environments).
Scott -
SQL Injection analysis report does not work.
I have tried to run the SQL Injection report (Home | Utilities | Object Reports | Security | SQL Injection) but it comes up with the following message.
"SQL Injection analysis is not supported with your current database version. It is only available for Oracle release 10.2 or higher."
I have tried this as both an ordinary user and as system, on both Windows XP and Linux.
This is a bug in the XE Beta. The SQL Injection Analysis will not be accessible for XE production.
Joel -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.
There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
FUNCTION validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
x INTEGER;
-- fixed statement text; the two inputs are supplied as bind variables, never concatenated
sqlstr VARCHAR2(200) := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
RETURN x;
END;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
SQL Injections and XSS - Escaping Special Characters
Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
Nigel
Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.
Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.
This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators.