karn
Starting Member
14 Posts
Posted - 2006-05-05 : 05:26:20

Hi,

My web server has MS SQL at the back-end and ASP at the front-end. A UserID, Password, and a dynamically generated code field are present on the website for the user to log on. The UserID field takes an EMAIL address as input. There are other features in the website such as search and advanced search, cart etc. At the back-end, stored procedures are used. However, according to a recent audit done on the site using Acunetix v3.0 the results have been otherwise. A clear possibility of a successful SQL injection attack has been shown in the report (in the search, advanced search field and certain other pages).

I have tried and worked out injection strings to my understanding and knowledge of this subject. I also studied the report generated by Acunetix with the tested parameters making the site vulnerable. However, the security of the website could not be completely tested with this information.

My question and concern is:
- Does using stored procedures not thwart the injection attack?
- I have limited experience in SQL coding. However, I'm studying the subject and willing to learn and experiment with it considering the urgency of performing the audit. How can I test the security myself (with or without third-party tools)? I need to test in max. possible detail considering the possible methods that intruders may employ.

I understand this might be a difficult question to explain for someone and to work out for me as well, but I know it's an achievable metric.

Your opinions and suggestions are welcome.

Thanks.

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 08:01:32

Proper use of stored procedures makes injection impossible. No exec('stuff').

Can you show us how you are performing advanced searches and searches?

Also read this: http://weblogs.sqlteam.com/jeffs/archive/2006/04/21/9651.aspx

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 08:57:56

spirit,

According to the results I received from Acunetix, certain pages - Search, Advanced Search, Cart - were susceptible to injection, CSS scripts, parameter manipulation etc. I used the parameters with which Acunetix tested the pages, manually entering them in the respective fields, with no positive results.

I tested the 'Forget Password' option (forgetpassword.asp) on my site with a few strings. Though I couldn't get any deeper, still I was able to gather a little information such as table name and field names from it. Though the developer team is confident that the db is all safe, I doubt so. Please find below the strings that I tested the page with:

A) ' having 1=1--
   Column 'table_name.col_pwd' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. /pagename/page1.asp, line 41

B) ' group by table_name.col_username having 1=1--
   Microsoft OLE DB Provider for SQL Server error '80040e14' Column 'table_name.col_pwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /pagename/page1.asp, line 41

C) ' union select count(col_pwd) from table_name--
   Microsoft OLE DB Provider for SQL Server error '80040e07' The sum or average aggregate operation cannot take a varchar data type as an argument. /pagename/page1.asp, line 41

D) ' union select sum(col_username) from table_name--
   Microsoft OLE DB Provider for SQL Server error '80040e07' The sum or average aggregate operation cannot take a nvarchar data type as an argument. /pagename/page1.asp, line 41

E) ' OR 1=1-- OR desc table_name;
   ' OR 1=1-- UNION desc table_name;
   Your Pasword has been sent to your Email address.

F) ' union select min(col_username),1,1 from table_name where col_username > 'a'--
   Microsoft OLE DB Provider for SQL Server error '80040e14' All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. /pagename/page1.asp, line 41

G) ' union select * from master..sysobjects
   Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ''. /pagename/page1.asp, line 41

---

I need to test the site and verify the Acunetix report.

Your suggestions and guidance are welcome.

Thanks.

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2006-05-05 : 09:24:53

Using sprocs is not enough; you need to suppress the descriptive error messages that are invoked when an error is encountered.

Usually these error messages appear because they were not handled within the program, but if you catch these errors and display custom messages, those messages giving you bits of information won't show...

From there you can employ your own audit: you can just show error numbers instead of descriptive text, and log that down along with any other information you need.

Hope that makes sense...

--------------------
keeping it simple...

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 09:38:43

She's right, as usual... The proper way for an input mask, be it web or win, is:
1. enter the data
2. press submit
3. validate data before going anywhere near the SQL
4. put valid data into parameters
5. execute db stuff
6. enjoy

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

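As an added illustration of spirit1's "no exec('stuff')" point and jen's advice on masking error messages (example T-SQL written for this thread, not code from any poster or from karn's site; the table dbo.Products, its columns and the log table are assumed names), here is the same search written first as a stored procedure that still injects because it builds and EXECs a string, then as one that keeps the term a parameter, logs the real error number and returns only a generic message:

```sql
-- Added example (not from the thread). Assumed schema: dbo.Products(ProductID int, Name nvarchar(100)).

-- Vulnerable pattern: the procedure builds a string and EXECs it, so the quote in a term such as
--   x' OR 1=1--
-- closes the literal and the rest runs as SQL. "It is a stored procedure" buys nothing here.
CREATE PROCEDURE dbo.SearchProducts_Vulnerable
    @Term nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(400);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE ''%' + @Term + N'%''';
    EXEC (@sql);   -- user-supplied text executed as code
END;
GO

-- Hardened pattern: @Term only ever travels as a typed parameter value inside static SQL, never
-- as SQL text. Errors are logged with their number and replaced by a generic message, so the
-- page never echoes table or column names back to the browser.
CREATE TABLE dbo.SqlErrorLog (
    LoggedAt     datetime       NOT NULL DEFAULT GETDATE(),
    ErrorNumber  int            NOT NULL,
    ProcName     sysname        NULL,
    ErrorMessage nvarchar(4000) NULL
);
GO

CREATE PROCEDURE dbo.SearchProducts
    @Term nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        -- A quote in @Term is just a character to match. (LIKE wildcards %, _ and [ in @Term
        -- still act as wildcards; that is a data-validation concern, not injection.)
        SELECT ProductID, Name
        FROM dbo.Products
        WHERE Name LIKE N'%' + @Term + N'%';
    END TRY
    BEGIN CATCH
        INSERT INTO dbo.SqlErrorLog (ErrorNumber, ProcName, ErrorMessage)
        VALUES (ERROR_NUMBER(), ERROR_PROCEDURE(), ERROR_MESSAGE());
        -- Only generic text reaches the caller; the detail stays in the log for the audit.
        RAISERROR (N'Search failed; the error has been logged.', 16, 1);
    END CATCH
END;
GO
```

The ASP page must call dbo.SearchProducts through a parameterised ADODB.Command rather than by concatenating the term into an EXEC string, or the same hole reappears one layer up. The page's own error handler should still show a custom error page, since the generic RAISERROR text is an error as far as ADO is concerned.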
karn
Starting Member
14 Posts
Posted - 2006-05-05 : 09:49:55

True, jen & spirit. However, what I need is to know the kind of strings to use upon my site.

First, I need to test the site. Securing the flaws is the next step. I need to find and show the flaws to the development team so they know and implement code correctly in the other projects.

Any suggestion in this regard is welcome.

Thanks for your efforts. :)

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 10:04:23

Well, it seems to me you got your strings chosen pretty well... You posted the messages you got. Show that to your dev team. Tell them to suppress the error messages and to validate the data.

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 10:25:32

quote: Originally posted by spirit1
    Well, it seems to me you got your strings chosen pretty well... You posted the messages you got. Show that to your dev team. Tell them to suppress the error messages and to validate the data.

Well, true that I should show these to the dev team. But I must differ that these strings are sufficient enough. As a security tester, we need to go forth and aim at reaching deeper than is expected. However, right now I have only a very basic level of awareness of the db. Considering this is completely black-box, I am humble enough to admit that these strings are just A of A-Z. I need to know more strings, and the concept behind them, to understand and perform the testing completely.

I am looking for more suggestions for hitting my site.

Spirit, thanks for your reply. I appreciate your suggestions. :)

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 10:35:51

Well, you could post your site here and a bunch of us could have a field day playing "crash your site".

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 10:44:41

You could try this, at your own risk of course:

';drop table tablename'

Then if it works you could go with drop database dbName. However, be sure to back up everything prior to doing this, and it's not my fault if you get fired/lose money/etc. You've been warned.

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 10:47:59

quote: Originally posted by spirit1
    Well, you could post your site here and a bunch of us could have a field day playing "crash your site".

Someone's play can be a loss for many. So I can't ;) If your bunch can do 'that', this bunch 'might' also be able to shed some light on my concern. Perhaps!

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 10:51:42

quote: Originally posted by spirit1
    You could try this, at your own risk of course: ';drop table tablename' Then if it works you could go with drop database dbName. However, be sure to back up everything prior to doing this, and it's not my fault if you get fired/lose money/etc. You've been warned.

It doesn't work.

spirit1
Cybernetic Yak Master
11752 Posts
Posted - 2006-05-05 : 10:52:06

Lucky you.

Go with the flow & have fun! Else fight the flow
Blog thingie: http://weblogs.sqlteam.com/mladenp

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 10:55:53

Well, I am still looking for more information. Knowledge never ends. :)

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2006-05-05 : 10:58:09

Well, you needn't worry then, just mask the error messages... Unless you don't trust your dev, give us a try and we'll provide you recommendations afterwards. Without actual involvement it's really difficult to provide insights.

Back up the database before you provide the URL, good plan eh? Or stage it in a dev server, you get free QA.

--------------------
keeping it simple...

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 11:07:14

quote: Originally posted by jen
    Well, you needn't worry then, just mask the error messages... Unless you don't trust your dev, give us a try and we'll provide you recommendations afterwards. Without actual involvement it's really difficult to provide insights. Back up the database before you provide the URL, good plan eh? Or stage it in a dev server, you get free QA.

Jen, thanks for the offer. Considering the kind of db, I can't. I was just thinking about the report by Acunetix suggesting possible manipulation. Maybe I need to wait till more people with more info and guidance on this subject come across this post.

Thanks :)

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2006-05-05 : 11:10:11

A couple of extra rules to live by.
1. NEVER trust user input.
2. Use strongly typed variables wherever possible, i.e. if you are expecting an integer, make sure you store it as an integer so that anything else will throw an exception before it gets near your database. Similarly, stored proc parameters work well here too.
3. Check the length of user submitted strings; use maxlength on HTML input boxes.
4. Remove nasty characters or characters you know you don't need before letting them anywhere near the database (or writing them back to the page; do a Google on cross site scripting to find out what I mean).
5. Run your database access account with least privilege. If you are using procs, only allow execute permissions on the procs to the user account your web app is using. That way there is no way an attacker can read or write data, drop tables, or do any other administrative nasties. NEVER EVER run as SA (if you do that, and you have an SQL injection hole, an attacker can get at xp_cmdshell and own your entire server / network).

That's all I can think of for now.

I did a demo of some of these things to a team of devs and a network admin recently. It was fun to watch their jaws hit the ground as I dropped tables, wrote files and stopped the DB server all from an unsecured web app.

Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson

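Merkin's rule 5 written out as T-SQL, added here as an example (not code from the thread; the database ShopDB, the login WebApp and the objects dbo.SearchProducts and dbo.Products are assumed names): the web account gets EXECUTE on the procedures only, and the check at the end confirms from that account's point of view that it can run the procedure but cannot read the table directly:

```sql
-- Added example (not from the thread). Assumed names: database ShopDB, login WebApp,
-- procedure dbo.SearchProducts and table dbo.Products, all owned by dbo.
USE ShopDB;
GO

-- The web application gets its own login; it must not be sa or a member of sysadmin.
CREATE LOGIN WebApp WITH PASSWORD = N'<strong password placeholder>', CHECK_POLICY = ON;
CREATE USER WebApp FOR LOGIN WebApp;
GO

-- Grant only what the pages call: EXECUTE on the procedures. Nothing on the tables.
GRANT EXECUTE ON OBJECT::dbo.SearchProducts TO WebApp;

-- Make the intent explicit so a later role membership cannot quietly widen access.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Products TO WebApp;
DENY CREATE TABLE, CREATE PROCEDURE TO WebApp;
GO

-- The procedure still works: because proc and table share the owner dbo, SQL Server skips
-- the table permission check inside the proc (ownership chaining). Direct access does not.
EXECUTE AS USER = 'WebApp';
    SELECT HAS_PERMS_BY_NAME('dbo.SearchProducts', 'OBJECT', 'EXECUTE') AS CanExecProc,  -- 1
           HAS_PERMS_BY_NAME('dbo.Products',       'OBJECT', 'SELECT')  AS CanReadTable; -- 0
    EXEC dbo.SearchProducts @Term = N'test';   -- returns rows through the chain
    -- SELECT * FROM dbo.Products;             -- would fail with a permission error
REVERT;
GO
```

The same EXECUTE AS / REVERT check is a quick way to audit an existing account: run it as the login from the ASP connection string and confirm that SELECT on the base tables and EXECUTE on master.dbo.xp_cmdshell both come back 0.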
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2006-05-05 : 11:13:58

Here's another good one.
http://tinyurl.com/k3e6v

Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson

karn
Starting Member
14 Posts
Posted - 2006-05-05 : 11:24:52

Merkin,

I need to give my inputs to the dev team with the 'Action Taken and Recommendations' showing the strings and parameter manipulations that could affect our site(s). As of now, without appropriate testing, the recommendations to the dev team will still be incomplete.

You have given good suggestions from your experience. Though this is a new task, I am willing to learn and test the stuff.

Thanks for your points. :)

karn
Starting Member
14 Posts
Posted - 2006-05-08 : 02:42:38

Merkin,

I have been able to gather up quite a number of points on how to secure the db from injection and similar attacks now.

However, I still haven't got much clue on how to 'do' the testing manually. What kind of strings could be used for reconnaissance, enumeration, and in further exploiting and testing the db? It appears to be a difficult question for people to answer.

Am still open for answers and suggestions. :)

Thanks.

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2006-05-08 : 03:34:12

That is too much of an ask for someone to put it all into a forum post.

The basic answer is:
1. Know SQL really really well
2. See what you can exploit.

A book could be written on it, but I don't have the time right now.

If you have the task of recommending to the developers how they should test and secure their app, then you are in a position I do not envy. You should tell them to read this thread, and look at www.sqlsecurity.com

Failing that, you could hire someone to do an audit on it. This would be made quicker by supplying source code.

Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson
