Re: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- From: Dinis Cruz <dinis@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- Date: Tue, 11 Apr 2006 08:11:05 +0100
Dain,
Can you also show us your stored procedure?
If in this stored procedure you concatenate (i.e. add) the parameters
received, you can still have a case of SQL Injection (I have seen
several cases of SQL Injection on stored procedures).
My preferred solution to handle (potentially) malicious data is to have
all inputs described with metadata defining what they want to receive
(i.e. a white list). This metadata (for example a RegEx) can then be
enforced by data validation engines placed at input choke points. Even
more usefully, this architecture allows for easy analysis and audit
by security consultants.
This is exactly what I did on Foundstone's Validator .NET when used to
protect the latest version of Hacme Bank.
Dinis Cruz
Owasp .Net Project
www.owasp.net
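As an added illustration of the metadata-driven white-list approach described above (example code written for this page, not Foundstone's Validator .NET or anything posted in the thread; the field names, patterns and limits are assumptions), a small validation engine that enforces per-input RegEx metadata at one choke point and can print the same metadata for an auditor:

```python
import re

# Constructed example of metadata-driven white-list validation; not the
# Foundstone Validator .NET code. Field names and patterns are made up.
# Each input is described once, by metadata saying what it may contain.
INPUT_METADATA = {
    "IDValue":  {"regex": r"[0-9]{1,10}",         "max_len": 10,  "required": True},
    "username": {"regex": r"[A-Za-z0-9_.]{3,32}", "max_len": 32,  "required": True},
    "comment":  {"regex": r"[\w .,!?'-]*",        "max_len": 200, "required": False},
}

class ValidationError(ValueError):
    pass

def validate(request, metadata=INPUT_METADATA):
    """Choke-point check run on the raw request before any SQL is built: returns
    only declared fields that pass their white-list rule; a missing required
    field, an over-long or out-of-pattern value, or any undeclared field rejects."""
    clean = {}
    for name, rule in metadata.items():
        value = request.get(name)
        if value is None:
            if rule["required"]:
                raise ValidationError(f"{name}: missing")
            continue
        if len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: longer than {rule['max_len']}")
        # fullmatch anchors the pattern to the whole value, so no prefix or suffix slips by
        if not re.fullmatch(rule["regex"], value):
            raise ValidationError(f"{name}: outside white list")
        clean[name] = value
    undeclared = sorted(set(request) - set(metadata))
    if undeclared:
        raise ValidationError(f"undeclared inputs: {undeclared}")
    return clean

def is_valid(request, metadata=INPUT_METADATA):
    try:
        validate(request, metadata)
        return True
    except ValidationError:
        return False

def audit_report(metadata=INPUT_METADATA):
    """One line per input: what a security reviewer reads instead of every page."""
    return "\n".join(
        f"{name}: /{rule['regex']}/ max {rule['max_len']} "
        f"{'required' if rule['required'] else 'optional'}"
        for name, rule in metadata.items())
```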
dpw wrote:
> Interesting - not being a java developer, I realize there's probably a
> disconnect. We prefer (and rely on) "parameterized queries" here.
>
> Being a simple unwashed heathen web-monkey, my term "parameterized query" is
> probably not the right term...
>
> What I refer to as "parameterized query" is the act of passing the stored
> procedure parameters into the connection via an array, rather than as
> strings.
>
> ...in a nutshell:
>
> IDValue = Request("IDValue")
> SQL = "Table_GetByID"
> ParameterArray = Array(IDValue)
> Set RS = Exec(SQL, ParameterArray)
>
> Function Exec(StoredProcedure, ParameterArray)
>     Set cmd = Server.CreateObject("ADODB.Command")
>     cmd.ActiveConnection = GetConnectionString() 'defined elsewhere
>     cmd.CommandText = StoredProcedure
>     cmd.CommandType = 4 'adCmdStoredProc: run CommandText as a stored procedure
>     'the values travel in the parameter array, never spliced into SQL text
>     Set Exec = cmd.Execute(, ParameterArray)
>     'the caller closes the returned recordset (and its ActiveConnection) when done
>     Set cmd = Nothing
> End Function
>
>
> Does anyone on this list have any feelings on whether or not this is a good
> way to defeat SQL injection? This seems to defeat everything we've been able
> to throw at it - though, we are not experts!
>
> I would definitely appreciate your opinions on this.
>
> Dain White
>
> Senior Developer / Webmaster
> First Step Internet - www.fsr.com
> 208-882-8869 ext. 440
>
>
>
>
>
> -----Original Message-----
> From: Davidson, Michelle [mailto:MDavidson@xxxxxxxxxxxxxx]
> Sent: Monday, April 10, 2006 2:15 PM
> To: dainw@xxxxxxx; websecurity@xxxxxxxxxxxxx
> Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column
> on biometrics
>
>
> I checked with the author on this, and here is what he said:
>
> "I did cover it in my article, but it was more in terms of Java then ASP.
> If you look at point 9 of the 10 steps I mentioned in the article. It talks
> about using dynamic queries instead of static queries. Static queries are
> also known as parameterized queries and in point 9 I am trying to convey the
> same message. In Java parametrized queries are created by using Statement
> object and dynamic queries are created using PreparedStatement object. So,
> by avoiding Statement object, the developers are avoiding parameterized
> queries."
>
> Michelle
>
>
>
>
> From: dpw [mailto:dainw@xxxxxxx]
> Sent: Monday, April 10, 2006 1:23 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column
> on biometrics
>
> This is a well thought out article - though it omits mention of
> parameterized queries...
>
> Does anyone on this list have information on why parameterized queries
> wouldn't be recommended to mitigate risk of SQL injection?
>
> Dain White
>
> Senior Developer / Webmaster
> dainw@xxxxxxx 208.882.8869 X440
>
>
>
> -----Original Message-----
> From: Davidson, Michelle [mailto:MDavidson@xxxxxxxxxxxxxx]
> Sent: Monday, April 10, 2006 9:57 AM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] Tip on preventing SQL injection attacks/column on
> biometrics
> A frequent contributor to SearchAppSecurity.com -- Anurag Agarwal -- has
> written a couple of pieces you might be interested in.
>
> Note: Free registration to SearchAppSecurity.com required.
>
>
> SQL injection: Developers fight back
> http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179106,00.html?Offer=WASC
>
> Biometrics replacing passwords: Does authentication get better or worse?
> http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179280,00.html?Offer=WASC
>
>
>
> Michelle
>
>
> Michelle Davidson
> Editor
> SearchAppSecurity.com
> TechTarget
>
> 4025 Sea Grape Circle
> Delray Beach, FL 33445
>
> Phone: 561-302-1120
> Fax: 561-496-1860
> AIM: MicheDav910
>
> TechTarget
> The Most Targeted IT Media
> www.techtarget.com
>
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
>
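An added example (not code from the thread) of the two points raised above: Dinis's warning that a stored procedure which concatenates its parameters stays injectable even when the caller passed them separately, and Dain's parameter-array call where the value is bound as data. It is written in Python with an in-memory SQLite database standing in for the ASP/ADO stack; the table, rows and inputs are constructed.

```python
import sqlite3

# Constructed demo: a stored-procedure-style lookup that concatenates its
# parameter stays injectable although the caller passed the value separately,
# while a parameterised query does not. In-memory SQLite stands in for the
# ASP/ADO stack in the thread; the table and rows are made up.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Name TEXT, Secret TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def table_get_by_id_concat(conn, id_value):
    """Emulates a procedure body that splices the received parameter into SQL text.
    The caller did pass id_value as a parameter, but that only protects the call;
    what the procedure does with the value afterwards is where the hole is."""
    sql = "SELECT ID, Name FROM Users WHERE ID = " + str(id_value)
    return conn.execute(sql).fetchall()

def table_get_by_id_param(conn, id_value):
    """Parameterised end to end: the value is bound as data and never parsed as
    SQL, so a non-numeric ID simply matches nothing."""
    return conn.execute("SELECT ID, Name FROM Users WHERE ID = ?", (id_value,)).fetchall()

def compare(id_value):
    """Run one input through both paths; returns (rows_via_concat, rows_via_param)."""
    conn = setup_db()
    try:
        return table_get_by_id_concat(conn, id_value), table_get_by_id_param(conn, id_value)
    finally:
        conn.close()
```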
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org