WebApp Sec mailing list archives
Re: SQL Injection
From: "saphyr" <saphyr () infomaniak ch>
Date: Wed, 9 Jun 2004 07:44:36 +0200
Here's a little list of regex's that I put together for an article about how to build an HTTP Request Validation Engine (see http://www.aspectsecurity.com/stinger). If anyone knows of a more complete list with some better documentation, I think it could be pretty helpful for folks.
Interresting one. I once found that page: http://www.sklar.com/page/article/owasp-top-ten which is actually giving advice about a validation engine un php. Anyone heard of the same in asp ?
Architecturally, I think there's a strong case for a centralized validation engine, as opposed to putting a regex in front of every place you use something from the HTTP request.
Of course! The main advantage about using a centralized request validator is that you may have a continously improving regular expressions base and maintain them easily without refactoring. My code requires REs only by their business name and they're all maintained in the validator: var = Validator.GetQuery("var", Validator.PASSWORD); var = Validator.GetPost("var", Validator.EMAIL); var = Validator.GetSession("var", Validator.HTMLTEXT); ...
Here's a few quick questions to see if you're really validating well: - Is your validation scheme mandatory (developer doesn't have to remember to do it)
Being the only developper in my company, I mainly use self-discipline. I made myself a checklist of 'find in files' patterns to run with Ultra Edit and I know exactly what I never must find in the code = )
- Do you canonicalize before validating?
Not yet for my part. But I am aware I need to take time on this ASAP.
- Are you validating URL params, cookies, and other headers -- or just forms?
Everything.
- Do you catch extra, missing, and duplicate parameters, headers, etc...?
No. But I check for 'big unusual' things. Like if the user-agent changes during the session or the ip class changes, I consider it invalidated and force its destruction.
- If you detect a problem, what are your options (ignore, sanitize, continue, fatal, log, notify)?
I use to sanitize and log everything (get a good logger, it's worth it!). Using an error/"fatalisation" system is (from my point of view) already giving to much information to the potential attacker. In some cases, I ask for 'confirmation' about entered data. If somone enters " ' or true or ' " in his new account creation, the result would be: "is this login correct ? [ortrueor] " Psychology helps for that stuff: don't mention it and dont give the attention the attacker is requesting ; )
- Can you detect an attack based on repeated failed input validation?
yes. just get some patterns like quotes where they should never be. activate a triggered session value and when some threshold is reached, kill it.
- Is what you log different than what you show the user?
of course. I show the user: "there was an error during your request. This must be the developper's entire fault and he has been automatically warned about that problem. please click here to return to a stable area." and in the logs that would usually be: date{2004-06-10-07-36} sid{2348729384} ip{192.168.100.1} level{wrn} account {87}project{mywebapp} module{login} file {login.aspx.cs} call{AuthenticateUser} alert{quotes detected - 1st try - 2 tries left} cause{login=[' or true or ']} That makes a little difference, don't you think ? ; )
Wait -- here are the best ones: - Do your requirements specify all the stuff above?
No. Requirements specify such things: 4. Security sp4.5: The application should implement self-defensive mechanisms against invalid requests and queries sp4.6: The application should not give detailed error messages to the user, however, detailed messages should be delivered to the administration maintainer
- Do your requirements or detailed design docs specify all the validation rules?
They should, theoretically. = )
Input validation shouldn't just be left to 'best practice' or whatever individual developers want to do. It takes some real design thinking to get it right for an enterprise application.
I not really agree with this. For my own experience, input validation really is a 'best practice' stuff. It gets improved timer after time as are my regular expressions... It there was some 'empiric science' document about it, that would maybe be worth considering it as a completely design-step oriented feature.
--Jeff
Antoine -- Securité Web (swiss blog about web security) http://www.nxtg.net/securiteweb
Current thread:
- Re: SQL Injection, (continued)
- Re: SQL Injection Paul (Jun 01)
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- Re: SQL Injection saphyr (Jun 09)
- RE: SQL Injection The Crocodile (Jun 06)
- Request for comments - French readers saphyr (Jun 08)
- Re: SQL Injection Steven M. Christey (Jun 08)
- RE: SQL Injection Michael Howard (Jun 09)
- RE: SQL Injection or XML gcb33 (Jun 09)
- RE: SQL Injection Michael Howard (Jun 09)
- RE: SQL Injection Michael Silk (Jun 09)
- RE: SQL Injection WebAppSecurity [Technicalinfo.net] (Jun 10)
- RE: SQL Injection stevenr (Jun 09)
- RE: SQL Injection Michael Silk (Jun 09)
- RE: SQL Injection V. Poddubniy (Jun 10)