WebApp Sec mailing list archives

RE: ISA Server and SQL Injection


From: "Sebastien Deleersnyder" <sdl () ascure com>
Date: Fri, 18 Feb 2005 12:29:22 +0100

-----Original Message-----
From: Matthieu Estrade [mailto:mestrade () apache org] 
Sent: Thursday 17 February 2005 14:58
To: webappsec () securityfocus com
Subject: Re: ISA Server and SQL Injection


Yes, sure: if you code an application using some SQL query in a parameter,
you should read "howto do secure code for webapp"....
An application mainly uses the value afterwards, inside a query, but the
query itself is in the code.

http://www.toto.com/test.php?product_id=4 is OK and there is NO WAY to
see any SQL syntax here.

Be aware that the above parameter can directly be used to build up the
SQL query, such as:
    SQLParam = "SELECT * FROM products WHERE productid = " & getParam("ProductId")
This poses a danger when the 4 is replaced by "4 and 1=1" => gives back
all the rows of the product table.
You can imagine disaster scenarios with e.g. patient health data that
is displayed.
Also this will allow an attacker to provoke errors and from the
error messages deduce the table(s) structure, etc ...

One of the best ways to prevent SQL injection is to build parameterized
queries that will limit the variable data types used!

http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20product%20WHERE%20id=4
is not OK, and you should fire the developer doing this....

Using parameter values to perform actions directly is "HACKER FRIENDLY!"

This is indeed not a good idea! But instead of firing, the developer
should get educated.
--- infosecurity.be ---
Visit us at Infosecurity.be 2005 on 23 or 24 March at Brussels Kart Expo.
Register in advance and receive your free admission ticket via:
http://www.databadge.net/isbe2005/reg/?link=4dd995bba9ac221908f3

For more info:
http://www.ascure.com/default.asp?type=Eventsdetail&id={4D6980F0-651A-419A-93AF-E9EB42F74651}&lang={00000000-0000-0000-0001-000000000001}
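The concatenated query from the thread beside its parameterized replacement, as an added example that is not part of the original messages. It uses a constructed in-memory SQLite table and constructed `product_id` values; the function and table names are assumptions, not anything from the site under discussion.

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the product table referenced in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(4, "widget"), (5, "gadget"), (6, "gizmo")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """String concatenation, as in the SQLParam snippet quoted above: whatever
    follows product_id= in the URL is parsed by the database as SQL syntax."""
    sql = "SELECT productid, name FROM products WHERE productid = " + product_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> List[Row]:
    """Parameterized query: the value travels as bound data, never as syntax,
    and the accepted data type is limited to an integer up front."""
    try:
        pid = int(product_id)
    except ValueError:
        return []  # not a product number: reject instead of querying
    return conn.execute(
        "SELECT productid, name FROM products WHERE productid = ?", (pid,)
    ).fetchall()


def error_leak(conn: sqlite3.Connection, product_id: str) -> Optional[str]:
    """Database error text that a broken concatenated query would surface to
    the user (the 'deduce the table structure from error messages' point),
    or None when the query ran cleanly."""
    try:
        vulnerable_lookup(conn, product_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "4"))           # one row, as intended
    print(vulnerable_lookup(db, "4 or 1=1"))    # every row of the table leaks
    print(safe_lookup(db, "4 or 1=1"))          # [] : value rejected as data
    print(error_leak(db, "4'"))                 # raw parser error, exposed
```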

