Slashdot Log In
How Prevalent Are SQL Injection Vulnerabilities?
Posted by
kdawson
on Thu Oct 05, 2006 11:33 AM
from the more-than-you-think dept.
from the more-than-you-think dept.
Krishna Dagli writes to tell us of an investigation, by Michael Sutton, attempting to get an estimate of how widespread SQL-injection vulnerabilities are among Web sites. Sutton made clever use of the Google API to turn up candidate vulnerable sites. You might quibble with his methodology (some posters on the blog site do), but he found that around 11% of sites are potentially vulnerable to SQL injection attacks. He believes the causes for this somewhat alarming situation include development texts that teach programmers insecure SQL syntax, and point-and-click tools that allow the untrained to put up database-backed sites.
Related Stories
[+]
Developers: Malicious Injection — It's Not Just For SQL Anymore 119 comments
nywanna writes "When most people think of malicious injection, they think of SQL injection. The fact is, if you are using XML documents or an LDAP directory, you are just as vulnerable to a malicious injection as you would be using SQL. Bryan Sullivan looks at the different types of malicious code injections and examines the very basics of preventing these injections."
This discussion has been archived.
No new comments can be posted.
How Prevalent Are SQL Injection Vulnerabilities?
|
Log In/Create an Account
| Top
| 245 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
The abuse of SQL injection (Score:5, Funny)
(Last Journal: Friday October 06 2006, @08:59PM)
Just say no, kids.
Re:The abuse of SQL injection (Score:5, Insightful)
(Last Journal: Friday October 06 2006, @08:59PM)
Unfortunately: Not Surpirsing (Score:5, Insightful)
Re:Unfortunately: Not Surpirsing (Score:5, Informative)
(http://www.kibbee.ca/)
Re:Unfortunately: Not Surpirsing (Score:4, Insightful)
(http://www.hylobatidae.org/minerva/)
No. Web applications should use GET and POST where appropriate - GET for idempotent requests (showing database records, search results, those kind of recurring, non-database-changing things) while POST should be used for things which actually change data, user state, and so on.
Using GET in the wrong places [slashdot.org] can lead to all kinds of irritations and miniature security problems. Imagine sending an email to your web application administrator containing something like the following: <img src="http://example.com/webapp/user_admin?action=
Many web applications do get the two horrendously mixed up (I've seen search results done via POST, which is subtly, incredibly annoying) but they're definitely not interchangeable.
For simply displaying a non-password-protected package shipment page, GET would probably be the best solution. But blindly accepting both isn't a good alternative.
Simple solution (Score:5, Insightful)
(http://www.kibbee.ca/)
Point and click tools (Score:2)
(http://www.revis.co.uk/)
It's only a failure of the tool, or the developer of the tool, if the tool is marked as being a one step solution. Of course a lot are, there is no shortage of snake oil salesmen, and in that case they take 100% of the blame. However most rapid deployment tools contain a clear disclaimer of what it does or doesnt do and a guide to helping you with the rest of the steps.
When those things exist the fault is with the user and not with the tool - elitism aside. It's like using a hammer to kill a man (despite the do not kill people with this hammer label and 100 page guide to not killing people with hammers - now with pictures!) and blaming people killed with hammers on the hammer designer.
Some kind of software checklist (Score:5, Funny)
(http://www.realistic-dragon.co.uk/)
You would answer questions and it would give you license keys to software that you were qualified to use. For example, I might tick:
Engineer (check)
Artist ( )
Manager (check)
Linux (Check)
Mac ( )
Windows ( )
And it would issue keys for website point and click installation software, Vi, apache and Latex - but deny me keys to powerpoint thereby saving the lives of people who might otherwise have to gnaw off their own leg to survive my 8 hour presentation on optimising synergisyms in a web 3.0 environment by sub molecular interactions.
Criminalize? (Score:1, Insightful)
(http://ninenine.com/)
If I have somebody who is constantly trying to break into my house, to the extent that I have to pay a security professional just to keep them bastards out, I'd be down at the police station talking to the police chief, angry as hell. As is, people have come to accept that there's almost more crime than legitimate traffic on the Net these days. That's insane. Something has to be done about this mess before the entire Net is just useless.
testing methods (Score:4, Insightful)
(http://www.rains.net/)
?id=99999' OR '10
and see if the page returns the results of id=10 as expected. It's also common for people to use weak regexp (regexp should NEVER be used to protect against sql injection, see mysql_real_escape_string) and miss some characters:
?id=99999)
or fail to sanitize non us language encoding. Also, get variables are often the most protected. It is much more common to find sql injection in <input type=hidden variables, or in cookie data. The number 11% is extremely low. I'd guess more like 80%.
The "Oh-Sh*t" face... (Score:2, Insightful)
* Many development texts actually teach programmers insecure SQL syntax.
* Many sites are exposed to SQL injection attacks but don't know it.
I agree completely! I've seen the texts, I've seen the hordes of VB+SQL programmers that learned from said texts moving to the web porting the same "vices" to the new platform.
And I've seen the "oh-sh*t" face on a couple of developers after demonstrating to them that their software is vulnerable to SQL Injection. In both cases the vulnerabilities exposed the customers to the posibility of serious financial damage.
So far, the stupidest work arounds i've seen have been:
Developer: It's ok, I'll switch to post instead of get so the user can't forge the request.
Developer: It's ok, I'll write a method that removes sinlge quotes for every string i get from the user.
Developer: It's ok, I'll write some java script that will validate user input.
Writing secure software is never easy.
Re:The "Oh-Sh*t" face... (Score:4, Insightful)
Re:The "Oh-Sh*t" face... (Score:4, Informative)
(http://blog.jrock.us/ | Last Journal: Sunday October 10 2004, @04:11AM)
It's easy if you use good tools. PHP is not a good tool. Rather than hacks like mysql_replace_the_string_with_things_that_wont_co
Some ideas:
Perl's DBI, whose docs tell you to ALWAYS write SQL like:
$sth = $dbh->preprare('SELECT foo,bar FROM baz WHERE something=? AND another = ?')
$sth->execute(q{''Some\ things"'}, 10);
Notice that the programmer can't forget to escape the SQL -- because there's no escaping.
Even better is something like DBIx::Class, which lets you write
$resultset = $table->search({something => q{''Some\ things"'}, another => 10});
Again, no opportunity for the programmer to fuck up the SQL in any way. It's just like getting data out of the hash... DBIx::Class will generate the SQL (for any backend), run the query, stream in the results as needed, etc. It's easier and it's better!
Ruby on Rail's ActiveRecord is similar, but it's impossible to do certain types of joins. DBIx::Class is better in this regard. (And Perl is faster than Rails, and Catalyst is more complete rhan Rails
PHP makes it easy to write insecure code. Perl makes it hard! (With taint mode, a selection of ORMs, 10000+ well-tested modules, and nicities like Moose, Moose::Autobox, etc.)
Massively widespread problem (Score:4, Insightful)
(http://www.rockymusic.org/)
Turn Key solutions broken? (Score:3, Insightful)
(http://www.shezphoto.com/)
Let's say I own a house and around Christmas time I put out an inflatable snow man. Then some vandals come along and pop it. Are you going to walk up to me while I'm sulking over my snow man and say "Don't you know you have to wrap your snow man in kevlar to prevent vandalism and then put up an electified fence with constantine wire on it."? I would give you the strangest look if you did. Then I'd probably say something pertaining to the fact that the police should catch these bastards and presecute them.
So why is it with technology that no emphasis is put on catching vandals and bringing them to justice and a ton of emphasis is put on protecting your site from attack?
This is way low (Score:2)
It is extremely common to have people just cut and paste the bare-bones tutorial code they find on the web and reuse that same pattern on every page in the site rather than centralizing it in a wrapper. So not only is the string not being cleaned, but it's also a huge pain to fix.
some are untrained, but ... (Score:1)
Persistence Framework (Score:1)
DB Wrapper? (Score:1)
We have implemented a DB wrapper that "escapes" user input for things like ' that would break out of the input. I also check the length on the server side to make sure they're not trying to overflow any of the variables. By the looks of many of these posts, that isn't an "acceptable" amount of protection and that procedures are a must.. Anyone care to inform me or refer me to a good website?
You don't need to bother with SQL Injection (Score:4, Interesting)
(Last Journal: Wednesday May 03 2006, @12:27PM)
I recently came across a commercial site where you could substitute, for instance, "(select first_name from users where id=1)" into the page url and a nice error screen came up telling you that it couldn't convert "George" into an Integer.
It's not the SQL Injection per se that is the biggest problem, but the nice error messages you get back giving you, more or less, a SQL command line interface. Errors should be detected and redirected to a sanitized page, or if you can't be bothered, an unceremonious crash.
I notified the owners of that site by the way.
Better APIs (Score:2)
(http://inglorion.net/ | Last Journal: Thursday October 06 2005, @07:17AM)
Moo (Score:1, Flamebait)
(http://tkatch.com/ | Last Journal: Monday October 29, @02:09PM)
MySQL is not a database. It does not support Transactions. It doesn't use normal syntax. Why? Because it's easy. So a programmer who has better things to do than learning some arcane syntax can just get the job done and move on. Good? No!
It is because of this laziness that such attacks occur by someone who did take the time to learn the syntax. If people want a quick and dirty solution, so be it, but don't pretend to be a database and open all sorts or vulnerabilities.
The ease of SQL is made for people who take the time to learn it, and naturally code it securely. For those who don't have the time, just don't use SQL.
So, i blame MySQL (and its ilk) for this. And i can only laugh at the sites that get attacked because of their own laziness.
Only 11%? (Score:2)
(Last Journal: Monday September 25 2006, @01:19PM)
it\'s easy to fix SQL injections (Score:2)
(http://henry.simon.net.nz/)
Re:Return of the Flat File (Score:2)
(http://s87365085.onlinehome.us/ | Last Journal: Tuesday October 28 2003, @04:22PM)
Re:Sure, blame the "untrained" developers.... (Score:2)
(http://www.bytenoise.co.uk/)
If the obvious fix is to exclude special characters from password fields, then why allow them by default to begin with?
Because that won't stop a wily hacker from using a tool such as curl to use those special characters as if they'd entered them in the password field. This has to be fixed at the server end, not the client end.
Re:Sure, blame the "untrained" developers.... (Score:4, Insightful)
(http://slashdot.org/)
Re:Return of the Flat File (Score:4, Insightful)
(http://digitalimprint.com/misc/ip_vjl/)
No. That's a stupid idea. (Score:3, Insightful)
(Last Journal: Friday October 06 2006, @08:59PM)
In the old days, everyone used flat files, because that's what there was. Then someone (several someones, most notably Codd and some others at IBM) realized that breaking the flat data into sets of discrete data that related to each other reduced redundancy and allowed for an overall better quality of data. And it wasn't app specific.
The answer to SQL injection is to test apps more completely (including tests for this kind of attack), to provide extra checks at the database level (for integrity issues, perhaps in the form of constraints, etc. dependent on the scale and structure of the database), and to develop tools/libraries for data access that make this kind of thing hard to do accidently.
Re:Return of the Flat File (Score:4, Insightful)
(http://www.ringdev.com/ | Last Journal: Tuesday May 08 2007, @01:50PM)
-Rick
Re:Return of the Flat File (Score:5, Informative)
Re:Sure, blame the "untrained" developers.... (Score:3, Informative)
If the obvious fix is to exclude special characters from password fields
It's not. First of all, it wouldn't work. Second, it makes to sense at all at any level. Sorry if I seem rude.
There are a lot of new programmers (or whatever we're calling people who make websites these days), who are not naturally paranoid and sensitive to the exploitation of their code. They shouldn't need to be.
I agree, but it's a dreamworld. I shouldn't need to fiddle with keys or whatever every time I use my car or get home. But I do.
Luckily you can create pretty safe code by making nice code. It's amazing how many side-effects "nice" has. But yes, you'd need to be a good programmer to make nice code.
Re:Return of the Flat File (Score:2)
(http://2130706433/)
Re:Return of the Flat File (Score:1)
(http://www.hanshootsfirst.org/)
Re:Sure, blame the "untrained" developers.... (Score:2, Insightful)
I may sound like an elitist by saying the following, but secure programming should not be "easy" for the "masses". It should be reserved for those who know what the hell they're doing, and they should be paid accordingly. I do not believe it's wise to give the average Joe the tools to make even slightly sophisticated programs. We've seen what happens when we do this; take a look at most websites from the dotcom bubble.
Re:Sure, blame the "untrained" developers.... (Score:3, Funny)
Re:Sure, blame the "untrained" developers.... (Score:3, Insightful)
bash$ telnet example.com 80
GET
Two things to note here: (1) there's no HTML involved in the actual transaction at all (2) like another poster said: you can't trust the client to send valid data.
Stick to purposing solutions for things you know about.
Re:Sure, blame the "untrained" developers.... (Score:2)
I'm not following you. Why would a server-side exploit like SQL injection be addressed in a client-side display standard like HTML?
The 'type="password"' attribute of the HTML input element is nothing more than a style hint for the renderer -- characters typed into such an input should not echo back to the screen. Otherwise there's nothing that distinguishes it from a value taken from a text input, a checkbox, a file upload dialog or any other HTML form control. An HTTP POST is an HTTP POST.
And without knowing what the server plans to do with the data once submitted (which the client has no reason to need to know), how does one define what "special characters" are? A string that's going to be inserted into an SQL database has a different set of special chars than one that's going to be used as part of a filepath on a Windows box, which is different than one that's going to be used as part of a filepath on a Unix box, which is different than one that's just going to be compared against another string.
Business logic does not belong on the client side.
There are a lot of new programmers [...] who are not naturally paranoid and sensitive to the exploitation of their code. They shouldn't need to be.
The hell they shouldn't.
Programming consists of more than just typing out some PHP code that doesn't cause a fatal error when executed. A programmer needs to be conscious of the expected inputs and outputs of any piece of code he/she is responsible for, and aware of the ramifications when those expectations are not met.
A person who does not exercise such diligence should not be considered a programmer.
Re:Let's find out... (Score:2)
(http://zulupad.gersic.com/)
Re:Are these still around? (Score:2)
"' or 1=1 --" -- can force a login to succeed in some systems
"' or password='' --" -- works on some systems where that doesn't
For data retrieval scripts:
"' or 1=1 --" -- retrieve all data from the database, not just the record asked for; this is a useful one.
For data update scripts:
"' or 1=1 --" -- update all records in the database, not just the one that's identified
There are many other variations on these.
Yes, not allowing multiple statements mitigates the vulnerability a little. But not a lot.
Re:It's more than 11%, I'm sure of that! (Score:2)
There are good reasons for using SQL over and above an object persistence layer (which is what I believe both of these are, although I've never used either). SQL is easier to search, easier to analyze in arbitrary ways, and easier to edit by hand if something goes wrong and the system needs fixing.