SQL Injection

  • What is the best way to check to see if your web app or database is vulnerable to a SQL injection attack? Do I try to pass a SQL command in the input box of the web app?

  • That's a tough one to look at. It can come in from a text box; it can be in the URL strings. So there are way too many ways an SQL injection can happen.

    The thing you have to make sure of is that the user connected to the web site does not have permission to even select from a table directly. Make sure all DB calls are done through stored procs.

    I know that there are definitely lots of people here who like to use dynamic SQL. For me, that's a bit too risky.

    -Roy

  • You can, but you'll have to check every single input box and every query string. It's probably better to look at the code of the app and see how it's doing the calls to SQL.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • If "sysobjects" and "syscolumns" are queryable from the account your ASP application runs as, then you are 100% vulnerable. Revoke access to those objects and allow only sysadmins access to them. If an application was written to use them, then break the application by blocking the objects and tell the developers to fix their code. There's a reason why "sys" is in the object names. It's for use by "Public".

    See the CAST() value of a strain below...

    -- Payload as posted; the commas the forum rendered as apostrophes are restored.
    DECLARE @T varchar(255), @C varchar(255)
    -- Enumerate every text-typed column of every user table via the system catalog
    DECLARE Table_Cursor CURSOR FOR
        select a.name, b.name from sysobjects a, syscolumns b
        where a.id = b.id and a.xtype = 'u'
          and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T, @C
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
        -- Dynamic SQL rewrites each column value in place, appending the quoted string
        exec('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar, [' + @C + '])) + '' ''')
        FETCH NEXT FROM Table_Cursor INTO @T, @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor
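
    The check the two replies above describe (can the application's account read the catalog, and can it touch tables directly rather than only through stored procs) can be run from T-SQL. This is an added example, not code from the thread; it assumes SQL Server 2005 or later, and 'webapp_login' and 'WebAppDb' are placeholders for the login and database the ASP application uses.

```sql
-- Run as a sysadmin. Impersonate the application's login so every permission
-- function below answers from the app account's point of view.
USE WebAppDb;
EXECUTE AS LOGIN = 'webapp_login';   -- placeholder: the login the ASP app connects as

-- Role membership and catalog access: a 1 in any row is what the replies warn about.
SELECT 'sysadmin member'       AS check_name, IS_SRVROLEMEMBER('sysadmin') AS result
UNION ALL SELECT 'db_owner member',     IS_MEMBER('db_owner')
UNION ALL SELECT 'SELECT on sysobjects', HAS_PERMS_BY_NAME('sys.sysobjects', 'OBJECT', 'SELECT')
UNION ALL SELECT 'SELECT on syscolumns', HAS_PERMS_BY_NAME('sys.syscolumns', 'OBJECT', 'SELECT');

-- Effective object rights. In the stored-procedure-only model Roy describes, the
-- only permission_name that should appear is EXECUTE on procedures; any SELECT,
-- INSERT, UPDATE or DELETE on a table or view is reachable by dynamic SQL.
SELECT s.name AS schema_name, o.name AS object_name, o.type_desc, p.permission_name
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
CROSS APPLY sys.fn_my_permissions(QUOTENAME(s.name) + '.' + QUOTENAME(o.name), 'OBJECT') AS p
WHERE o.type IN ('U', 'V', 'P')
  AND p.permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE')
ORDER BY o.type_desc, s.name, o.name;

REVERT;   -- drop the impersonation
```

    Note that on SQL Server 2005 and later the catalog views are readable by public by default and row visibility is filtered by metadata permissions, so the second query (direct table rights) is the more telling result.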
