http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/tags/sql+injection/default.aspxTags: sql injectionenCommunityServer 2008.5 SP1 (Build: 31106.3070)http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/10/04/web-application-security-101-simple-sql-injection.aspxSat, 04 Oct 2008 05:08:00 GMT94bda21f-7d63-4095-85de-7c2a68fb172c:86018RafalLos0http://www.communities.hp.com/securitysoftware/blogs/rafal/rsscomments.aspx?PostID=86018http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/10/04/web-application-security-101-simple-sql-injection.aspx#comments<p>&nbsp; Web application security is a hot topic, no doubting that these days.&nbsp; The awareness is growing and developers are starting to take notice of the security shortfalls in their code.&nbsp; Awareness of attacks like SQL injection, cross-site scripting, and CSRF (Cross-Site Request Forgery) is starting to spread and so are ways to protect against these types of attacks.</p><p>&nbsp;With this Security 101 post I&#39;d like to call attention to a particular type of attack that (after nearly 5 years of executing it successfully) is finally starting to trend towards extinction - but sadly still is all-too-common.&nbsp; Let&#39;s do this by example... </p><p>&nbsp; As you visit your favorite site one of the first thing that the server on the other end of your connection does is checks your browser.&nbsp; It does this for an obvious reason: it needs to know whether to serve you java or ActiveX/.Net -based content.&nbsp; This isn&#39;t going to go away since I don&#39;t see either Microsoft or Mozilla dropping out of the browser game, so the checking of &quot;user-agent&quot; will continue. Moving on in our example, the server pulls the &quot;user-Agent&quot; header component and has to compare it against known types of browsers.&nbsp; Now, there are a number of ways that the server can check your browser version (against an XML file, using JavaScript from within the page, or using a database call) but it is fairly likely that it will be done with a database call to the back-end database server against a table of supported browsers.&nbsp; Here&#39;s where the magic happens if you&#39;re an attacker.&nbsp; Most of the time, if the developer is making a database call to check browser version compatibility they are *not* sanitizing that parameter before passing it into the database server.&nbsp; This, of course, leads to <b>SQL Injection</b>.</p><p>&nbsp; This absolutely fundamental check can cause a site or application with *zero form inputs* to still be vulnerable to SQL Injection.&nbsp; I&#39;ve seen it first-hand, so I know it exists in &quot;the wild&quot;. Absolutely fascinating since I&#39;ve had developers ask me why they need to sanitize parameters when they have little (or no) form inputs on a site.&nbsp; My answer is always this example.</p><p>&nbsp; The moral of this story is don&#39;t get over-confident.&nbsp; Just because your site/application is &#39;basic&#39; or short of complex inputs it does not necessarily mean that you&#39;re invulnerable to attacks like SQL Injection.&nbsp; Check and sanitize <b>all</b> your parameters coming from the user-side.&nbsp; Never, ever, under any circumstances trust data coming from the client.&nbsp; This goes for *any* data, including header fields! <br /></p><div style="clear:both;"></div><img src="http://www.communities.hp.com/securitysoftware/aggbug.aspx?PostID=86018" width="1" height="1">hackingsql injectionuser-agentdata sanitizationweb application hackinginput validationweb application securityhttp://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/09/18/sql-injection-real-and-in-your-face.aspxThu, 18 Sep 2008 03:58:00 GMT94bda21f-7d63-4095-85de-7c2a68fb172c:84789RafalLos1http://www.communities.hp.com/securitysoftware/blogs/rafal/rsscomments.aspx?PostID=84789http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/09/18/sql-injection-real-and-in-your-face.aspx#comments<p>Not every company has <em>consumer data</em> contained within the web applications.</p> <p>I get that.&nbsp; Logic fails me, however, when someone tries to explain to me why because they don&#39;t have consumer data (or other critical data that can be &quot;stolen&quot; from their applications) they really don&#39;t need to pay attention to web application security issues.&nbsp; Really...</p> <p>&nbsp;This <a class="" title="InternetNews.com Article" href="http://www.internetnews.com/security/article.php/3771671/Hackers+Hit+BusinessWeek+With+Malware.htm" target="_blank">news over at InternetNews.com</a>&nbsp;story could be a rude-awakening for some of those folks.&nbsp; The point is - just because you don&#39;t have data to &quot;steal&quot; doesn&#39;t diminish the value of your web application as an attack surface.&nbsp; In fact, the most important principle (other than data) that drives hacking is volume of traffic to your site/application.&nbsp; A news organization, for example, lives off of driving traffic to the site.&nbsp; Malware distributors (adware, for example) live off of the same principle because they use those viewers as &quot;drive-by adware install victims&quot;... and thus make their money.&nbsp; Am I making sense here?</p> <p>&nbsp;&nbsp; The bottom line, Web Application Security is a serious business, and not only for those that have to be PCI compliant, or HIPPA compliant, or some other regulation-compliant... and not just for those who have consumer credit card data on their pages... no no - it&#39;s for everyone with a web presence because <strong>you</strong> are a target if you have viewers.</p><div style="clear:both;"></div><img src="http://www.communities.hp.com/securitysoftware/aggbug.aspx?PostID=84789" width="1" height="1">businessweek attacksql injection attacksql injectionadwarebusinessweek hackmalware distribution