Pete Finnigan's SQL Server Security Blog


Tuesday, October 16th

Time based blind SQL Injection


Yesterday I got an email from Chema Alonso to tell me about his recent paper "Time-Based Blind SQL Injection with Heavy Queries". This is an excellent summary paper of the technique and includes an example of writing heavy (read: badly performing) queries and then controlling the execution of the badly performing part to test whether a value (any value) in the database is above or below a chosen value, using a Newton-Raphson-like technique. The idea is that if a condition is TRUE or FALSE the query takes either a long time or a short time to run. This means that the value can be arrived at based on the time the query takes to run. This enables SQL injection to be used where the data is not returned to the hacker but he can control the query sent and also observe the time taken for the query to respond. Nice paper.
Pete on 10.16.07 @ 10:16 AM GMT [link]
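An added example (mine, not from Chema Alonso's paper or this blog) from the defender's side: the technique leaves a distinctive trace in web server logs, because each probe is a request that either returns quickly or takes several seconds, so one client's response times against one page split into two clusters. The script below parses constructed sample log lines (client, method, path, milliseconds; the format is an assumption) and flags that pattern while ignoring the single slow outlier an ordinary client produces.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log (not from the blog): client, method, path, response time in ms.
# 10.0.0.9 alternates between ~120 ms and ~5 s on one page, the yes/no pattern a
# time-based probe leaves; 10.0.0.7 has a single slow outlier, which is ordinary.
SAMPLE_LOG = """\
10.0.0.5 GET /products 120
10.0.0.7 GET /products 110
10.0.0.7 GET /products 115
10.0.0.7 GET /products 3000
10.0.0.7 GET /products 120
10.0.0.7 GET /products 108
10.0.0.7 GET /products 117
10.0.0.9 GET /products 118
10.0.0.9 GET /products 4980
10.0.0.9 GET /products 131
10.0.0.9 GET /products 5010
10.0.0.9 GET /products 127
10.0.0.9 GET /products 4955
"""

LOG_RE = re.compile(r"^(?P<client>\S+) \S+ (?P<path>\S+) (?P<ms>\d+)$")

def parse_log(text):
    """Yield (client, path, duration_ms) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["client"], m["path"], int(m["ms"])

def find_timing_probes(text, min_requests=6, ratio=10.0):
    """Flag (client, path) pairs whose response times split into two well separated
    clusters of at least two requests each. Returns (client, path, fast, slow) tuples."""
    by_key = defaultdict(list)
    for client, path, ms in parse_log(text):
        by_key[(client, path)].append(ms)
    hits = []
    for (client, path), times in sorted(by_key.items()):
        if len(times) < min_requests:
            continue
        cut = (min(times) + max(times)) / 2  # midpoint between fastest and slowest
        fast = [t for t in times if t <= cut]
        slow = [t for t in times if t > cut]
        # One slow request is a normal outlier; repeated fast/slow alternation is not.
        if len(fast) >= 2 and len(slow) >= 2 and mean(slow) >= ratio * max(mean(fast), 1):
            hits.append((client, path, len(fast), len(slow)))
    return hits
```

The thresholds (six requests, a tenfold gap) are starting points to tune against a site's normal latency distribution.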


Wednesday, October 3rd

SQL Injection cheat sheet


Today I found a nice SQL Injection cheat sheet for MS SQL Server, MySQL, PostgreSQL and Oracle. The paper is quite comprehensive and covers a good spread of types of SQL injection attacks. It's also quite good that it tries to compare some of the attacks across different types of databases. If you primarily use SQL Server then take a look. The paper is called "SQL Injection Cheat Sheet".
Pete on 10.03.07 @ 10:00 AM GMT [link]


Tuesday, December 12th

SQL Injection, Are Your Web Applications Vulnerable?


SQL Injection, Are Your Web Applications Vulnerable? - by SPI Dynamics

"SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this paper is to educate the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general."
Pete on 12.12.06 @ 09:05 PM GMT [link]
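An added example, not from the SPI Dynamics paper, of the two protection mechanisms it refers to, input validation and keeping client-supplied data out of the statement text: the string-built lookup and its parameterised counterpart side by side, using an in-memory sqlite3 table as a stand-in for SQL Server (an assumption made so the example runs anywhere; bind parameters behave the same way there).

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's SQL Server
# (sqlite3 here so the example runs anywhere; bind parameters work the same way).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "o'brien", "user")])
    return db

NAME_RE = re.compile(r"^[a-z0-9_']{1,32}$")  # allow-list: what a user name may look like

def valid_name(name):
    """Input validation: reject anything outside the expected shape before it reaches
    the database. An apostrophe is legitimate in a name, so it is allowed here, which
    is why validation alone does not make string-built SQL safe."""
    return bool(NAME_RE.match(name))

def lookup_concat(db, name):
    """Vulnerable pattern: the value is spliced into the statement text, so any quote
    character in it changes what SQL the server parses."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    """Hardened pattern: validate first, then pass the value as a bind parameter; it is
    never parsed as SQL and cannot alter the statement whatever characters it holds."""
    if not valid_name(name):
        raise ValueError("invalid name")
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def concat_breaks(db, name):
    """True if the string-built query fails to parse for this input."""
    try:
        lookup_concat(db, name)
        return False
    except sqlite3.OperationalError:
        return True
```

A legitimate name containing a quote is enough to show the difference: the string-built statement no longer parses, while the parameterised one returns the row.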


Monday, June 19th

Chip Andrews SQL lock down script


Well, it's been some time since I have written on this SQL Server blog. I have been very busy of late but I am planning to try and keep this blog more up to date from now on. I have made a few notes of links and information I would like to blog about.

Let's start the ball rolling. I was surfing the net last week and found Chip Andrews' lockdown script for SQL Server. This is on a page titled "Lockdown Script". I downloaded this script and had a look. This script is a great idea. It aims to bring a SQL Server database up to a basic level of security. The script is run and it checks and hardens by changing settings. The script is updated and follows an 80/20 rule to cover off the biggest lump of issues.

Whilst this is a great script I do have some concerns. There are other lockdown tools such as this available on the net for other pieces of software, but generally these types of scripts are not available for database software. Why is this? In general database software is complex and suitable for many different applications and purposes. This is a great feature of database software, its generic use. Having a fixed lockdown script that hardens all databases in the same way can unfortunately break some applications that have been written to use the weak or insecure feature.

I personally would always go with the audit/review/fix cycle rather than a straight fix first. That said, this script is very useful for anyone wanting to make simple changes to harden their SQL Server database.
Pete on 06.19.06 @ 05:48 PM GMT [link]


Monday, October 10th

WebGoat an excellent application for testing web security


Few people have open access to full blown web based business applications that they can use to practice all manner of web based attacks. The Open Web Application Security Project has created a full J2EE web application called WebGoat that is aimed at allowing people to practice various attack vectors whilst giving on line lessons on how to perform the attacks. The tool includes examples for Cross Site Scripting, SQL Injection, blind SQL, weak session identifiers and many more. This is a great tool for those wishing to learn about web application security.
Pete on 10.10.05 @ 10:42 PM GMT [link]


David Litchfield has a good paper on SQL Injection methods


David Litchfield has a good new paper out titled "Data-Mining With SQL Injection and Inference" which talks about the methods for extracting data from a database when it's not possible to get the data back through the same channel as the original query or even via a separate channel such as email. The method David discusses, called inference, includes examples for SQL injecting SQL Server. This method shows how the presence or value of data in the database might be inferred by altering the known output, by causing a web server error, or even by injecting a time delay in the application. This is a very interesting paper and well worth reading.
Pete on 10.10.05 @ 10:26 PM GMT [link]


Thursday, October 6th

FreeTDS an implementation of SQL Server and Sybase TDS protocol libraries


I was searching for interesting SQL Server security stuff to look at and found out that the network protocol is called TDS (Tabular Data Stream) - well actually I knew that already. I wanted to know if there are any documents available that divulge the protocol and any free libraries. If they exist then it's first possible to build your own client and second possible to send arbitrary commands to the SQL Server port, i.e. it could be hacked.

There is a great site called "FreeTDS - Making the leap to SQL Server". This details the APIs available for Perl and PHP. There is also a link to a Java implementation and of course C libraries are available. Many different flavours of the protocol are supported. There are even versions for Unix so it's possible to access data from SQL Server on Unix/Linux machines and even to port SQL Server code to Unix.

There is a FAQ, a user guide and a reference manual. I have not delved deeply into this yet but it certainly looks like a promising way to create a tool that can find and interrogate SQL Server, great for writing security tools and great for security research.
Pete on 10.06.05 @ 10:06 PM GMT [link]


Saturday, October 1st

Dave Campbell Keynote at SQL PASS


I came across Don Kiely's post to his blog called "Dave Campbell Keynote at SQL PASS", which covers David Campbell's keynote at SQL PASS about moving to SQL Server 2005; one of the key things he focussed on was trusted platform and security features. Don summarises the keynote and I noted the on-stage live demo of upgrading to 2005; Don's comment about what security state that will leave the database in was quite good. The last paragraph is the mention of security features. 2005 includes a demo of using a smart card as an encryption key which can allow per-user encryption of data. I am not convinced as to how useful that would be in real applications. How segregated would the data need to be so that each user could only encrypt/decrypt their own data? Don also goes on to talk about some of the issues with smart card key storage.
Pete on 10.01.05 @ 10:30 PM GMT [link]