Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [WEB SECURITY] Re: SQL In the Request

from [bryan allott] Network Security [Permanent Link]
Subject: Re: [WEB SECURITY] Re: SQL In the Request
Date: Fri, 6 Oct 2006 08:25:15 +0200
source control integration and analyzing is definitely an interesting angle- and like most things implemented properly could be quite effective.
the particular issue which started this thread off..
[the SWF constructs the SQL and then posts the SQL as part of the request to the server in plain text]..
the entire application was architected to function like that intentionally- not just a case of a developer slipping in questionable code.
... so, we managed to track down the lead architect for that particular application and gave him a friendly call and pointed out if he was indeed
aware of the design he's chosen and it's consequences... his response:
the user only has SELECT access on the database anyways so it's not really a threat.
:o -a quick demo would shatter that myth but i don't think they're actually interested... {sigh}
so agreed, the layered approach to babysitting is needed.. but it's also not just the traditional developers, as in this case.
there's also this gap with flash designers who know some actionscript and have a good commercial idea which looks very cool but... yikes!
they come from a completely diff background and their "language/tools/compilers" don't fit the mould of "sourcecode" per se.
they too need to be roped into awareness and accommodated...

----- Original Message ----- From: <bugtraq@cgisecurity.net>
To: "Will Jefferies" <wjefferies@fncinc.com>
Cc: "Nish Bhalla" <nish@securitycompass.com>; "Erez Metula" <erezmetula@2bsecure.co.il>; "Ory Segal" <osegal@watchfire.com>; "bryan allott" <homegrown@bryanallott.net>; <webappsec@securityfocus.com>; <websecurity@webappsec.org>
Sent: Thursday, October 05, 2006 10:00 PM
Subject: Re: [WEB SECURITY] Re: SQL In the Request


The longer I'm in this industry the more I'm thinking that educating developers is like trying to
stop the flow of illegal drugs. Sure you'll bust a few people, but a new crop is always around the corner.
I am thinking that we need to continue educating people however have a layered approach to 'babysitting' them.


Better Frameworks/Libraries/API's
Providing easy to use API's that make 'screwing up' more difficult I think is something that we need to continue
working on. Yes you always risk those being dependant on something or not fully understanding it but this is always
going to happen to newbie's. Good developers like to understand what's going on and this is something you learn with experience.
Unfortunately until people are educated and have this experience they make the same mistakes over and over again.
Babysitting the majority from opening up risk and providing the more experienced alternatives is something I think that we
need to strive for. I think .NET is a good start in this direction however doesn't address other languages.
CERT recently released the Managed String library (http://www.cert.org/secure-coding/managedstring.html)
which is a good start for C however I think the industry as a whole really needs to start focusing on creating and enforcing
the usage of 'security helper' libraries.

?Source Control?
We all know that source code analyzers need some work but can iron out the common stuff. The problem is
that if you don't use them you aren't going to find any issues unless you have an extensive code
review process. Simply put this isn't commonplace and is rather expensive. Enforcing coding practices
on the source control provider and preventing/alerting to the checking in of 'suspect' code is something I feel requires more open
discussion. Back to my statement above if a newbie developer checks in bad code they aren't going to know its bad, and may not
have someone reviewing it and identifying the problem until it is to late. Preventing the usage of certain libraries
in conjunction hybrid source code analyzer I think is something we really need to start investigating/talking about.
I'm not saying we'd block the code, obviously we'd need something configurable to monitor and inform a project manager/architect
and this wouldn't be a magic bullet to all development styles, but would catch some low hanging fruit.

My $3.50
Comments/Flames welcome.

- Robert
http://www.cgisecurity.com/ Application Security news
http://www.cgisecurity.com/index.rss [RSS Feed]



I see this occasionally.  It normally comes from an
amateur-trying-to-be-a-professional.  Indeed, developer education is
needed badly.

-----Original Message-----
From: Nish Bhalla [mailto:nish@securitycompass.com]=20
Sent: Thursday, October 05, 2006 12:26 PM
To: 'Erez Metula'; 'Ory Segal'; 'bryan allott';
webappsec@securityfocus.com; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Re: SQL In the Request

Well funny thing is that I have seen a couple of seminar sites titled
"Security for Developers" and one other Computer Security Conferences
website that are vulnerable to the exact same SQL Injection
vulnerability. I
am surprized how people hold conferences on security and don't even do
basic
security checks.

Nish.

=20
-----Original Message-----
From: Erez Metula [mailto:erezmetula@2bsecure.co.il]=20
Sent: Thursday, October 05, 2006 1:01 PM
To: Ory Segal; bryan allott; webappsec@securityfocus.com;
websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Re: SQL In the Request

Just to add another dumb example from real life, I did an application
assessment a couple of months ago that had a page like this:

http://AppName/QueryDB.jsp?sql=3Dsql_query

it can't be worse than that..

________________________________


Erez Metula, CISSP   =20
Application Security Department Manager
Security Software Engineer
E-Mail:  erezmetula@2bsecure.co.il      Mobile:  972-54-2108830
Office: 972-39007530    =20
=20

-----Original Message-----
From: Ory Segal [mailto:osegal@watchfire.com]
Sent: Thursday, October 05, 2006 6:38 PM
To: bryan allott; webappsec@securityfocus.com; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Re: SQL In the Request

Hi,

I actually saw this kind of blasphemy several years ago -- an
application
that builds a SQL query using client-side JavaScript. The complete SQL
query
was then passed as a hidden parameter to the web application...

Go figure...

-Ory Segal
http://www.watchfire.com
 =20


-----Original Message-----
From: bryan allott [mailto:homegrown@bryanallott.net]
Sent: Thursday, October 05, 2006 5:35 PM
To: webappsec@securityfocus.com; websecurity@webappsec.org
Subject: [WEB SECURITY] Re: SQL In the Request


Just when i thought i had seen it all... -i come across a site which
passes in the following as part of the REQUEST..
yes, the SWF builds a request and sends it through to a php server... in
plain text.

POST /flashsql.php?id=3D106 HTTP/1.1

=3D QUERYSTRING =3D=3D=3D=3D
 id=3D106

=3D BODY =3D=3D=3D=3D
host=3D<HOSTNAME>
sql_=3DSELECT DISTINCT(movies.id), movies.name, filename FROM movies LEFT
JOIN groups_movies ON (movies.id =3D groups_movies.movie_id) LEFT JOIN
groups ON (groups.id =3D groups_movies.group_id) LEFT JOIN files_groups ON
(groups.id =3D files_groups.group_id) LEFT JOIN files ON (files.id =3D
files_groups.file_id) WHERE movies.id IN(155,150,52,149,134,133,76) AND
files.file_type_id=3D9 ORDER BY movies.id
dat=3Dsk_cms

is there anyway that this can be "acceptable" ?=20





------------------------------------------------------------------------
----
The Web Security Mailing List:=20
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:=20
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



------------------------------------------------------------------------
----
The Web Security Mailing List:=20
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:=20
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


------------------------------------------------------------------------
----
The Web Security Mailing List:=20
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:=20
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



------------------------------------------------------------------------
----
The Web Security Mailing List:=20
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:=20
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Confidentiality Notice: This message is for the sole use of the intended re=
cipient(s).
It may contain confidential or proprietary information and may be subject t=
o the
attorney-client privilege or other confidentiality protections. If this mes=
sage was
misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries =
waive any
confidentiality, privilege, or trade secrets. If you are not a designated r=
ecipient,
you may not review, print, copy, retransmit, disseminate, or otherwise use =
this message.=20
If you have received this message in error, please notify the sender by rep=
ly e-mail=20
and delete this message.

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] HITBSecConf2006 CTF Source code and daemons, Praburaajan
Next by Date:  Re: [WEB SECURITY] Re: SQL In the Request, bryan allott
Previous by Thread:  Re: [WEB SECURITY] Re: SQL In the Request, bugtraq
Next by Thread:  RE: [WEB SECURITY] Re: SQL In the Request, Jeff Robertson
Indexes:  [Date] [Thread] [Top] [All Lists]