

A real-world web site crack before your eyes

Opinion and Analysis

You might have a web site you've been working on. You should be testing it for security vulnerabilities like this.

Not having such an in-progress site of my own to show you, I need to harness the raw helpfulness of the ever-enthusiastic Google to find some samples.

On the one hand, this may be considered wrong of me. After all, fundamentally, this is how to circumvent security on web sites.

On the other hand, this is crucial information that web site operators and owners need to know. The fact is, web sites can be vulnerable to this sort of attack. Without any effort I found two just now through a quick Google. The operators of these web sites may in fact have had unscrupulous people circumventing their login pages for years without detection. This publication of their weakness may serve to prompt tighter security on their part.

SQL injection can be avoided in several ways. One fundamental rule is not to blindly trust user input and pass it on. At a bare minimum, every string typed in by a user should be scanned for instances of the single quote character. Where the database supports stored procedures or parameterised queries, use them rather than dynamically generated SQL. Indeed, writing queries that way will actually increase performance as well as remove this weakness.

So, how did I find these two sites and what are they?

First, the bulk of sites which will be executing SQL queries are going to be written in some form of scripting language, like Microsoft's Active Server Pages (asp, aspx) or PHP. Secondly, chances are the page name will be of the form login.asp or login.php or some other variant.

You can find pages like these by using a Google operator which specifies the search term ought to be considered part of the address, not from the text on the page. GovernmentSecurity.Org have published an article which gives some ideas for basic search terms.

In my case, I Google'd for a page with a name akin to that I mentioned. There were loads of results. I tested two and both were weak.

These pages belong to an SMS messaging gateway provider ("Site A") and a beverage vending machine distribution group in Northern Virginia ("Site B").

Here's how I tested whether the sites were weak. Firstly, I clicked on the link from Google. This brought up a login page in both cases. I entered fred' as the username and a password of ddd and clicked Login.

Site A reported this error:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near 'ddd'.
/Orders/OrderForm.asp, line 43

while Site B reported this error:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string 'fred''.
/Orders/login.asp, line 20

The fact that I got an error message proves both sites were programmed without security in mind. Neither site checked whether my input contained a single quote character; both sent it to the database server with full trust.
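The following is an added example, not code from either site or from the article's author. It reproduces the contrast described above in Python against a constructed in-memory SQLite table (the assumed user table and credentials are made up for the demonstration): the same fred' / ddd input produces a database syntax error when the query is built by string concatenation, and a plain failed login when the query is parameterised as the advice above recommends.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration (not from any real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Dynamic SQL built by string concatenation: the user's text becomes
    # part of the statement, so a single quote changes its structure.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1

def login_parameterised(conn, username, password):
    # Parameterised query: the statement text is fixed and the values are
    # bound separately, so a single quote in the input is only data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1

def probe(login, conn, username, password):
    # Returns "ok" or "denied" for a normal result, or "error: ..." when the
    # database rejects the statement, mirroring the errors the two sites showed.
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.Error as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_vulnerable),
                     ("parameterised", login_parameterised)):
        print(name, "alice/secret ->", probe(fn, db, "alice", "secret"))
        print(name, "fred'/ddd    ->", probe(fn, db, "fred'", "ddd"))
```

A login page that returns anything other than "denied" for the fred' input is leaking the database's reaction to the user's text, which is exactly the signal the test above relies on.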

Now that I know this much I can go further, and probe the limits of these sites. Firstly, could I log in without an account? The answer is yes. Here's how.
