What Does /**/or/**/ Mean? - security

We've logged get requests where someone tried to add /**/or/**/ to the query string.
What does it mean, where can it do damage and what should I look out for in my code?
Edit
Specifically /**/or/**/1=##version)-- - what would that be targeting?

It's almost certainly an attempt at a SQL Injection Attack or something very similar. It's easiest to think (and read) about this kind of vulnerability in terms of SQL, even if it's a slightly different attack vector in your case.
The idea is that if you've got SQL of this kind:
"SELECT User from USERS where UserName =" + user + " AND PASSWORD = " + password
then inserting values like the one you've seen directly into the SQL can cause the query to mean something entirely different (and typically laxer) than you expect. Normally SQL injection attacks contain single quotes though, to terminate text values within SQL. Are you sure the attacks you've seen don't have single quotes?
If you use parameterized SQL throughout your application (and no dynamic SQL within your database), and never try to use incoming user-specified values as "code" of any kind, you should be okay.
I suspect in your case it may not be SQL that the attacker expects to use to penetrate your security; it may well be Javascript. The idea is the same though: if you use any user input as "code" in some form, e.g. by building a string mixing that with predefined code, then execute that code, you're leaving yourself vulnerable to attack. Always treat code as code (under your control) and data as data.

Related

SQL Injection assistance required

I am trying to understand the below injection and what it is trying to do. What is it trying to get? The only portion I understand is the union and select part, but the full injection I am unsure of and need help understanding.
action=&aid=1&_FILES%5Btype%5D%5Btmp_name%5D=%5C%27%20or%20mid=#%60%5C%27%60%20/!50000union//!50000select/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+%60%23#__admin%60%20limit+0,1),5,6,7,8,9%23#%60%5C%27%60+&_FILES%5Btype%5D%5Bname%5D=1.jpg&_FILES%5Btype%5D%5Btype%5D=application/octet-stream&_FILES%5Btype%5D%5Bsize%5D=4294
Well, first we can url decode the string:
action=
&aid=1
&_FILES[type][tmp_name]=\' or mid=#`\'`/!50000union//!50000select/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `##__admin` limit 0,1),5,6,7,8,9##`\'`
&_FILES[type][name]=1.jpg
&_FILES[type][type]=application/octet-stream
&_FILES[type][size]=4294
One of these parameters sticks out as pretty suspicious.
[tmp_name]=\' OR mid=#`\'`
/!50000union/
/!50000select/1,2,3,
(select CONCAT(0x7c,userid,0x7c,pwd)
from `##__admin`
limit 0,1)
,5,6,7,8,9##`\'`
In plain english, it's injecting a select query to get usernames and passwords in a format like 0x7c<user>0x7c<password> from the ##__admin table (which, according to #DCoder is likely a placeholder for the actual table where these values would be kept) and appending it to your original select.
The !50000 stuff is for bypassing your web application firewall (if you have one). If you don't, then it may just be a bot or automated attempt. Or someone following a script to see what works. The numbers aren't really useful - it may be for evading a firewall or just for debugging purposes for the attacker to see how the output looks. It's hard to tell without being able to run it.
Here's what the SQL the attacker is trying to run would look like in 'plain SQL':
select
userid,
pwd
from
`##__admin`
Do you have a table like this? When you go to this url for your site, does it dump the user table? If not, then you may not even have a problem and it is just an automated scan. You may still have issues with SQL injection, even if it doesn't work, but having this in your logs is not evidence of a breach... it's definitely a red flag though.
It's adding extra columns to the result recordset, with user/pwd information. So in essence, the user wants to collect user accounts he or she wants to abuse.
It have to be noted that SQL injection (if any) is made possible by another vulnerability.
It is clear that this application is depending (or at least it is believed by the malicious user) on the some sort of homebrewed implementation of register_globals. A worst implementation ever.
To make this code work, the application have to take GET variables, and blindly convert them in global variables, making $_FILE array to appear not from internal process but from mere GET request.

How to sanitize data coming out of a database

This is my first question on stack overflow and I have taken a lot of time to search for the similar question but surprisingly could not find one.
So I read that no data should be trusted, whether from a client or that which is coming out of a database. Now while there are lots of examples that show how to sanitize data from a user ($_POST or $_GET), I could not find one that shows how the data from a database should be sanitized.
Now maybe it's the same as the data coming from a user / client (that's what I think it should be) but I found no example of it. So I am asking it just to make sure.
So for example if the result of a query yields as follows:-
$row=mysqli_fetch_assoc($result);
$pw = $row['Password'];
$id = $row['ID'];
$user = $row['Username'];
then do the variables $pw, $id and $user have to be sanitized before they should be used in the program? If so, then how ?
Thanks to all.
Your thinking is back to front here. By the time you are able to sanitise inputs using php, it's probably too late. The data is already in php. You don't sanitise inputs. You:
validate input & sanitise output
Normally a database is wrapped by the application tier. So the only data in there should have been filtered and escaped by your code. You should be able to trust it. But even then, in a relational database the data is fairly strongly typed. Hence there is little scope for attacking php from the data tier.
But you should be sanitising (escaping or encoding) any output. How you do that depends on where and how you are sending the data, hence it should be done at the point where it leaves php, not the point where it enters php. And the method you use (mysqli_escape, HTMLentities, base64, urlencode.....) Should be appropriate to where the data is going. Indeed it is better practice to change the representation of a copy of the data (and discard it after use) rather than the original.
It depends... How are you accessing this database? Who works on / maintains it? Going in is definitely a far bigger concern. However, if you wanted to sanitize it coming out of a database you need to know what you are sanitizing for. If you want to sanitize web traffic against XSS you'd probably want to remove all url's not on a whitelist, perhaps script tags and a few other things as well. Are you sanitizing data going into a C/C++ program? Then you probably want to make sure you're protecting yourself against buffer overflow issues as this is a legitimate avenue of attack.
I'm drawing some assumptions about your design here but I'm going to assume you're just working on the model aspect of an MVC application using PHP. PHP, in this case, has been most vulnerable to SQL Injection attacks on the backend, and XSS (cross site scripting) attacks on the front end. (NOTE: This isn't a PHP problem exclusively, this is a problem in all programming and different languages provide different solutions to different problems. Remember - you need to know what you're sanitizing for what reason. There is no one size fits all.
So really, unless you are sanitizing against something universal in all the code this model will sanitize for, you probably don't want to sanitize here. XSS would be a bigger concern to you now than sql injection... the way out is too late to stop an injection attack.
To take some liberty just to get the juices flowing - From a security standpoint, given your code seems to revolve around authentication, I would be much more immediately concerned around how you are storing and processing your credentialing data. A few things should definitely be doing:
Running the password through a secure, 1-way hash BEFORE storage (such as BCrypt).
Salting these hashes (with a different salt for EACH user) before storing them in the database to protect your user's data from things such as rainbow table attacks.
Using TLS for all communications.
Establishing and maintaining a secure session (track user-login without exposing password data with every single request sent, amongst other things).

SQL Injection or Server.HTMLEncode or both? Classic ASP

People say to prevent SQL Injection, you can do one of the following (amongst other things):
Prepare statements (parameterized)
Stored procedures
Escaping user input
I have done item 1, preparing my statements, but I'm now wondering if I should escape all user input as well. Is this a waste of time seeming as I have prepared statements or will this double my chances of prevention?
It's usually a waste of time to escape your input on top of using parametrized statements. If you are using a database "driver" from the database vendor and you are only using parametrized
statements without doing things like SQL String concatenation or trying to parametrize the actual SQL syntax, instead of just providing variable values, then you are already as safe as you can be.
To sum it up, your best option is to trust the database vendor to know how to escape values inside their own SQL implementation instead of trying to roll your own encoder, which for a lot of DBs out there can be a lot more work then you think.
If on top of this you want additional protection you can try using a SQL Monitoring Solution. There are a few available that can spot out-of-the-ordinary SQL queries and block/flag them, or just try to learn your default app behavior and block everything else. Obviously your mileage may vary with these based on your setup and use-cases.
Certainly the first step to prevent SQL Injection attacks is to always use parameterised queries, never concatenate client supplied text into a SQL string. The use of stored procedures is irrelevant once you have taken the step to parameterise.
However there is a secondary source of SQL injection where SQL code itself (usually in an SP) will have to compose some SQL which is then EXEC'd. Hence its still possible to be vunerable to injection even though your ASP code is always using parameterised queries. If you can be certain that none of your SQL does that and will never do that then you are fairly safe from SQL Injection. Depending on what you are doing and what version to SQL Server you are using there are occasions where SQL compositing SQL is unavoidable.
With the above in mind a robust approach may require that your code examines incoming string data for patterns of SQL. This can be fairly intense work because attackers can get quite sophisticated in avoiding SQL pattern detection. Even if you feel the SQL you are using is not vunerable it useful to be able to detect such attempts even if they fail. Being able to pick that up and record additional information about the HTTP requests carrying the attempt is good.
Escaping is the most robust approach, in that case though all the code that uses the data in you database must understand the escaping mechanim and be able to unescape the data to make use of it. Imagine a Server-side report generating tool for example, would need to unescape database fields before including them in reports.
Server.HTMLEncode prevents a different form of Injection. Without it an attacker could inject HTML (include javascript) into the output of your site. For example, imagine a shop front application that allowed customers to review products for other customers to read. A malicious "customer" could inject some HTML that might allow them to gather information about other real customers who read their "review" of a popular product.
Hence always use Server.HTMLEncode on all string data retrieved from a database.
Back in the day when I had to do classic ASP, I used both methods 2 and 3. I liked the performance of stored procs better and it helps to prevent SQL injection. I also used a standard set of includes to filter(escape) user input. To be truly safe, don't use classic ASP, but if you have to, I would do all three.
First, on the injections in general:
Both latter 2 has nothing to do with injection actually.
And the former doesn't cover all the possible issues.
Prepared statements are okay until you have to deal with identifiers.
Stored provedures are vulnerable to injections as well. It is not an option at all.
"escaping" "user input" is most funny of them all.
First, I suppose, "escaping" is intended for the strings only, not whatever "user input". Escaping all other types is quite useless and will protect nothing.
Next, speaking of strings, you have to escape them all, not only coming from the user input.
Finally - no, you don't have to use whatever escaping if you are using prepared statements
Now to your question.
As you may notice, HTMLEncode doesn't contain a word "SQL" in it. One may persume then, that Server.HTMLEncode has absolutely nothing to do with SQL injections.
It is more like another attack prevention, called XSS. Here it seems a more appropriate action and indeed should be used on the untrusted user input.
So, you may use Server.HTMLEncode along with prepared statements. But just remember that it's completely different attacks prevention.
You may also consider to use HTMLEncode before actual HTML output, not at the time of storing data.

Restrict semicolon to prevent SQL injection?

I've seen that SQL injection strings are often constructed like this:
' ; DROP DATABASE db --
Therefore, if I disallow the use of semicolons in my application's inputs, does this 100% prevent any SQL injection attack?
Use parameterized queries (or stored procedures) and avoid dynamic SQL like the plague.
I suggest using built in library functions instead of trying to write your own anti-injection code.
A naive implementation will strip out ; even if it should be used (say as part of a passed in VARCHAR or CHAR parameter, where it is legal). You will end up having to write your own SQL parser in order to accept/reject queries.
You can read here more about dynamic SQL and the problems it presents (and solves).
No it does not prevent sql injection attacks. Any time you're dynamically constructing SQL either in the client side, or with the EXEC inside a stored proc, you are at risk.
Parameterized queries are the preferred way to get your input into query.
No, it doesn’t. You just showed one example of an SQL injection. But there are far more, all depending on the context you insert the data into.
Besided that, it’s not the semicolon that causes this issue but the ' that ends the string declaration prematurely. Encode your input data properly to prevent SQL injection.
It MAY stop from injecting a secondary DDL statement like your drop since they'll likely create a syntax error within a select, but it won't stop statements like this:
Return more data than intended
' or 1=1
Delete with output
' or 1 in (select * from (delete someOtherTable OUTPUT DELETED.* ) a)
Injection attacks revolve around ANY manipulation of the intended SQL statement, not just termination of that statement and injecting a second statement.
Injection Attacks Come from Un-sanitized User Input
It's important, however, to not conflate a SQL injection attack entirely with dynamic/inline sql. SQL injection attacks come from UN-SANITIZED USER INPUT used in dynamic sql. You can "build" a query with no problem as long as the components of that query all come from sources that you trust. For example we use schemas to hold custom structures...
$"select * from {customSchemaName}.EmployeeExtension where id=#id and clientid=#clientId"
The above is still a parameterized query from an input point of view, but the schema name is an internal system lookup that no interface has access to.
I make the case for inline/dynamic sql here:
https://dba.stackexchange.com/a/239571/9798
The best way to avoid SQL injection is to avoid string concatenation of user supplied data. This is best accomplished by either using stored procedures or using parameterized queries.
No, don't focus on semicolons. Focus on the way you put user input in the sql query - usually in quotes - and then focus on the quotes. Also don't forget when you work with regexp in sql that they need slightly different escaping procedure.
it will depend on a variety of things (which queries, etc). you should use prepared statements for this

Non-programmatic prevention of SQL injection

I agree that correct input validation is the only 'fool-proof' way to prevent SQL Injection, however it requires modifying a lot of code in existing applications, possibly might require a badly designed application to be re-structured.
There has been a lot of academic interest in automated mechanisms to prevent SQL Injection (won't go on listing them here, I've done a literature survey and seen at least 20), but I haven't seen anything that's actually been implemented.
Does anyone know of any framework that's actually in use outside an academic environment, either Signature-Based, Anomaly-Based, or otherwise?
Edit: I'm looking for something that does not modify the code-base.
The company i work for uses Barracuda Web Application Firewall for what you are talking about. From what I have seen it works fairly well. Basically if it detects suspect input it will redirect the user to a page of our choosing. This allows you to place a layer between the internet and your applications and does not require you to change any of your code.
That said, it's a bad idea to not secure your applications.
If you aren't going to modify your code then you can only intercept requests. Since there is no such thing as a good or bad SQL command you're pretty limited in options but you could try rejecting multiple queries which initiate from a single string. In other words:
LEGAL
SELECT * FROM foo WHERE bar='baz';
ILLEGAL
SELECT * FROM foo WHERE bar=''; DELETE * FROM foo; SELECT 'baz';
Since pretty much every injection attack requires multiple queries in a single request and provided your application doesn't require this feature you may just get away with this. It probably won't catch every type of attack (there's probably a lot of damage you could do using subquerys and functions) but it's probably better than nothing at all.
The default behavior with PreparedStatements in Java where you pass in each parameter makes it mostly foolproof because the framework escapes the input for you. This doesn't prevent you from doing something like
exec spDoStuff <var>
where spDoStuff does:
exec( <var> )
But if you use normal queries it's very effective. I don't know whether you'd consider it non-programmatic but the developer doesn't have to write the code to manage input validation themselves.
Like this:
int id;
String desc;
Connection conn = dataSource.getConnection();
PreparedStatement ps = conn.prepareStatement("SELECT * FROM table1 t1 WHERE t1.id = ? AND t2.description = ?");
// or conn.prepareStatement("EXEC spMyProcedure ?, ?");
ps.setInt(1, id);
ps.setString(2, desc);
ResultSet rs = ps.executeQuery();
...
rs.close();
ps.close();
conn.close();
The only way to leave the code untouched while patching vulnerabilities like SQL Injection is to use a web application firewall like the open source project mod_security. Recently Oracle has released a database firewall which filters nasty queries. This approach is better at solving the problem of SQL Injection, but that all it can address.
WAF's are very useful and free, if you don't believe it put it to the test.
A WAF is just one layer. You should also test the application* under it. This is a defense in depth approach.
*This is a service I sell with a limited free offer.

Resources