SQL Injection Detection

I joined a company that already has a fully grown project ... but the coders who worked here before me did not comply with the conventions and did not use parameterized SQL queries ... as a result, there are more than 1000 places in a very large project that may be vulnerable to SQL injection ...

I need to find a solution that will automatically determine if there is SQL injection in the code. So, for example, there is a form that allows the user to enter comments on a product, which are sent to the database on submit ... how can we make sure that the user did not enter a malicious query instead of plain text?

Is there any existing code / regex / magic that can determine if this text contains a piece of an SQL query instead of plain, harmless text? I will accept any links, snippets of code in any language, or even commercial software that will do this for me.

thanks

+6
sql-injection validation
5 answers

There is no silver bullet. SQL injections can appear in many hidden forms, and trying to detect them using regular expressions or another form of filter in your firewall or application can protect you from the simplest forms of SQL injection, but an experienced hacker will just get through. As AdaTheDev already noted, automated tools that check your code, such as the MS code analysis tool, can give you a hint, but again there is no silver bullet. You will need to go through your entire application.

Since this is a big job, you have to make a plan. First of all, write a guide that outlines how to prevent these types of attacks. Also try splitting your application into parts, from very critical to less critical. In this way, you can better estimate the cost of repairing the errors and let management decide what it may cost and therefore what risk they are willing to take. The most important parts are those of your application that unauthenticated users can access. If everyone (in the world) can create an account in your application, all the functionality that these users can access is extremely critical. The smaller the population and the more you trust these users, the less the risk. You may be able to fix those parts later. But never underestimate a good hacker. He/she can compromise a user account with high privileges and start probing for SQL injection using this account.

Always try to have a defense-in-depth strategy, with several (or many) layers of protection. For example, never connect to your database as SA from your application. Create an account with only the necessary privileges, and perhaps even create multiple SQL accounts, one account for each role (or for a group of roles). Although limiting database privileges helps mitigate the risk, again, don't rely on it as your only layer of protection. This article, for example, explains how a hacker can abuse an account with lower privileges once they can do SQL injection.

It's great that you ask this question here, because in the past I have seen a lot of developers who just do not want to know, which is very scary, because the business often trusts its developers (which is also scary).

Wish you luck.

+7

To really do it right, you just need to split the application up and go through it one module / page / class at a time, independently.

This will not only allow you to fix the problem, but also be much better acquainted with the code base as a whole.

UPDATE
Based on the comment, I wanted to add one more thing:

The only thing a tool can do is say, take a look, here are some unsanitized inputs ... which, most likely, will be about every query in your application. This means that you will have a list of about 3,000 or so files that need to be fixed.

At this point, the only thing you can do is set a day, such as Friday, as Fix SQL Day. Divide the work, and then ask everyone to spend the day (or even a couple of hours) rewriting the queries for several pages.

At some point, you will either finish or discover enough other things to decide whether starting over is a better idea.

+4
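The kind of "here are some unsanitized inputs" list described in the answer above can be produced with a purely lexical scan. The following is an added example, not code from the thread or from any named tool: it flags source lines where a string literal containing an SQL keyword is joined to other expressions by concatenation, printf-style `%`, `.format(...)`, or an interpolated-string prefix (Python `f"..."`, C# `$"..."`). The sample source it runs over is constructed for the example, and the output is a candidate list for manual triage; it cannot prove a site exploitable or safe, and the log line at the end of the sample is deliberately included as a false positive a human has to dismiss.

```python
"""Heuristic scanner for SQL built by string concatenation or interpolation.

Added example, not code from the original thread. It produces a list of
candidate sites for manual triage; it cannot prove a site exploitable or safe.
"""
import re
from typing import List, Tuple

SQL_KEYWORD = r"\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|VALUES|EXEC(?:UTE)?)\b"

# A quoted string containing an SQL keyword. The prefix group captures string
# modifiers such as Python's f"..." or C#'s $"..." (interpolated strings).
SQL_LITERAL = re.compile(
    r'(?P<prefix>[A-Za-z$@]*)(?P<q>["\'])'
    r'(?P<body>(?:(?!(?P=q)).)*' + SQL_KEYWORD + r'(?:(?!(?P=q)).)*)'
    r'(?P=q)',
    re.IGNORECASE,
)


def suspicious_reasons(line: str) -> List[str]:
    """Return why a source line looks like dynamically built SQL ([] = not flagged)."""
    reasons: List[str] = []
    for m in SQL_LITERAL.finditer(line):
        prefix = m.group("prefix").lower()
        before = line[: m.start()].rstrip()
        after = line[m.end():].lstrip()
        if ("f" in prefix or "$" in prefix) and "{" in m.group("body"):
            reasons.append("interpolated string")
        if before.endswith("+") or after.startswith("+"):
            reasons.append("string concatenation")
        if after.startswith("%") or after.startswith(".format("):
            reasons.append("format-style substitution")
    return reasons


def scan_source(source: str) -> List[Tuple[int, List[str], str]]:
    """Scan a file's text; return (line number, reasons, stripped line) per hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        reasons = suspicious_reasons(line)
        if reasons:
            findings.append((lineno, reasons, line.strip()))
    return findings


# Constructed sample (not real project code): C#-style and Python-style lines of
# the kind the question describes. Lines 3 and 4 are parameterised and must not
# be flagged; line 7 is a log message and is a false positive to dismiss by hand.
SAMPLE = """\
// constructed sample, not real project code
string sql = "SELECT * FROM Users WHERE UserID = " + my_string_user_id;
var cmd = new SqlCommand("SELECT * FROM Users WHERE UserID = @id", conn);
cursor.execute("SELECT * FROM products WHERE name = %s", (name,))
cursor.execute("SELECT * FROM products WHERE name = '%s'" % name)
q = f"DELETE FROM comments WHERE id = {comment_id}"
log.Info("Finished SELECT for user " + user);
"""

if __name__ == "__main__":
    for lineno, reasons, text in scan_source(SAMPLE):
        print(f"line {lineno}: {', '.join(reasons)}: {text}")
```

Run it over the whole tree (one `scan_source` call per file) and the result is exactly the list the answer warns about: large, and needing a person to look at each hit. Parameterised calls are not flagged because the literal is followed by a comma, not an operator, which is the one property the scan actually checks.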

You could give the MS code analysis tool a try, which (quote):

CAT.NET is a binary code analysis tool that helps identify common variants of some prevailing vulnerabilities that could lead to common attack vectors such as cross-site scripting (XSS), SQL injection, and XPath injection.

Never used it myself, but maybe worth a try.

+3

I welcome your willingness to dive in and fix things, rather than just shrug your shoulders and say: "Eh .. no one will attack our site anyway."

I think that perhaps the best approach would be to escape the input, treating it as innocent across the board. The problem is that there may be legitimate reasons for someone to enter any of the characters that could cause SQL injection.

Merely attempting to detect such patterns will be subject to false-positive "attack" results; perhaps someone is trying to search for john's car without knowing at all that a single quote may be "bad". And maybe they really need to search for it. Or what have you ...

0

You need to check where the variables are passed into SQL strings. For string values, you must replace each instance of a single quote with two single quotes. For non-string values (those passed to SQL without quotes), you must make sure that they are strongly typed.

e.g. don't pass something like "SELECT * FROM Users WHERE UserID = " + my_string_user_id. Instead, use something like "SELECT * FROM Users WHERE UserID = " + userId_as_int.

This worked back when I had a similar code base with no parameterized queries at all.

0
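The two preceding answers can be seen side by side in one runnable script. This is an added example, not code from the thread: it builds a small in-memory SQLite table with constructed rows, then runs a legitimate search term containing an apostrophe and a classic `' OR '1'='1` payload through (1) an input blacklist of the sort the question asks for, (2) the concatenated query the project currently has, (3) the quote-doubling and integer-casting stopgap from the last answer, and (4) a parameterised query. The table, column names and search terms are assumptions made for the example.

```python
"""Input filtering vs concatenation vs escaping vs parameters, against SQLite.

Added example, not code from the original thread. Shows why a "does this text
look like SQL" filter hits legitimate input, what the injection actually does
to a concatenated query, and that quote-doubling plus strong typing neutralises
the same inputs. Parameterised queries remain the correct fix.
"""
import re
import sqlite3
from typing import Dict, List, Union

# Constructed sample data.
PRODUCTS = [(1, "john car", "fast"), (2, "mary's bike", "red"), (3, "secret", "internal")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


# 1. Input blacklist: what a "detect SQL in the text" filter amounts to.
BLACKLIST = re.compile(r"'|--|;|\b(?:or|and|union|select|drop)\b", re.IGNORECASE)


def looks_like_injection(text: str) -> bool:
    return BLACKLIST.search(text) is not None


# 2. Vulnerable: the concatenation pattern the question describes.
def search_concat(conn: sqlite3.Connection, name: str) -> Union[List[int], str]:
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "error"  # legitimate apostrophes break the query outright


# 3a. Stopgap from the last answer: double every single quote in string values...
def quote_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def search_escaped(conn: sqlite3.Connection, name: str) -> List[int]:
    sql = "SELECT id FROM products WHERE name = " + quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


# 3b. ...and strongly type numeric values before they reach the SQL string.
def get_by_id_typed(conn: sqlite3.Connection, user_supplied_id: str) -> List[int]:
    product_id = int(user_supplied_id)  # ValueError on "1 OR 1=1"
    sql = "SELECT id FROM products WHERE id = " + str(product_id)
    return [row[0] for row in conn.execute(sql)]


def typed_lookup_rejects(conn: sqlite3.Connection, user_supplied_id: str) -> bool:
    try:
        get_by_id_typed(conn, user_supplied_id)
        return False
    except ValueError:
        return True


# 4. The correct fix: a parameterised query; the driver never sees the value as SQL.
def search_param(conn: sqlite3.Connection, name: str) -> List[int]:
    return [row[0] for row in conn.execute("SELECT id FROM products WHERE name = ?", (name,))]


def demo() -> Dict[str, object]:
    conn = make_db()
    legit = "mary's bike"      # a real product name containing a quote
    attack = "' OR '1'='1"     # classic tautology payload
    return {
        "blacklist_flags_legit": looks_like_injection(legit),    # True: false positive
        "blacklist_flags_attack": looks_like_injection(attack),  # True
        "concat_legit": search_concat(conn, legit),              # "error": user gets a crash
        "concat_attack": search_concat(conn, attack),            # [1, 2, 3]: every row leaks
        "escaped_legit": search_escaped(conn, legit),            # [2]
        "escaped_attack": search_escaped(conn, attack),          # []
        "typed_ok": get_by_id_typed(conn, "2"),                  # [2]
        "typed_attack_rejected": typed_lookup_rejects(conn, "1 OR 1=1"),  # True
        "param_legit": search_param(conn, legit),                # [2]
        "param_attack": search_param(conn, attack),              # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
```

The blacklist flags the honest "mary's bike" search exactly as the fourth answer predicts, and the concatenated query either crashes on it or, with the payload, returns every row including the one the user should never see. Doubling quotes and casting to `int` fixes both inputs here, which is why it served as a stopgap in the last answer; the parameterised version gets the same result without having to reason about which characters are special for which database.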
