
Quick Security Reference - SQL Injection

By Sam Spencer, 2014-12-24 15:14

    Quick Security Reference: SQL Injection

Updated November 5, 2010

    For the latest information, please see http://www.microsoft.com/sdl.

    This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

    This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

    © 2010 Microsoft Corporation. All rights reserved.

    Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported


Table of Contents

    OVERVIEW  3
    WHAT ARE PERSONAS  3
        Business Decision Maker  4
        Architect  4
        Developer  4
        Tester/QA  4
    UNDERSTANDING SQL INJECTION FOR THE BUSINESS DECISION MAKER  4
        Risk  4
        Business Impact  5
        Fixing the Code  6
        Resources and Training for Business Decision Makers  7
    UNDERSTANDING SQL INJECTION FOR THE ARCHITECT/PM  7
        Identifying the Problem  7
        Common SQL Injection Attacks  7
        Designing a Fix  7
        Tools for Designing Software That Prevents SQL Injection Vulnerabilities  9
        Resources and Training for Architects/PMs  9
    UNDERSTANDING SQL INJECTION ATTACKS FOR THE DEVELOPER  9
        Example of SQL Injection  9
        Example of a SQL Injection by Truncation Attack  10
        Writing Secure Code  12
            Constrain Input  12
            Use Parameterized SQL Queries  13
            Use Proper Escaping Techniques to Handle Special Input Characters  14
            Calculate Buffer Lengths Properly  15
        Additional Considerations  16
            Use a Least-Privileged Database Account  16
            Avoid Disclosing Detailed Error Information  16
            Tools and Libraries  17
        Resources and Training for Developers  17
    UNDERSTANDING SQL INJECTION VULNERABILITIES FOR THE TESTER/QA  17
        Map Out the Site and Its Functionality  17
        Start Testing and Pay Attention to the Output  18
        Techniques for Finding Various Types of SQL Injection Vulnerabilities  18
            Code Reviews  18
            Building Improvements into Black Box Testing  19
        Tools You Can Use  19
        Resources and Training for Testers  19
    THE MICROSOFT SDL AND PREVENTING SQL INJECTION ATTACKS  20
        Long-Term Solutions  20
    CONCLUSION  21
    ACKNOWLEDGMENTS  21

    Quick Security Reference: SQL Injection 2

OVERVIEW

    SQL injection attacks have become one of the most common and dangerous Web application security issues on the Internet. A SQL injection vulnerability exists when an application takes user-supplied data and uses it to construct SQL (Structured Query Language) statements without first properly validating or sanitizing that data, so that the input can change the structure of the statement rather than serving only as a value within it. SQL injection attacks exploit such vulnerabilities to steal sensitive data from the database, modify or destroy that data, execute administrative commands on the database server, or in some cases take control of the whole machine. In recent years, SQL injection attacks have also been used to plant malicious content in databases so that it is served to visitors of the Web sites backed by those compromised databases.

    SQL injection attacks use a variety of techniques. The diagram below illustrates a simple attack that drops a database table through a Web page that accepts user input from a text box.

Figure 1. Example of a basic SQL injection attack
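The scenario in Figure 1, worked through in runnable form. This is an added example, not code from the paper: it uses Python's standard sqlite3 module with a constructed two-row users table, and sqlite3's executescript() stands in for a database driver that, like the one behind a typical Web form, accepts several ';'-separated statements in one call. The function and table names are assumptions made for the illustration. The vulnerable path concatenates the text-box value into the SQL string; the safe path passes it as a query parameter.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the paper).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def fresh_db():
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by string concatenation: whatever the text box
    contains becomes part of the SQL grammar, not just a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_batch_vulnerable(conn, name):
    """Same concatenation, sent to a driver that runs several ';'-separated
    statements in one call (sqlite3's executescript plays that role here).
    This is the Figure 1 scenario: a second statement rides in behind the
    intended SELECT. executescript discards the SELECT's rows, so the
    function's only observable effect is on the database itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    conn.executescript(sql)


def find_user_safe(conn, name):
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so quotes, semicolons and comment markers in it stay data."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Runs a benign input, a tautology payload and the Figure 1 drop-table
    payload through both code paths and collects the outcomes."""
    results = {}
    conn = fresh_db()

    # Normal use: the lookup returns the one matching row.
    results["benign"] = find_user_vulnerable(conn, "alice")

    # Tautology: the first quote closes the literal, and OR '1'='1' matches every row.
    tautology = "' OR '1'='1"
    results["vulnerable_tautology"] = find_user_vulnerable(conn, tautology)  # all rows leak
    results["safe_tautology"] = find_user_safe(conn, tautology)              # no such user: []

    # Figure 1: a stacked statement drops the table; '--' comments out the trailing quote.
    drop_payload = "'; DROP TABLE users; --"
    find_user_batch_vulnerable(conn, drop_payload)
    results["table_after_vulnerable_drop"] = table_exists(conn, "users")     # False

    conn = fresh_db()
    results["safe_drop_rows"] = find_user_safe(conn, drop_payload)           # []
    results["table_after_safe_drop"] = table_exists(conn, "users")           # True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated statement for the drop payload reads `SELECT name, email FROM users WHERE name = ''; DROP TABLE users; --'`: the attacker's quote closes the string literal, the semicolon ends the intended statement, and the comment marker swallows the quote the application appended. The parameterized version sends the identical bytes as a value and simply finds no user by that name.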

    This Quick Security Reference (QSR) paper can be used by each member of your engineering organization to gain a more thorough understanding of how to address SQL injection attacks. By better understanding these vulnerabilities, you can more easily and efficiently deal with existing issues and implement ongoing solutions that better protect your software, Web sites, and users.

    WHAT ARE PERSONAS

    Everyone, from the business decision maker to the architect, the developer, and the tester/quality assurance (QA) engineer, must play a role in addressing this issue. However, each must approach the problem from a different perspective so that you have a clear plan for fixing the SQL injection issue, verifying that the fix works, and preventing the problem in the future.


    This paper uses four basic personas in an engineering organization: business decision maker, architect, developer, and tester/QA. The goal of this paper is to address the key questions that each persona might ask regarding a SQL injection attack and to provide direction for each persona on how to address the issue. The personas are defined in the following paragraphs.

    Business Decision Maker