Demonstrating Web Security
Red
Sydney, New South Wales
416 posts
Interesting blog post about web security and SQL injection stuff.

Something happened the other day that made me really step back and say to myself ..."Whoa..." I was in auto-pilot, I was standing in front of a group of people - some [most] of whom couldn't care less about their company's web site security - and talking about security vulnerabilities and why they can lead to serious financial consequences. More importantly, I was trying to convince these folks, arms folded and all, that these "vulnerabilities" actually existed in real web sites. One of the gentlemen in the crowd commented - I'm just not convinced we have developers that write such terrible code, and even if they did - I don't see how all this complex attack stuff would even get them anything.

Again, since I have done this a million and one times before - I attempted to give an intelligent answer, at the right technical level and without providing the "FUD" I'm sure he's heard before. I was thinking in the back of my mind that this was one of those people that would need to witness a breach and then begin to panic.

It's often the case that the best teacher is experience - and I wish for nothing more than my doubting Thomases to ask me to show them these issues on their sites ... without even asking this crowd obliged. A fellow in the back of the room just yelled "Well, if these issues are so prevalent, let's see if they exist on one of our sites". I left auto-pilot and went into cautious attack mode.


Read here...
11:22am 04/03/10 Permalink
tequila
Brisbane, Queensland
6151 posts
cool, but I'm not at all surprised
sql injection is super common
11:45am 04/03/10 Permalink
Thundercracker
Brisbane, Queensland
2337 posts
After writing a relatively big website recently, it's interesting to read stuff like this happening out in the wild.

All of our SQL passes through as parameters into stored procs, using C#, so it's resistant to injection attacks. Plus we have fairly aggressive validation on a lot of our user input to prevent unexpected values. On top of this, our web servers don't talk directly to our SQL servers, instead talking through a middle tier.

Other stuff like mitigating cross site scripting and whatnot is pretty interesting.
11:59am 04/03/10 Permalink
Pinky
Melbourne, Victoria
4746 posts
Hehe, that's funny.

Yeah I do a lot of web forms that get inserted into MySQL so I'm paranoid about injection attacks. I sanitise every field. It's f*****g annoying to have to do but that's life. It annoys customers too, because sometimes I get a bit carried away and disallow a '/' for example in an address field or something like that, and then the customer does something stupid like living in a unit. Hehe.
12:02pm 04/03/10 Permalink
tequila
Brisbane, Queensland
6153 posts
mysql_escape_string ^
12:28pm 04/03/10 Permalink
mooby
Brisbane, Queensland
5352 posts
*and* it's an asp page. .net has way better cross script and sql injection prevention at the box.
12:30pm 04/03/10 Permalink
mooby
Brisbane, Queensland
5353 posts
' or 1 =1 only works if you use inline sql (and not stored procs).
12:34pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5338 posts
Probably a legacy app, I didn't think classic asp was used for real apps anymore, isn't it dead now?

Yeah I do a lot of web forms that get inserted into MySQL so I'm paranoid about injection attacks. I sanitise every field. It's f*****g annoying to have to do but that's life. It annoys customers too, because sometimes I get a bit carried away and disallow a '/' for example in an address field or something like that, and then the customer does something stupid like living in a unit.
That sounds awful.

Thankfully I don't need to worry about s*** like that. Like thunder we build n-Tier tech by default so the only validation I need to worry about is business logic rather than defending against malicious input.
12:36pm 04/03/10 Permalink
Spook
Brisbane, Queensland
28209 posts
12:55pm 04/03/10 Permalink
Dazhel
Gold Coast, Queensland
954 posts
All of our SQL passes through as parameters into stored procs, using C#, so it's resistant to injection attacks.


Are you sure? I've still seen SQL injection bugs in this same scenario.
01:09pm 04/03/10 Permalink
pARODY
Brisbane, Queensland
555 posts
I see people daily say their stuff is not vulnerable to SQL injection. I can't educate them as their own development teams all agree it's not vulnerable. I'm not allowed to prove them wrong. :(
01:12pm 04/03/10 Permalink
Thundercracker
Brisbane, Queensland
2338 posts
All of our SQL passes through as parameters into stored procs, using C#, so it's resistant to injection attacks.
Are you sure? I've still seen SQL injection bugs in this same scenario.


http://msdn.microsoft.com/en-us/library/ms998271.aspx

I'm pretty sure.

But if you do have examples, I'm all ears.
01:56pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5339 posts
I see people daily say their stuff is not vulnerable to SQL injection. I can't educate them as their own development teams all agree it's not vulnerable. I'm not allowed to prove them wrong. :(

I'll pay you a hundred bucks if you can find an injection hole in one of our web forms and f*** with the database. Will provide details of the DB schema for the test surface and the rough system topology that you'll need to navigate.

This is a serious offer, PM me please if you seriously think you can break anything.
02:36pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11350 posts
yeh..... I'm not big at all on either of these two schools of thought:

- if I can't think of a way to exploit this, or you can't tell me a way, then it's not going to happen

- if microsoft tell me it's safe, it's probably pretty safe
02:37pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5340 posts
yeh..... I'm not big at all on either of these two schools of thought:

- if I can't think of a way to exploit this, or you can't tell me a way, then it's not going to happen

- if microsoft tell me it's safe, it's probably pretty safe
Well, it's not really like that, is it :)

It's more:

  • We can't think of a way to exploit what we're doing.

  • The platform vendor says what we are doing is best practice.

  • We keep up to date with best practice, invite and reward challenge to the system's security (see above).

To me that satisfies due diligence and I can sleep at night.
02:46pm 04/03/10 Permalink
TicMan
Melbourne, Victoria
5669 posts
Using C# with stored procs for DB access should present a fairly solid foundation for being SQL injection proof. Not that it couldn't happen but it would need to be an exploit in some other layer of the application rather than putting some SQL escapes and single quotes in a submit box*.


* IMO - we still program for best practices and ensure the code is well tested before deployment.
02:50pm 04/03/10 Permalink
Dazhel
Gold Coast, Queensland
955 posts
because sometimes I get a bit carried away and disallow a '/' for example


Disallowing specific characters in free form text fields isn't the core of the problem, it's the separation between code and data. It's rare that you'd have the luxury of disallowing all characters that could cause some potential problem.

I'm pretty sure. But if you do have examples, I'm all ears.


If you're passing a text field into a stored procedure and someone decides to make a performance improvement and change the static sql definition of the stored procedure to execute some dynamic sql with the EXEC() function it can still open up SQL injection problems. The web site code may have implicitly been relying on the stored procedure to sanitise the input.
02:51pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11351 posts
I don't see how what you said, negated what I said
the sleeping at night bit, sure - but you being able to sleep doesn't really mean that much in the context of this imo
02:52pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5341 posts
I don't see how what you said, negated what I said
the sleeping at night bit, sure - but you being able to sleep doesn't really mean that much in the context of this imo

I'm all ears Jim - what are we doing wrong with our security approach, or what should we do better or also do?

Instead of 'you're doing it wrong' can we get something constructive?
02:53pm 04/03/10 Permalink
thermite
Brisbane, Queensland
4271 posts
Someone once said to me that there is no such thing as true security, you can only make it harder and add more obstacles. You can't truly 'lock' a door, because someone can sneak in behind you when you are walking through the door yourself.

The guy that told me that was a massive d******* though.
02:54pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11353 posts
I didn't say you're doing it wrong - it's you who's doing that. Refer to pinky's post, and your response, which is where this started
03:00pm 04/03/10 Permalink
Thundercracker
Brisbane, Queensland
2339 posts
If you're passing a text field into a stored procedure and someone decides to make a performance improvement and change the static sql definition of the stored procedure to execute some dynamic sql with the EXEC() function it can still open up SQL injection problems. The web site code may have implicitly been relying on the stored procedure to sanitise the input.


True, that could certainly introduce a hole right there.

There is a contractor here who writes SQL statements that would be vulnerable to this. In fact I examined one of his stored procedures where he built up the SQL into a string and then executed it.

We all think he's a retard.

edit: I agree that there are valid uses of the exec() function mind you, however I have written a few systems and the one time I used it I eventually re-wrote the stored proc not to use it
03:03pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5342 posts
I didn't say you're doing it wrong - it's you who's doing that. Refer to pinky's post, and your response, which is where this started

Well I still have no idea what you are "not big on" and you won't elaborate so umm, I guess I'm done with you now?
03:04pm 04/03/10 Permalink
pARODY
Brisbane, Queensland
557 posts
We can't think of a way to exploit what we're doing.


That's the unfortunate part of most security assessments. You can find hundreds of worthy pages on how to develop your apps to be as resistant as possible to SQL injection, but new techniques are found and exploited every day.

I've seen top companies do vulnerability assessments and penetration tests but they only deviate a few commands from the basics provided by Nessus or Metasploit and since they find nothing returns an exploitable issue they assume it's safe. Then one day some kid in Brazil uses the same query from Nessus with a ;";";" trail on it and it breaks the procedure's structure and allows injection. Every case is different with web apps as no person does things the same. No RFC dictating how to build a website.
03:11pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5343 posts
That's the unfortunate part of most security assessments. You can find hundreds of worthy pages on how to develop your apps to be as resistant as possible to SQL injection, but new techniques are found and exploited every day.

I fully agree with that btw.

But aside from keeping up to date with best practices (and keeping environment software up to date) I'm not sure what else a developer is supposed to be doing about it :)
03:17pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11354 posts
?
I typed it there in black and white

here it is again:

- pinky mentions he is paranoid about user input and demonstrates a desire to sanitise it
- you come along and say you don't need to worry about that cos something else does it for you
- someone else posts an msdn article in response to the suggestion that passing params to stored procs doesn't mean you are invulnerable
- I say I'm not big on a) assuming that because I or you can't think of a way to exploit it, it is safe b) trusting microsoft that it's safe

what are you looking for elaboration on?
03:18pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5344 posts
what are you looking for elaboration on?

- I say I'm not big on a) assuming that because I or you can't think of a way to exploit it, it is safe b) trusting microsoft that it's safe

What you propose that a developer can do about this - aside from adherence to best practice and keeping up to date.
03:21pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11355 posts
But aside from keeping up to date with best practices (and keeping environment software up to date) I'm not sure what else a developer is supposed to be doing about it :)
keeping aware basically - not trusting to a vendor or some other black box or configuration to be secure

and certainly not even mildly dissing the efforts of someone who appears to be making a conscious effort to be aware of what's going on with user input
03:22pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5345 posts
and certainly not even mildly dissing the efforts of someone who appears to be making a conscious effort to be aware of what's going on with user input

Where's the 'diss' exactly, Jim?
03:24pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11356 posts
lol ok

That sounds awful.

Thankfully I don't need to worry about s*** like that. Like thunder we build n-Tier tech by default so the only validation I need to worry about is business logic rather than defending against malicious input.
03:28pm 04/03/10 Permalink
Hogfather
Cairns, Queensland
5346 posts
That's not a diss ... that's empathy with a fellow developer (the awful is in response to the 'pain in the arse' bit not the work being done by Pinky) and an expression of relief that I don't have to defend every web form field from SQL injection. No offense or even slight rebuke was intended at all.

Obviously we don't rely on Microsoft's word that we're secure from injection and try to find holes whenever we can. I just offered someone a hundred bucks to do just that.

Next?
03:32pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11358 posts
Well now you're aware that it could be read that way, even if you didn't mean it to be


Obviously we don't rely on Microsoft's word that we're secure. I just offered someone a hundred bucks to find a hole.
Would someone qualified to do this even get out of bed for $100? Where else have you made that offer?
03:40pm 04/03/10 Permalink
Thundercracker
Brisbane, Queensland
2340 posts
We get full pen tests done on our sites. Before we wrote our latest one, we looked at a pen test done on another ASP.NET site running in the business, and took some pointers from that report. Was very helpful and insightful.

No doubt how hoggy writes his software, and how we write our software, is done in such a way as to mitigate SQL injection attacks in the data layer or middle layer, so we don't have to write reams of UI code to clean stuff sent down. Much easier this way. Doesn't mean you are immune and doesn't mean s*** coding practice will undo all that hard work.

Interesting story, the site that had the pen test allowed people to enter in negative values into a credit card deposit form. Guess what that did :D

edit: spelling
03:42pm 04/03/10 Permalink
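The negative-deposit story above is a business-rule failure rather than an injection, and the same "push it into the data layer" approach applies. This is an added T-SQL example, not code from the thread or from any poster's system, showing a positive-amount rule enforced twice: once in the procedure the middle tier calls (so the caller gets a clear error) and once as a CHECK constraint (so nothing that bypasses the form or the procedure can store a negative amount). Table, procedure and column names are assumed, and the 10000 upper bound is an invented placeholder limit.

```sql
-- Added example (not from the thread): enforce "a deposit must be positive" in
-- the database, so a form that lets a user type -500 cannot turn into a credit.
-- Names and the upper limit are assumed for illustration.

CREATE TABLE dbo.Deposit (
    DepositId INT IDENTITY PRIMARY KEY,
    AccountId INT NOT NULL,
    Amount    DECIMAL(12, 2) NOT NULL,
    -- Second line of defence: no code path, including ad-hoc fixes in
    -- Management Studio, can store a zero, negative or absurd amount.
    CONSTRAINT CK_Deposit_Amount CHECK (Amount > 0 AND Amount <= 10000)
);
GO

CREATE PROCEDURE dbo.AddDeposit
    @AccountId INT,
    @Amount    DECIMAL(12, 2)
AS
BEGIN
    SET NOCOUNT ON;

    -- First line of defence: validate in the proc the middle tier calls, so
    -- the caller gets a meaningful error instead of a constraint violation.
    IF @Amount IS NULL OR @Amount <= 0
    BEGIN
        RAISERROR(N'Deposit amount must be greater than zero.', 16, 1);
        RETURN;
    END;

    INSERT INTO dbo.Deposit (AccountId, Amount) VALUES (@AccountId, @Amount);
END;
GO

-- A valid deposit and a negative one; the second is rejected by the proc, and
-- would be rejected by CK_Deposit_Amount even if the proc check were removed.
EXEC dbo.AddDeposit @AccountId = 42, @Amount = 250.00;
EXEC dbo.AddDeposit @AccountId = 42, @Amount = -500.00;
GO
```

Client-side and middle-tier checks still belong in the form (users get faster feedback), but they are bypassable by anyone posting the request directly; the constraint is the one the attacker cannot skip.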
Hogfather
Cairns, Queensland
5347 posts
Obviously we don't rely on Microsoft's word that we're secure. I just offered someone a hundred bucks to find a hole.
Would someone qualified to do this even get out of bed for $100? Where else have you made that offer?

Heh ... yeh OK mate, so after all that you don't actually have a real criticism that we can improve our processes on, you're just being a d***. I can live with that, it's QGL.

But I have work to do and this isn't productive. I was actually genuinely hopeful that you had some security pointers as you guys are much bigger than us and you have some .Net projects in the Mammoth website's portfolio.
03:49pm 04/03/10 Permalink
Jim
Brisbane, Queensland
11359 posts
yeh I think you're getting wound up for nothing
take a breath and read the thread through again or something - I dunno why you're having this reaction to my post

you're certainly missing my point if you think this is about me coming along and telling you you're doing it wrong cos we're bigger than you or something. my whole point is, I think it's a mistake to assume "we're good" cos we follow a guide from microsoft, or consider whatever we're passing our user input to (whether it be something we wrote or a configuration we put in place or not), to make us invulnerable


I realise the $100 thing is kind of off topic, I was allowing myself to get sidetracked there. don't see what's d***ish about it though
03:58pm 04/03/10 Permalink
TicMan
Melbourne, Victoria
5671 posts
Jim's given me $100 to do some penetration testing before.
04:09pm 04/03/10 Permalink
Dazhel
Gold Coast, Queensland
956 posts
Would someone qualified to do this even get out of bed for $100?

Jim's given me $100 to do some penetration testing before.


So I'm guessing the answer to Jim's question is: No they wouldn't get out of bed for $100
04:13pm 04/03/10 Permalink
pARODY
Brisbane, Queensland
560 posts

Jim's given me $100 to do some penetration testing before.

So I'm guessing the answer to Jim's question is: No they wouldn't get out of bed for $100


But you'd get into bed for $100? You sick puppy! ;)
04:17pm 04/03/10 Permalink
whoop
Brisbane, Queensland
15622 posts
some [most] of whom couldn't care less about their company's web site security

I don't see why many employees outside of the people who actually write and maintain the site would care how (in)secure their website is because it's not their job to fix it and they probably wouldn't even know how to fix it.
06:58pm 04/03/10 Permalink
mooby
Brisbane, Queensland
5354 posts
Damn, got in here late. I just wrote an app for Uni of Tassy, that controls kids' internet use. I'm sure I'm gonna get attacked from all sides. And rolling it out to QUT soon too.
08:46pm 04/03/10 Permalink
pARODY
Brisbane, Queensland
561 posts
Mooby, what level of control does it offer? Firewall style ACL or userland application control? Always curious about these systems and how they're designed.
09:10pm 04/03/10 Permalink
Strange Rash
1181 posts
db user only has execute permission to stored procs

problem solved
08:46am 05/03/10 Permalink
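Three points in this thread fit into one worked example: mooby's note that `' or 1=1` needs inline SQL, Dazhel's warning that a stored procedure rewritten to use EXEC() with a concatenated string is inline SQL again, and Strange Rash's execute-only database user. What follows is an added T-SQL example, not code from the thread, from any poster, or from Microsoft's guidance page linked above. It defines a dynamic procedure of the kind Thundercracker's contractor wrote, the `sp_executesql` form that keeps the value as a parameter, and the execute-only grant, with a caveat on what that grant does and does not cover. Table, procedure, login and user names are assumed, and the sample rows are constructed.

```sql
-- Added example (not from the thread): how a stored procedure reintroduces
-- SQL injection through EXEC(), the sp_executesql form that keeps the value as
-- data, and what an execute-only database user buys you. All names are assumed.

CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(200) NOT NULL
);
INSERT INTO dbo.Customer (Name, Email) VALUES      -- constructed sample rows
    (N'Alice', N'alice@example.invalid'),
    (N'Bob',   N'bob@example.invalid');
GO

-- The "performance improvement" Dazhel describes. The web tier still passes
-- @Name as a parameter and believes it is safe, but the proc pastes the value
-- into a string and runs that string as a new batch: the value is now code.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customer WHERE Name = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Same dynamic statement, but @Name stays a parameter of the inner batch.
-- sp_executesql compiles the statement text and binds the value separately,
-- so no quote or comment marker in the value can alter the statement.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customer WHERE Name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(100)', @n = @Name;
END;
GO

-- Both procs receive exactly the same argument. In the dynamic version the text
-- handed to EXEC is:   ... WHERE Name = 'x' OR 1=1 --'
-- so the closing quote is commented out and the WHERE clause no longer filters.
-- In the safe version the entire string is compared against Name as one value.
EXEC dbo.FindCustomer_Dynamic @Name = N'x'' OR 1=1 --';
EXEC dbo.FindCustomer_Safe    @Name = N'x'' OR 1=1 --';
GO

-- Strange Rash's execute-only user. For static SQL inside a procedure, SQL
-- Server's ownership chaining lets this user read dbo.Customer through the
-- proc without holding SELECT on the table. Ownership chaining does not apply
-- to dynamic SQL: the EXEC() batch is checked against the caller's own
-- permissions, so a user with nothing but EXECUTE hits a permission error on
-- the injected statement, unless someone later adds EXECUTE AS OWNER to the
-- proc. Least privilege is a second line, not a replacement for sp_executesql.
CREATE LOGIN web_app WITH PASSWORD = 'placeholder-change-me-1!';  -- placeholder
CREATE USER web_app FOR LOGIN web_app;
GRANT EXECUTE ON SCHEMA::dbo TO web_app;
-- No SELECT/INSERT/UPDATE/DELETE on any table: the web tier can only call procs.
GO
```

The same reasoning applies one layer up: a C# `SqlCommand` with `SqlParameter`s is sent to the server as a parameterised RPC, which is why mooby's `' or 1=1` has nothing to attach to there, while a proc that rebuilds the statement from its parameters hands that property away inside the database where the web tier cannot see it. Code review of procedures, not just of the C# that calls them, is where this class of regression gets caught.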
Habib
Brisbane, Queensland
232 posts
If you're passing a text field into a stored procedure and someone decides to make a performance improvement and change the static sql definition of the stored procedure to execute some dynamic sql with the EXEC() function it can still open up SQL injection problems.


Dynamic SQL would (normally) kill perf. of course, since the DBMS can't precompile the execution plan any more.

Incidentally, I saw a neat trick in Oracle once where by using funky NLS_ session settings, you could 'trick' procedures which do dynamic SQL into executing arbitrary SQL even if they don't take any inputs. So basically if you owned the application user session via SQL injection you could use that to escalate privs via the proc you had exec perms on - here's the paper.
12:42am 06/03/10 Permalink
Fizzer
Brisbane, Queensland
719 posts
Does anyone remember the clusterf*** that was magic_quotes in php? I think that's an example of what can happen when you just blindly trust a system to do the "hard" work for you.

I'm not saying you should never use libraries to make your life easier. But blindly trusting something to just work without really understanding it is never good and the point I think Jim was trying to make.

And no hoggy you delicate petal I'm not saying that's what you're doing.
09:09am 06/03/10 Permalink
Nathan
Canberra, Australian Capital Territory
3364 posts
Dynamic SQL would (normally) kill perf. of course, since the DBMS can't precompile the execution plan any more.


This is a myth
12:31pm 06/03/10 Permalink
Dazhel
Gold Coast, Queensland
979 posts
This is a myth


Agreed. In SQL Server at least, my understanding is that the execution plan is kept. However depending on how many different dynamic statements are generated it can keep each plan for the similar queries in the cache (though that's not always a bad thing). It depends on how dynamic the generation of the original query needs to be.
01:23pm 06/03/10 Permalink
AusGamers Forums