“When a ‘customer’ of ours needs custom-developed software to suit their business requirements,” Kelly Adams writes, “they can either ‘buy’ the development services from the IT department, or go to an outside vendor. In the latter case, then we’re supposed to approve that the software meets corporate security guidelines.”
“Most of the time, our ‘approval’ is treated as a recommendation, and we end up having to install the application anyway. But recently, they actually listened to us and told the vendor to fix the ‘blatant SQL-injection vulnerabilities’ that we discovered. A few weeks later, when it came time for our second review, we noticed the following as their ‘fix’.”
using Microsoft.VisualBasic; // Strings.* and CompareMethod come from the VB runtime library

// The enclosing class is not shown on the page; "SqlHelper" is a placeholder name.
internal static class SqlHelper
{
    internal static string FQ(string WhichField)
    {
        // Pass 1: walk the string one character at a time (VB string functions are 1-based)
        // and double every single quote.
        string expression = "";
        int num2 = Strings.Len(WhichField);
        for (int i = 1; i <= num2; i++)
        {
            string str = Strings.Mid(WhichField, i, 1);
            if (str == "'")
            {
                str = str + "'";
            }
            expression = expression + str;
        }

        // Pass 2: a substring blacklist, applied innermost-first in the order listed below.
        // "--" is matched with a case-sensitive (Binary) compare; everything else is
        // case-insensitive (Text). Note that "alter table" appears twice, and that
        // the filter strips exact substrings only, so "1=1" is removed but "1 = 1" is not.
        return Strings.Trim(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
            Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
                expression,
                "xp_", "", 1, -1, CompareMethod.Text),
                "sp_", "", 1, -1, CompareMethod.Text),
                "--", "-", 1, -1, CompareMethod.Binary),
                "alter table", "", 1, -1, CompareMethod.Text),
                "drop table", "", 1, -1, CompareMethod.Text),
                "create table", "", 1, -1, CompareMethod.Text),
                "create database", "", 1, -1, CompareMethod.Text),
                "alter table", "", 1, -1, CompareMethod.Text),
                "alter column", "", 1, -1, CompareMethod.Text),
                "drop column", "", 1, -1, CompareMethod.Text),
                "drop database", "", 1, -1, CompareMethod.Text),
                "1=1", "", 1, -1, CompareMethod.Text),
                "union select", "", 1, -1, CompareMethod.Text),
                "/*", "", 1, -1, CompareMethod.Text),
                "*/", "", 1, -1, CompareMethod.Text),
                "boot.ini", "", 1, -1, CompareMethod.Text),
                "../", "", 1, -1, CompareMethod.Text),
                "%27", "", 1, -1, CompareMethod.Text),
                ";dir", "", 1, -1, CompareMethod.Text),
                "|dir", "", 1, -1, CompareMethod.Text),
                "<script", "", 1, -1, CompareMethod.Text),
                "</script>", "", 1, -1, CompareMethod.Text),
                "language=javascript", "", 1, -1, CompareMethod.Text),
                "language=\"javascript\"", "", 1, -1, CompareMethod.Text));
    }
}
Kelly adds, “of course this time, when we told them the application was still vulnerable so long as a hacker typed ‘1 = 1’ instead of ‘1=1’, they told us we were being too picky, and had us install the application anyway.”
Please don't do that. Then when you have to send a plain-text email or export a CSV or let the user re-edit the content or any of a number of other things, you'll end up with, for instance, &quot; peppered all over your text. Much better to escape the HTML after you retrieve it from the DB and before you output it to the page (although, granted, that means you have to trust your developers to do so).
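As an added illustration of both points above (the blacklist "fix" in Kelly's post and the commenter's advice to escape at output time, not at storage time), the following Python script is not the vendor's code or anything from the original page. It ports the FQ() blacklist faithfully, runs the page's own "1 = 1" variant through a concatenated query and through a parameterized one, and then shows why HTML-escaping a value before storing it leaks `&quot;` into a CSV export. The product table, the note text and all function names are constructed for the example; the only external dependency is Python's bundled sqlite3 module.

```python
import csv
import html
import io
import re
import sqlite3


# --- Constructed sample data (not from the page) -------------------------------------
def connect_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO product VALUES (?, ?)",
                    [(1, "anvil"), (2, "rocket skates"), (3, "bird seed")])
    return con


# --- Port of the vendor's FQ() blacklist, in the order the page applies it -----------
# (find, replacement, case_insensitive); only "--" uses CompareMethod.Binary on the page.
_FQ_RULES = [
    ("xp_", "", True), ("sp_", "", True), ("--", "-", False),
    ("alter table", "", True), ("drop table", "", True), ("create table", "", True),
    ("create database", "", True), ("alter table", "", True),  # duplicated on the page
    ("alter column", "", True), ("drop column", "", True), ("drop database", "", True),
    ("1=1", "", True), ("union select", "", True), ("/*", "", True), ("*/", "", True),
    ("boot.ini", "", True), ("../", "", True), ("%27", "", True), (";dir", "", True),
    ("|dir", "", True), ("<script", "", True), ("</script>", "", True),
    ("language=javascript", "", True), ('language="javascript"', "", True),
]


def fq_port(value: str) -> str:
    """Double every single quote, apply the substring blacklist, then trim."""
    out = value.replace("'", "''")
    for find, repl, case_insensitive in _FQ_RULES:
        if case_insensitive:
            out = re.sub(re.escape(find), repl, out, flags=re.IGNORECASE)
        else:
            out = out.replace(find, repl)
    return out.strip()


def lookup_by_id_blacklist(con: sqlite3.Connection, user_input: str) -> list:
    """Vendor style: filter the value, then splice it into the SQL text."""
    sql = "SELECT name FROM product WHERE id = " + fq_port(user_input)
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_parameterized(con: sqlite3.Connection, user_input: str) -> list:
    """Validate the type, then bind it; the driver never parses the value as SQL."""
    try:
        product_id = int(user_input)
    except ValueError:
        return []  # reject: the input is not an id at all
    rows = con.execute("SELECT name FROM product WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


# --- The commenter's point: store raw text, escape at the output boundary -----------
def render_html(raw: str) -> str:
    """HTML-escape at render time; the stored value is untouched."""
    return "<p>" + html.escape(raw) + "</p>"


def export_csv(raw: str) -> str:
    """CSV has its own quoting rules; it wants the raw value, not HTML entities."""
    buf = io.StringIO()
    csv.writer(buf).writerow([raw])
    return buf.getvalue().rstrip("\r\n")


def demo() -> dict:
    con = connect_sample_db()
    note = 'Kelly\'s "fix"'           # constructed note text as stored in the DB
    pre_escaped = html.escape(note)   # what an escape-before-store design would save
    return {
        "fq_strips_1eq1": fq_port("1 OR 1=1"),           # blacklist hit: "1 OR"
        "fq_misses_spaced": fq_port("1 OR 1 = 1"),       # passes through unchanged
        "blacklist_query": lookup_by_id_blacklist(con, "1 OR 1 = 1"),   # every row
        "param_query": lookup_by_id_parameterized(con, "1 OR 1 = 1"),   # rejected: []
        "param_honest": lookup_by_id_parameterized(con, "2"),           # one row
        "html_from_raw": render_html(note),
        "csv_from_raw": export_csv(note),
        "csv_from_pre_escaped": export_csv(pre_escaped),  # &quot; leaks into the CSV
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value!r}")
```

The parameterized lookup rejects the spaced variant before the query is even built, because an id that fails `int()` is not an id; even without that check, a bound parameter is sent to the engine as a value and cannot change the statement's structure. The two CSV lines make the commenter's argument concrete: the raw note exports as a properly quoted CSV field, while the pre-escaped copy carries `&#x27;` and `&quot;` into a format that has no idea what they mean.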