Re: Row-0 mitigation of SQL injection

From: Hubert Seiwert (hubert@westpoint.ltd.uk)
Date: Thu Jun 07 2007 - 11:33:39 EDT


To be honest I think it's a terrible idea...

As others have pointed out, it's trivial to return a different row, e.g.

select * from users where login = '' and lower(name) like '%admin%' and ''='

Never mind stacked queries which can be used to modify tables or execute
arbitrary commands without selecting anything.

Also, you would often trigger the 'bad thing is happening' alert when using
database admin tools. Your own application would have to be careful never to
select the row, etc.

The complexity of implementing this seems greater than avoiding the problem in
the first place by using bound parameters and good input validation. It's not
that hard. This seems preferable to adding a complicated and flawed canary...

Regards,
Hubert Seiwert

Westpoint Scanning Team

Westpoint Limited
Albion Wharf, 19 Albion Street
Manchester M1 5LN
United Kingdom

Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031

email: scans@westpoint.ltd.uk
web: www.westpoint.ltd.uk

Jim Halfpenny wrote:
> Hi,
> One thing I've noticed about SQL injection is that quite often the
> injected code returns a data set and the vulnerable application plucks
> the first row from the set. Consider a simple example where a login
> form is vulnerable and the following code is generated:
>
> select * from users where login = '' or 'a' = 'a';
>
> Instead of returning one row as expected the whole table is returned
> and the application more often than not reads the first row. This hack
> is especially bad if the first user in the table has admin rights,
> which is often the case.
>
> One way of potentially hobbling simple SQL injection would be to
> insert a sentinel record at the beginning of the table (hence the
> row-0 concept). If this row is ever returned, the application can
> be made aware something bad has happened.
>
> Does this sound like a good idea, or does it encourage poor coding by
> having a safety net? All comments welcome.
>
> Jim
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>

-- 
Hubert Seiwert
Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom
Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
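To make the two points in this thread concrete, the following is an added example (not code from either poster) that builds a small SQLite users table with a sentinel row 0 and shows: the classic `' or 'a' = 'a` payload tripping the sentinel check, a targeted payload in the spirit of Hubert's `like '%admin%'` query (written with `or` here, since the injected where-clause has a single condition as in Jim's example) that returns the admin row without ever touching row 0, the same payload doing nothing against a bound-parameter query, and an ordinary "list all users" query raising the same alarm. The table contents, the `SENTINEL_ID` constant and all function names are assumptions made for this example; stacked queries are not shown because sqlite3's `execute()` runs one statement at a time.

```python
"""Row-0 sentinel versus a targeted injection and bound parameters (added example)."""
import sqlite3

SENTINEL_ID = 0  # assumed id of the sentinel row that must never be selected

# Constructed sample table: row 0 is the sentinel, row 1 is the admin account
# that happens to sit first in the table, row 2 is an ordinary user.
SEED_ROWS = [
    (SENTINEL_ID, "__sentinel__", 0),
    (1, "admin", 1),
    (2, "alice", 0),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, login text, is_admin integer)"
    )
    conn.executemany("insert into users values (?, ?, ?)", SEED_ROWS)
    return conn


def first_row_guarded(cursor):
    """The application plucks the first row; the sentinel check raises if it is row 0."""
    row = cursor.fetchone()
    if row is not None and row[0] == SENTINEL_ID:
        raise RuntimeError("sentinel row selected: possible SQL injection")
    return row


def lookup_vulnerable(conn, login):
    """Jim's shape: the login value is concatenated straight into the SQL text."""
    sql = "select * from users where login = '" + login + "'"
    return first_row_guarded(conn.execute(sql))


def lookup_safe(conn, login):
    """Bound parameter: the value is passed to the driver and never becomes SQL."""
    sql = "select * from users where login = ?"
    return first_row_guarded(conn.execute(sql, (login,)))


def admin_report(conn):
    """An internal tool that lists every user goes through the same guard."""
    return first_row_guarded(conn.execute("select * from users order by id"))


def demo():
    """Run the four scenarios and return their outcomes keyed by name."""
    conn = make_db()
    results = {}

    # 1. Classic payload: "login = '' or 'a' = 'a'" returns the whole table,
    #    the first row is the sentinel, and the alert fires.
    try:
        lookup_vulnerable(conn, "' or 'a' = 'a")
        results["classic"] = "not detected"
    except RuntimeError:
        results["classic"] = "detected"

    # 2. Targeted payload: pick the admin row, so the sentinel is never returned.
    #    Resulting SQL: ... where login = '' or lower(login) like '%admin%' and '' = ''
    targeted = "' or lower(login) like '%admin%' and '' = '"
    results["targeted"] = lookup_vulnerable(conn, targeted)

    # 3. Same payload against the bound query: it is just a login string that
    #    matches nobody, so the lookup returns None.
    results["bound"] = lookup_safe(conn, targeted)

    # 4. A legitimate internal query selects row 0 and raises the same alarm.
    try:
        admin_report(conn)
        results["report"] = "ok"
    except RuntimeError:
        results["report"] = "false alarm"

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The guard only ever sees the first row the application happens to fetch, so any payload that narrows the result set to the row the attacker wants (by name, by id, by `limit`/`offset`) walks straight past it, while the parameterised query needs no guard at all because the injected text is compared as a literal value.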


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT