Friday, August 25, 2006

SQL Injection Attack

Fortunately or unfortunately, I found a top security bug in one of our applications. It turns out to be the most famous "SQL Injection attack" bug. It had been sitting there for a while in our PHP applications.

One of the links, supposedly behind a login page, took URL parameters. The URL parameter could be modified to conduct the SQL Injection attack by the following steps:

Step 1: Let's assume the URL is https://noname.com/result/trick.php?PARAM1=777
Step 2: In the actual PHP code, an inline SQL query built from that parameter is executed to retrieve some values from the database.
Step 3: If the code is not secure enough, the parameter can be used to make the database execute other statements as well:
https://noname.com/result/trick.php?PARAM1=777; delete from table1;--

This was the last thing I did before reporting the issue to the developer, and I also gained some praise in the process.

There were other things I could do:

1) Enter a wrong parameter or SQL statement --> a database error was shown by the PHP compiler. The error also spewed out the bad SQL statement, giving information about the database tables.

I am sure there are many ways to prevent the above attacks, but I have listed a few:

  • Secure your code by wrapping the URL parameter in single quotes when preparing the SQL statement (where column1 = '$URLparameter'). PHP will then escape any bad input entered in the URL that contains a single quote (').
  • Change the PHP settings to hide database errors.
  • Encrypt your URL parameters (use any algorithm).
  • The best way of prevention is to use stored procedures instead of inline SQL.
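To show the difference between the inline query described in the post and a query that keeps the parameter as data, here is an added example; it is not code from the post or from the application it describes. It is written in Python against an in-memory SQLite database rather than PHP so that it runs stand-alone: the table and its rows are constructed for the example, execute_stacked() stands in for a database driver that accepts several statements in one call, lookup_inline() is the pattern the post describes, and lookup_bound() is the fix using a bound parameter, which is what PDO's prepare()/execute() does in PHP. With the post's own PARAM1 value, the inline version runs the appended DELETE, while the bound version simply finds no matching row and leaves the table untouched.

```python
import sqlite3

# Constructed in-memory database standing in for the post's "table1";
# the rows are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)",
                     [(777, "seven"), (778, "eight")])
    conn.commit()
    return conn

def row_count(conn):
    """Number of rows left in table1; used to observe whether a DELETE ran."""
    return conn.execute("SELECT COUNT(*) FROM table1").fetchone()[0]

def execute_stacked(conn, sql):
    """Stand-in for a driver that runs several ';'-separated statements in one
    call (PHP's mysqli_multi_query behaves this way). Returns the rows of the
    first statement; a trailing '--' comment is dropped as SQL would drop it."""
    statements = []
    for part in sql.split(";"):
        part = part.strip()
        if part and not part.startswith("--"):
            statements.append(part)
    rows = conn.execute(statements[0]).fetchall()
    for stmt in statements[1:]:
        conn.execute(stmt)
    conn.commit()
    return rows

def lookup_inline(conn, param1):
    """The vulnerable pattern from the post: PARAM1 is pasted straight into the
    SQL text, so whatever the URL carries becomes part of the query."""
    sql = "SELECT value FROM table1 WHERE id = " + param1
    rows = execute_stacked(conn, sql)
    return rows[0][0] if rows else None

def lookup_bound(conn, param1):
    """Hardened version: the SQL text is fixed and PARAM1 is handed to the
    driver as a bound parameter, so it is only ever compared as a value and
    can never add a statement. PDO::prepare()/execute() in PHP does the same."""
    row = conn.execute("SELECT value FROM table1 WHERE id = ?", (param1,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    payload = "777; delete from table1;--"   # the URL value quoted in the post
    db = make_db()
    print(lookup_inline(db, payload), row_count(db))  # the DELETE ran: table is empty
    db = make_db()
    print(lookup_bound(db, payload), row_count(db))   # no match, nothing deleted
```

Note that the bound version also handles the legitimate value "777" as a string: SQLite applies the column's numeric affinity to the bound text and finds the row, so the fix does not require changing what the page hands to the query, only how it is handed over.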

Tuesday, August 22, 2006

.NET Framework CLR Running Mode

The Common Language Runtime can be loaded in two different modes:

  • Server mode
  • Workstation mode (default)

If you have a server (a multi-processor machine) and the application is not loading the CLR in server mode, you might want to change the setting for better performance. Basically, it improves the garbage collection mechanism (concurrent GC).

ASP.NET applications automatically start the CLR in server mode, but if you have other applications, such as .NET Remoting (??), you might have to force the CLR to start up in server mode.

It can be specified in the application configuration file (the gcServer element is camel-cased and self-closing):

<configuration>
  <runtime>
    <gcServer enabled="true"/>
  </runtime>
</configuration>

Reference: Steven Pratschner

I am still trying to find the performance benefits by specifying the start-up mode.

Kick-off

My answers to how things work .... tic toc tic toc