I have a question regarding the ABAP function module SAVE_TEXT. I assume that it is possible to create a custom TDOBJECT and TDID, and that the long texts are then stored in the tables STXH and STXL. How secure is SAVE_TEXT against SQL injection attacks? Is it not vulnerable because the texts are encoded in RAW format?
Your first assumption was either lost in translation or wrong in the first place - the valid values of TDOBJECT and TDID are maintained manually using the transaction SE75, usually by the application developer. They are not created as part of the everyday application processing.
As far as the database access is concerned, there are two security levels to protect against SQL injection, although one was not designed to be a security level:
The contents of the text are stored in an internal form that is serialized as a byte string. Whatever SQL commands might have been present in the original text do not make it through this conversion.
The DML commands are passed through the usual database interface layer that uses prepared statements with a fixed set of variables that are supplied with values only when executing the statements. As far as I can see, no dynamic SQL statements are used to modify STX* texts.
For normal business applications, this should be safe enough. If you want to run a nuclear power plant, well - we would have to talk.
Related
I have an application in which I'd like to accept a user supplied SQL query from a front-end query builder (http://querybuilder.js.org/). That query eventually needs to make its way to running in a postgres database to return a subset of data.
The query builder linked above can export SQL or a mongo query. I imagine using the mongo query is relatively safe, since I can add to it simply on the server:
query.owner_of_document = userId
to limit results (to documents owned by the user).
Whereas the SQL statement could potentially be hijacked in an injection attack if someone attempts to store a malicious string of SQL for execution.
Is directly accepting SQL from a client bad practice? How can I ensure the supplied SQL is safe?
Thanks!
Why do you need to accept an entire SQL statement?
Can you accept only parameters and then run a predefined query?
There are loads of questions/answers on SO relating to SQL injection and using parameters is a first step in avoiding injection attacks, such as "Are Parameters really enough to prevent Sql injections?"
But I think this answer to a different question sums things up well:
Don't try to do security yourself. Use whatever trusted, industry standard library there is available for what you're trying to do, rather than trying to do it yourself. Whatever assumptions you make about security, might be incorrect. As secure as your own approach may look ... there's a risk you're overlooking something and do you really want to take that chance when it comes to security?
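As an added illustration (not code from the question or this answer) of what the answer recommends, accepting only structured filter rules from the client and building the SQL server-side: the client may only name allowlisted columns and operators, values are bound as parameters, and the owner filter is always appended. It uses Python's sqlite3 module instead of the asker's Postgres stack, and the documents table, the allowlists and the rule shape are assumptions.

```python
import sqlite3

# Constructed allowlists: the only columns/operators a client rule may name.
ALLOWED_COLUMNS = {"title", "status", "created_year"}
ALLOWED_OPERATORS = {"equal": "=", "not_equal": "<>", "less": "<", "greater": ">"}


def build_query(rules, user_id):
    """Translate a list of {field, operator, value} rules (the shape a
    query-builder front end might emit) into parameterized SQL.
    Column and operator names are looked up in allowlists, values never
    touch the SQL text, and an owner filter is always appended."""
    where, params = [], []
    for rule in rules:
        col = rule["field"]
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
        op = ALLOWED_OPERATORS.get(rule["operator"])
        if op is None:
            raise ValueError(f"operator not allowed: {rule['operator']!r}")
        where.append(f"{col} {op} ?")
        params.append(rule["value"])
    # The server, not the client, decides whose documents are visible.
    where.append("owner_of_document = ?")
    params.append(user_id)
    return "SELECT id, title FROM documents WHERE " + " AND ".join(where), params


def run(rules, user_id):
    """Run the generated query against a constructed in-memory table and
    return the matching document ids."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents(id INTEGER, title TEXT, status TEXT,
                               created_year INTEGER, owner_of_document INTEGER);
        INSERT INTO documents VALUES
            (1, 'budget', 'draft', 2023, 7),
            (2, 'plan',   'final', 2024, 7),
            (3, 'secret', 'final', 2024, 9);
    """)
    sql, params = build_query(rules, user_id)
    return [row[0] for row in conn.execute(sql, params)]
```

A value such as `final' OR '1'='1` is compared literally and matches nothing, and a field name that is not in the allowlist is rejected before any SQL is built.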
I'm designing a UWP app that uses an SQLite database to store its information. From previous research I have learnt that the SQLite functions SQLiteConnection.Update() and SQLiteConnection.Insert() are safe to use, as the inputs are sanitised before entering the database.
The next step I need to do is sync that data with an online database - in this case SQL Server - using a service layer as my go between. Given that the data was previously sanitised by the SQLite database insert, do I still need to parameterise the object values using the service layer before they are passed to my SQL Server database?
The simple assumption says yes because, despite them being sanitised by the SQLite input, they are technically still raw strings that could have an effect on the main database if not parameterised when sending them there.
Should I just simply employ the idea of "If in doubt, parameterise" ?
I would say that you should always use SQL parameters. There are a few reasons why you should do so:
Security.
Performance. If you use parameters the reuse of execution plans could increase. For details see this article.
Reliability. It is always easier to make a mistake if you build SQL commands by concatenating strings.
I'm trying to narrow down the results returned from a server generated SSRS report, but the customer is requesting too many fields to be able to do it easily with parameters into a predefined SQL statement.
Is it possible to pass a statement into the reporting server from .NET that the server will execute as its datasource, instead of the preconfigured one? Either the complete statement or the WHERE clause would be fine.
If not, is it possible to eval a parameter sent into a stored procedure? I'm aware of the security implications.
Architecturally speaking, if the customer is requesting reports with infeasible amounts of parameters they might want to consider creating an Analysis Services model instead and using Excel or another tool to slice and dice the data to their heart's content.
I can't speak to the .NET option, but you can definitely use a stored procedure in a report data set, but I'm not sure how that would help you as it would still require parameters to be passed to it.
We decided to route a parameter into a stored procedure, which executes a sql query using the parameter. The other parameters use the Prompt as a friendly name and the Name as the column name, and the program constructs a where clause from this information and passes it into the query parameter of the report. It's not a perfect solution, but we've closed all holes for injection we could and it works. Sometimes you've got to be happy with that.
Perhaps it may sound strange, but I was told that SQL injection attacks can be classified as passive and active.
Passive SQLi: it is related to SQL statements such as SELECT, UNION, GROUP BY, LOAD, HAVING, EXECUTE, BEGIN, DECLARE, etc.
Active SQLi: it is supposed to be more dangerous since it involves modifying the DBMS through statements like UPDATE, DELETE, INSERT, etc.
I haven't yet found anything about it in terms of white papers, study material and so on.
OWASP defines passive and active sql injections here
SQL Injection is classified in the following two categories, depending on the exposure of database information (passive) or the alteration of database information (active).
Both are problematic, and if you have one you probably have the other. The problem with active is fairly obvious (someone is updating/creating/deleting your data in ways you didn't plan). Passive is just as dangerous for you and your users, though. Imagine if they get a list of usernames and passwords. These could be used to log in legitimately to your website, or to other websites, as most users reuse passwords on multiple sites.
SQL injection is simply adding undesired text to your queries.
You can group it as you wish, but it doesn't really matter, the simple thing is, your query doesn't do what you want or does not only what you want.
I've never heard of sql injection attacks being broken down into categories. As gdoron so eloquently put it, it doesn't matter.
However, looking at how you broke it down it almost makes sense. I'd change that classification slightly to be:
Passive:
Attack involving overriding the expected input in such a way as to bypass normal security controls. For example, let's say you have a page with a query string such as:
/accounts/edit.php?id=50
In this case, manually changing the id to 1 or 10 could potentially pull up a record the user does not have access to, provided that the edit page doesn't perform additional checks to ensure the user has access.
Active:
Attack whereby sql statements are passed into input fields in order to cause the application to execute the new statement.
For example, putting ' or (1=1);drop table users;' into a login field. Some applications simply concatenate sql with unsanitized user input. This could allow an attacker to bypass security controls or even send DDL statements to the database server.
I wouldn't say that SQL injection involving DELETE is necessarily "worse" than SQL injection involving SELECT. It's true one can modify data and the other doesn't.
But a lot of scary SQL injection is perpetrated solely to read data that is supposed to be restricted, e.g. stealing credit card numbers.
Usually the terminology around SQL injection has to do with the methods of attack, such as "blind SQL injection," "union-based SQL injection," etc.
If you want to read a mighty book that covers the subject very well, try SQL Injection Attacks and Defense by Justin Clarke et al.
Because SQL Injection is a technique used to ATTACK a website, whether it is passive or active is inconsequential, as many of the other members have said already.
No, the TERMS you use in the first paragraph as PASSIVE are incorrect.
Execute is not passive, it's active... it's Executing (something or other).
And even a passive term such as SELECT when used with DROP TABLE can cause you to lose data too!
So you would still insist on calling it passive?
When it's ACTIVELY dropping a table?
A good source of further information is wikipedia.
http://en.wikipedia.org/wiki/SQL_injection
I was wondering if it is possible to have my asp code set flags for my sql database? Although if you have a better suggestion for what to do to avoid a sql injection through the address bar I will take that too.
Basic steps to prevent sql injection attacks are:
1. Parameterize your queries; that is, do things like:
insert into tables (column1, column2, column3) values (?,?,?)
and have your code pass parameters to the query.
2. Use stored procedures if you can, and if they fit your situation well (with one caveat - 3rd point below).
3. If you use stored procs, don't use dynamic SQL inside them or that will expose you again to sql injection attacks. What I mean by that is to avoid concatenating strings inside the stored proc in order to construct your statements.
4. Validate user input (both client and server side - never trust javascript validation)
I think following those 4 points will make your application immune to sql injection attacks.
I recommend you also read the article posted by jdavies below. It gives some additional useful information.
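An added example (not from any of the answers on this page) that puts the login-field injection from the passive/active discussion above beside the parameterized form this answer's first point asks for: the same input bypasses the concatenated query and is compared literally by the bound one. It is written with Python's sqlite3 module rather than ASP, and the users table and the payload are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed demo table with one account; not from the answers above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(name TEXT, pw TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse');
    """)
    return conn


def login_concat(conn, name, pw):
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    in the input changes the statement's meaning (point 1 warns against this)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()


def login_param(conn, name, pw):
    """Fixed form: the statement text is constant and the driver binds the
    values separately, so the same input is compared as a literal string."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()


def demo():
    """Run both forms against the same input and return their results."""
    conn = make_db()
    # Constructed payload: closes the quoted value, adds an always-true
    # condition, and comments out the remainder of the WHERE clause.
    payload = "' or (1=1) --"
    return {
        "concat": login_concat(conn, "alice", payload),        # ('alice',): bypassed
        "param": login_param(conn, "alice", payload),          # None: wrong password
        "legit": login_param(conn, "alice", "correct horse"),  # ('alice',): real login
    }
```

The stacked `;drop table users;` variant quoted earlier on the page is rejected by sqlite3's execute(), which runs one statement at a time, but a driver or database that accepts stacked statements would run it in the concatenated form and still bind it harmlessly in the parameterized one.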
Take a look at the following Microsoft article, which discusses exactly what you require, in depth and for different data access strategies.
How To: Protect From SQL Injection in ASP.NET