Application Security // Database Security
00:32 AM
Connect Directly

The Root Of All Database Security Evils = Input

Input validation and prepared SQL statements crucial to preventing SQL injection attacks

Some of the most embarrassing database breaches of the past few years boil down to one big root cause: poor input validation and sanitization imposed by developers who create Web applications that tap into these data stores. In the rush to get code compiled and out the door, developers create input fields that allow users to type in anything they want. That's fine for most users who just need to type in their usernames, a search term, or an address and phone number. But when the bad guys get their hooks into these unchecked input fields, they're one step closer to hacking the database.

"User input is the root of all evil," says Trevor Hawthorn, CTO for security consultancy Stratum Security. "Ultimately, user input in some way, shape, or form makes its way to the database, and so where that could spell trouble is if a user submits input to a Web application that is then interpreted by the database as database commands rather than what it is -- user input."

[Hackers fixate on SQL injections--CSOs, not so much. See The SQL Injection Disconnection.]

According to Hawthorn, SQL injection is the "800-pound gorilla" when it comes to input-related problems.

As Bill Karwin, principal consultant for Percona, explains, this most-widespread security risk on the Internet is essentially a coding gaffe where the developer "interpolates untested content into SQL queries," giving malicious users the tools to type SQL queries into input fields to directly interact with the database without the application ever acting as a filter.

"Developers should make sure their code never executes user input as code," Karwin warns.

Here's why: With that kind of power in the hands of a knowledgeable attacker or even an unknowledgeable one using an automated SQL injection attack tool like Havij, any outside user can input commands that will allow them to retrieve data from the database or add content to a database. This opens up the possibility not only of theft, but also adding malware into a database that powers a website so that it is serving up malicious content to users, or even adding content to something like a story on a news website, Hawthorn says.

For example, one client that his company serviced ran into a situation where a public policy organization had messaging on its site that was diametrically opposed to its policy positions.

"They were essentially lobbying against themselves, and nobody noticed it for quite a while," he says. "That was a case where it was a SQL injection vulnerability that allowed someone to make just a couple of crucial changes."

Experts agree that a big reason why so many SQL injection vulnerabilities remain out there in the wild is because developers only assume their users will type inputs with good intentions.

"From a security professional's perspective, a good programmer will sanitize all data sent to the server, aggressively fuzz their input fields, and constantly patch their components," says Dylan Evans, vice president of operations for Reveal Digital Forensics and Security. "However, from the programmer's perspective, these concerns may not reach a high priority. The vast majority of Web programmers are familiar with SQL injection -- and its sibling, cross-site scripting -- on a conceptual level. However, understanding why something is dangerous and actively preparing for that danger are two different issues."

Part of that preparation is to not only test and plan for typical use cases, but also those atypical abuse cases. It's the only way that organizations will be able to effectively stamp out SQLi attacks like the one that hit Adobe this week, experts say.

"If you filter user inputs to only respond to known queries, you are golden, but too many Web applications trust the unknown user's input," says Mark Goudie, managing principal for the RISK Team at Verizon Enterprise Solutions. "Bad people do bad things with user input and [then] they can access all of your database."

First and foremost, Hawthorn says, developers need to be aware of how data comes into their application.

"Understand where your inputs are, how people could abuse them, and what would happen if things were to go seriously wrong," he says, explaining that one of the biggest best practices developers should strive to implement is whitelisting input as much as possible.

"Whitelist the types of content you are expecting for a given input," he says.

So, for example, a phone number input box shouldn't accept letters or apostrophes. Hawthorn says he understands that, in many cases, this may not always be feasible, particularly as more sites are built with social features that allow for greater freeform user input functionality. In these cases, developers should seek to use prepared SQL statements so that user input is never entered into the database as code.

"So if I enter my username as ' or 1=1, what the application should do is reach back into the database and say, 'Do I have a user name ' or 1=1 ?' So what it should do is look in the database for literally the characters that were put in," he says. "That's a good way to solve most of your input validation-based database challenges."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/21/2012 | 12:15:45 AM
re: The Root Of All Database Security Evils = Input
It's sad that years after the SQL and
Blind SQL Injection attacks were crated, so many web applciations are
still vulnerable.


Matthew Cohen

Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.