Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

9/12/2012
10:46 PM
50%
50%

10 Ways Developers Put Databases At Risk

Some of the most important database protection methods start with developers who tap into sensitive data stores

Many of today's Web applications rely on enterprises' most sensitive data stores to keep order systems running, partner companies collaborating, and internal users in touch with important business information no matter where they are.

[ Learn more about best practices for protecting your databases. See Strategies For Protecting Web-Facing Databases . ]

While such easy access to business-critical data has greatly improved worker productivity and loosened the pocketbooks of customers, it has also opened up that data to considerable risk. Unfortunately, much of the risk is introduced by developers who lack the resources to code these applications without vulnerabilities that open databases to compromise -- be it time, money, education, or support from executives.

When these factors aren't in place, developers frequently make these mistakes:

1. Trusting Input Way Too Much
One of the top ways developers put databases at risk today is by leaving their applications open to SQL injection. And those SQLi vulnerabilities usually crop up when the developer puts too much trust in user input.

"Without validating that, say, a phone number field only accepts digits, a developer may be allowing hackers something analogous to terminal access to the database," says Konstantinos Karagiannis, principal consultant for BT Global Services' Ethical Hacking division. "For example, a single quote inserted in a form field may prematurely close a valid SQL query the application was supposed to make, allowing the attacker to build and submit a new query."

One of the top ways of addressing this problem is by parameterizing queries.

"Parameterized queries prevent attackers from changing the logic or code at the heart of the query and negate most SQL injection attacks," says Jacob West, CTO of Fortify Products at HP Enterprise Security. "Parameterized queries have been around almost as long as databases and, unlike many areas of security, using them is a best practice for performance and code maintainability as well."

But developers shouldn't stop there. Input should be sanitized and validated because sometimes parameterization is not a possibility. Even when it is, unvalidated input can be used for other nefarious purposes, such as cross-site scripting attacks.

"The oldest and worst sin is not sanitizing inputs, which is stripping out any characters not needed from the user input, like removing apostrophes or semicolons, before running a query against the database," says David Habusha, product vice president for GreenSQL.

2. Displaying Database Error Messages To End Users
When developers allow very specific error messages to pop up when something goes wrong with an application's SQL query, it may help with diagnostics, but it is also offering hackers a nice little window into the inner workings of the back-end database.

"This makes attackers' jobs easier by revealing important information about how the database is structured and how the application queries it," says Bill Karwin, principal consultant for Percona.

Error messages can give away clues as to the type of database an application is tapping into, the query structure and the underlying schema, Habusha says.

"This exploit opens the door for a blind SQL injection attack," he says. "Developers should display a generic error page instead."

3. Playing Fast And Loose With Passwords
For the sake of expediency, many developers play fast and loose with user passwords in a number of insecure ways. For example, they may hard-code passwords into the application.

"One of the most egregious database risks are hard-coded passwords and passwords in configuration files," says Tim Erlin, director of IT security risk and strategy for nCircle. "Both of these design choices rely on security through obscurity; they assume the attacker won't have access to this information, and therefore development doesn't have to concern themselves with the security of the files or the information in them."

Similarly dangerous is the practice of storing passwords in plain text.

"A very simple but all too common mistake is storing passwords in plain text, which involves not hashing the user inputted password, and not salting hashes, which entails adding random bits to the hash," says Daniel Jacobowitz, security research engineer for BeyondTrust.

Whichever flavor of poor password management, failing to build strong authentication into applications with a direct line into the database is akin to leaving the door to the bank vault wide open.

4. Making Every Connection SUPER
In the same vein, many developers put databases at risk by routing all connections from the application to the database through a "root" or some other SUPER user account. This is often a frequent problem associated with those applications with hard-coded passwords, as it is too difficult to institute proper privilege management in these cases.

"Ordinary application operations rarely need access granted by the 'super' privilege, and allowing applications to use the super-privileged user creates opportunities for unrestricted actions that are not appropriate," Karwin says. "All applications should connect to the database using lesser-privileged credentials."

5. Believing Stored Procedures Are THE Answer To SQLi
Many developers today believe that stored procedures are a reliable way to prevent SQL injection. Not so, says Dmitry Vyrostkov of DataArt.

"In fact, stored procedures do not prevent SQL injections if they contain vulnerabilities within their own code, or if they are invoked in an unsafe manner," he says.

Romain Guacher agrees that this is a myth that needs busting within the developer community.

"It's not true because string concatenation can happen inside stored procedures," says Gaucher, senior security researcher for Coverity. "Even stored procedure calls that are prepared statements can be vulnerable if dynamic queries are constructed and executed from inside the stored procedure itself."

Next Page: 5 more mistakes.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.