Hunting Security Bugs
When testing for SQL injection bugs, you need to find the places where user-supplied data is used when interacting with a SQL statement. The following are some tips to help you get started hunting for SQL injection bugs.
- Identify places where SQL queries are constructed using user-supplied data, and attempt to cause a SQL injection for each one.
- Review the permissions on objects, databases, views, custom stored procedures, and so forth to identify any weak permissions that could lead to elevation of privilege attacks if there is a SQL injection. Make sure to connect to the database using a user account that has only the permissions needed.
- Use SQL Server Profiler with the SQLInjection template to trace all of the SQL statements that the database executes, including nested statements contained within stored procedures.
- Attempt to break out of a statement using single quotation marks, but also remember that some queries require different techniques to break out, such as using a semicolon, closing parenthesis, comments, or bracket.
- Look for queries that allow the user to specify the sort order of the results, such as using ASC and DESC. Often, these are appended to the end of the query, so they could allow SQL injection.
- Look for queries that are dynamically created without using SQL parameters, especially if they contain user-supplied data. There is a high risk that an attacker can cause a SQL injection in these queries.
- Look for LIKE clauses to see whether you can alter the behavior of the statement using wildcard characters that shouldn't be allowed.
- Look for places in the stored procedure code that use EXEC, EXECUTE, or sp_executesql to execute a dynamic query that was constructed using user data.
- Look for data truncation issues, especially when using QUOTENAME and REPLACE, in variables that hold user data and are used to execute dynamic SQL statements.
- Remember that injection bugs are not limited to SQL. Other technologies, such as HTML, XPath, and LDAP, are also vulnerable to similar attacks.
- If QUOTED_IDENTIFIER is set to OFF, double quotation marks can be used in place of single quotation marks, so don't forget to try them as well.
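The following is an added example, not code from the book, that shows what several of the tips above look like in application code: a lookup built by string concatenation (the pattern to hunt for) next to its parameterized form, a user-controlled sort order that cannot be passed as a parameter and so must be allowlisted, and a LIKE clause whose wildcard characters are escaped. It uses Python's sqlite3 module as a stand-in for SQL Server, with a constructed `users` table; the placeholder syntax (`?`) differs from sp_executesql's named parameters, but the distinction between data (bindable) and identifiers or keywords (not bindable) is the same on every database.

```python
import sqlite3

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin"),
    ("bob", "bob@example.com", "user"),
    ("bobby_tables", "bobby@example.com", "user"),
    ("100%_legit", "pct@example.com", "user"),
]

# Identifiers and keywords cannot be bound as parameters, so the only safe
# way to let a user choose them is to compare against a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"username", "email"}
ALLOWED_SORT_DIRECTIONS = {"ASC", "DESC"}


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username: str):
    """Query assembled by concatenation: the construct the checklist tells
    you to look for. A quote in the input closes the literal early."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """Same lookup with a bound parameter; the value is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters (%, _ and the escape char itself) so the
    user's text is matched literally when used with an ESCAPE clause."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def is_allowed_sort(sort_col: str, sort_dir: str) -> bool:
    """True only if both the column and the direction are on the allowlist."""
    return (sort_col in ALLOWED_SORT_COLUMNS
            and sort_dir.upper() in ALLOWED_SORT_DIRECTIONS)


def search_users(conn, prefix: str, sort_col: str, sort_dir: str):
    """Prefix search with a user-chosen sort order.

    The prefix is data: it is escaped for LIKE and bound as a parameter.
    The ORDER BY column and ASC/DESC are identifiers/keywords: they are
    validated against the allowlist before being placed in the statement.
    """
    if not is_allowed_sort(sort_col, sort_dir):
        raise ValueError(f"sort not allowed: {sort_col!r} {sort_dir!r}")
    sql = (f"SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
           f"ORDER BY {sort_col} {sort_dir.upper()}")
    pattern = escape_like(prefix) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,)).fetchall()]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no row matches
    print("search:", search_users(db, "bob", "username", "desc"))
```

When reviewing code, the `find_user_unsafe` shape (a literal quote, a `+`, a request value, another quote) is what to grep for; the `search_users` shape shows why an ORDER BY direction that arrives from the client needs its own check even when every other value in the statement is parameterized.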