Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks: Difference between revisions
Programsam (talk | contribs) |
Programsam (talk | contribs) |
||
| Line 22: | Line 22: | ||
The single quotation mark (‘) indicates to the SQL parser that the character sequence for the username column is closed, the fragment <code>OR TRUE</code> is interpreted as always true, and the fragment of the query after the hyphens (<code>--</code>) is a comment. The altered <code>WHERE</code> clause of the SQL statement will be interpreted as always true and thus every patient is deleted from the table. Because no input validation was performed, the attacker can exploit the system by inserting the malicious input in the name field, and causing truncation of the <code>Patients</code> table. Thus, the bolded statement in Figure 1 is an example of a SQL injection hotspot (or just “hotspot” in this paper)—any source code location that may contain a SQL injection vulnerability<sup>[1, 2]</sup>. | The single quotation mark (‘) indicates to the SQL parser that the character sequence for the username column is closed, the fragment <code>OR TRUE</code> is interpreted as always true, and the fragment of the query after the hyphens (<code>--</code>) is a comment. The altered <code>WHERE</code> clause of the SQL statement will be interpreted as always true and thus every patient is deleted from the table. Because no input validation was performed, the attacker can exploit the system by inserting the malicious input in the name field, and causing truncation of the <code>Patients</code> table. Thus, the bolded statement in Figure 1 is an example of a SQL injection hotspot (or just “hotspot” in this paper)—any source code location that may contain a SQL injection vulnerability<sup>[1, 2]</sup>. | ||
... | |||
java.sql.Connection mySQLConnector = DriverManager.getConnection(); | |||
java.sql.Statement s = mySQLConnector.createStatement("DELETE FROM | |||
Patients WHERE Name = ‘" + name + “’;”); | |||
int result = s.executeUpdate(); | |||
return 1 == result; | |||
... | |||
<center>Figure 1. Patient Deletion Code in Java; hotspot is bolded </center> | |||
'''Error message information leak vulnerabilities'''. These vulnerabilities occur when an application does not correctly handle exceptional conditions and subsequently leaks sensitive information to a user<sup>[4, 5]</sup>. This information can be obviously dangerous in the case of error messages that contain system or application passwords, or it may seem more benign, containing only version numbers or stack traces. Unfortunately, even these seemingly benign error information leaks can provide valuable information to an attacker and could expose additional attack vectors. Since a tester cannot tell what information an attacker needs to conduct future attacks, a good policy is to treat all error information leakage vulnerabilities as if they contain obviously dangerous information such as passwords. | '''Error message information leak vulnerabilities'''. These vulnerabilities occur when an application does not correctly handle exceptional conditions and subsequently leaks sensitive information to a user<sup>[4, 5]</sup>. This information can be obviously dangerous in the case of error messages that contain system or application passwords, or it may seem more benign, containing only version numbers or stack traces. Unfortunately, even these seemingly benign error information leaks can provide valuable information to an attacker and could expose additional attack vectors. Since a tester cannot tell what information an attacker needs to conduct future attacks, a good policy is to treat all error information leakage vulnerabilities as if they contain obviously dangerous information such as passwords. | ||