4.23.2007

How to detect SQL injection

Why is it difficult for an automatic web application security audit tool to detect vulnerabilities?
Each web application responds differently to attack requests, so searching the response for error strings is not a reliable method.

Sanshi has a module that detects vulnerabilities such as SQL injection and path traversal.

Here are two versions of the same code: one with the vulnerability and one without.

See list 1. This code is vulnerable to SQL injection.

list 1

    import java.sql.*;

    class DatabaseAccess {
        private Connection con;
        :
        public ResultSet read(String idx) throws SQLException {
            Statement statement;
            String sql;

            // Vulnerable: 'idx' is concatenated straight into the SQL text,
            // so a quote in the input changes the query's structure.
            sql = "select * from foo where index = '" + idx + "';";
            statement = con.createStatement();

            return statement.executeQuery(sql);
        }
        :
    }

    DatabaseAccess db = new DatabaseAccess();
    String idx;        // taken from the request (assignment omitted)
    ResultSet result;
    :
    try {
        result = db.read(idx);
        printResult(result);
        :
    } catch (SQLException exception) {
        // Any database error, including a syntax error caused by the input,
        // ends up here and produces the error page.
        writeLog(exception);
        printError();
    }


The function 'printResult()' writes the details of the row of 'foo' whose 'index' equals 'idx'.
Example:

<table>
<tbody>
<tr>
<th>Field Name</th>
<th>Value</th>
</tr>
<tr>
<td>index</td>
<td>1</td>
</tr>
<tr>
<td>value</td>
<td>test value</td>
</tr>
</tbody>
</table>

The function 'printError()' writes an error message.
Example:

<b>
Error occurred!!<br>
</b>
Please contact the system administrator.<br>

For a malformed request such as "'", this application responds with the output of 'printError()'. But for a syntactically valid injected request such as "' or 'a' = 'a", it responds with the output of 'printResult()'.

Now see list 2. This code is not vulnerable to SQL injection.

list 2

    import java.sql.*;

    class DatabaseAccess {
        private Connection con;
        :
        public ResultSet read(String idx) throws SQLException {
            PreparedStatement prep;
            String sql;

            // Safe: the query text is fixed and 'idx' is bound as a value,
            // so it can never change the query's structure.
            sql = "select * from foo where index = ?;";
            prep = con.prepareStatement(sql);
            prep.setString(1, idx);
            return prep.executeQuery();
        }
        :
    }

    DatabaseAccess db = new DatabaseAccess();
    String idx;        // taken from the request (assignment omitted)
    ResultSet result;
    :
    try {
        result = db.read(idx);
        printResult(result);
        :
    } catch (SQLException exception) {
        writeLog(exception);
        printError();
    }


Regardless of the request, the response of this application (list 2) is always the output of 'printResult()'.

So you can see that if the application is vulnerable, the response to a valid request has a different structure from the response to an erroneous request. Not only the text differs, but also the structure of the HTML tags.

It is difficult for a tool to find vulnerabilities from differences in text, because a difference in text is a difference in meaning: the tool would have to understand what the text means, and that is very hard for a tool.

But it is easy for a tool to find vulnerabilities from differences in the structure of the HTML tags, because that is a purely structural difference: the tool only has to compare the tag structures of the responses.
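The following is an added example, not code from this post and not Sanshi's code, that puts both halves of the argument into one runnable program: a tiny application with a vulnerable read() (list 1) and a safe read() (list 2), the two response shapes (printResult() and printError()), and a checker that sends the two requests named above and compares only the HTML tag structure of the replies. It assumes an in-memory SQLite table standing in for 'foo' (the column is called 'idx' because 'index' is a reserved word in SQLite), and the HTML rendering is a constructed approximation of the examples above.

```python
import html
import sqlite3
from html.parser import HTMLParser


def make_db():
    # Constructed stand-in for the page's table 'foo' with one row.
    con = sqlite3.connect(":memory:")
    con.execute("create table foo (idx text, value text)")
    con.execute("insert into foo values ('1', 'test value')")
    return con


def read_vulnerable(con, idx):
    # Same defect as list 1: the input is concatenated into the SQL text.
    sql = "select * from foo where idx = '" + idx + "'"
    return con.execute(sql).fetchall()


def read_safe(con, idx):
    # Same remedy as list 2: a placeholder, the driver binds the value.
    return con.execute("select * from foo where idx = ?", (idx,)).fetchall()


def print_result(rows):
    # Counterpart of printResult(): a field/value table, one pair of rows per record.
    cells = "".join(
        "<tr><td>idx</td><td>%s</td></tr><tr><td>value</td><td>%s</td></tr>"
        % (html.escape(i), html.escape(v)) for i, v in rows)
    return "<table><tbody>%s</tbody></table>" % cells


def print_error():
    # Counterpart of printError().
    return "<b>Error occurred!!<br></b>Please contact the system administrator.<br>"


def handle_request(reader, con, idx):
    # Mirrors the try/catch in both listings: any database error becomes the error page.
    try:
        return print_result(reader(con, idx))
    except sqlite3.Error:
        return print_error()


class TagSkeleton(HTMLParser):
    """Keeps only the sequence of start and end tags; text and attributes are dropped."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append("<%s>" % tag)

    def handle_endtag(self, tag):
        self.tags.append("</%s>" % tag)


def skeleton(markup):
    parser = TagSkeleton()
    parser.feed(markup)
    parser.close()
    return parser.tags


# The two requests discussed in the post: one that breaks the SQL syntax
# and one that keeps it valid.
ERROR_PROBE = "'"
TAUTOLOGY_PROBE = "' or 'a' = 'a"


def scan(request):
    """request(idx) -> HTML. Flags the application when the two probes
    produce responses with different tag structure (not different text)."""
    error_shape = skeleton(request(ERROR_PROBE))
    tautology_shape = skeleton(request(TAUTOLOGY_PROBE))
    return {
        "error_shape": error_shape,
        "tautology_shape": tautology_shape,
        "injectable": error_shape != tautology_shape,
    }


if __name__ == "__main__":
    for name, reader in (("list 1", read_vulnerable), ("list 2", read_safe)):
        con = make_db()
        verdict = scan(lambda idx: handle_request(reader, con, idx))
        print(name, "injectable" if verdict["injectable"] else "not injectable")
        print("  error probe    :", " ".join(verdict["error_shape"]))
        print("  tautology probe:", " ".join(verdict["tautology_shape"]))
```

For list 1 the error probe yields the <b>/<br> skeleton of the error page while the tautology probe yields a <table> skeleton, so the shapes differ; for list 2 both probes select zero rows and yield the same empty-table skeleton. The checker compares the two probe responses to each other rather than to the ordinary response on purpose: even in the safe version, the number of rows returned changes the number of <tr> elements, so a comparison against the normal page would need to normalise repeated rows first, which this example does not attempt.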
