4.23.2007

How to detect SQL injection

Why is it difficult for an automatic web application security audit tool to detect vulnerabilities?
Each web application responds differently to attack requests, so searching the response for known error strings is not a reliable way to find them.

Sanshi has a module which detects vulnerabilities such as SQL injection and path traversal.

Now, here are two versions of the same code: one with the vulnerability and one without it.

See list 1. This code has a SQL injection vulnerability.

list 1

import java.sql.*;

class DatabaseAccess {
    private Connection con;
    // ...
    public ResultSet read(String idx) throws SQLException {
        Statement statement;
        String sql;

        // the request parameter is pasted into the SQL text, so any quote
        // in 'idx' becomes part of the statement (vulnerable)
        sql = "select * from foo where index = '" + idx + "';";
        statement = con.createStatement();

        return statement.executeQuery(sql);
    }
    // ...
}

DatabaseAccess db = new DatabaseAccess();
String idx;            // taken from the request
ResultSet result;
// ...
try {
    result = db.read(idx);
    printResult(result);
    // ...
} catch (SQLException exception) {
    writeLog(exception);
    printError();
}

The function 'printResult()' writes the fields of the 'foo' record whose 'index' equals 'idx'.
Example:

<table>
<tbody>
<tr>
<th>Field Name</th>
<th>Value</th>
</tr>
<tr>
<td>index</td>
<td>1</td>
</tr>
<tr>
<td>value</td>
<td>test value</td>
</tr>
</tbody>
</table>

The function 'printError()' writes an error message.
Example:

<b>
Error occurred!!<br>
</b>
Please contact the system administrator.<br>

For a malformed request such as "'", the quote breaks the SQL syntax, so this application responds with the output of 'printError()'. But for a request that is still valid SQL, such as "' or 'a' = 'a", it responds with the output of 'printResult()'.

By contrast, see list 2. This code uses a prepared statement and has no SQL injection vulnerability.

list 2

import java.sql.*;

class DatabaseAccess {
    private Connection con;
    // ...
    public ResultSet read(String idx) throws SQLException {
        PreparedStatement prep;
        String sql;

        // the SQL text is fixed; 'idx' is bound to the '?' placeholder as
        // a value and can never change the statement's syntax
        sql = "select * from foo where index = ?;";
        prep = con.prepareStatement(sql);
        prep.setString(1, idx);
        return prep.executeQuery();
    }
    // ...
}

DatabaseAccess db = new DatabaseAccess();
String idx;            // taken from the request
ResultSet result;
// ...
try {
    result = db.read(idx);
    printResult(result);
    // ...
} catch (SQLException exception) {
    writeLog(exception);
    printError();
}


Whatever the request, the response of this application (list 2) is always the output of 'printResult()', because the parameter is bound as data and cannot cause a syntax error.
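To make the difference between list 1 and list 2 concrete, here is an added example (not code from the original post or from Sanshi) that runs both versions of 'read()' against an in-memory SQLite table with the three requests discussed above: an ordinary value, the quote "'" that breaks the syntax, and "' or 'a' = 'a", which is still valid SQL. The 'foo' table, its rows and the 'print_result()'/'print_error()' renderings are constructed for this example, and the column is named 'idx' instead of 'index' because 'index' is a reserved word in SQLite.

```python
import sqlite3
from html import escape


def make_db():
    # Constructed stand-in for the page's 'foo' table (column 'idx', not
    # 'index', because 'index' is reserved in SQLite).
    con = sqlite3.connect(":memory:")
    con.execute("create table foo (idx text, value text)")
    con.executemany("insert into foo values (?, ?)",
                    [("1", "test value"), ("2", "other value")])
    return con


def read_vulnerable(con, idx):
    # list 1: the request parameter becomes part of the SQL text, so a quote
    # in idx can break the statement (syntax error) or change its meaning.
    sql = "select idx, value from foo where idx = '" + idx + "'"
    return con.execute(sql).fetchall()


def read_safe(con, idx):
    # list 2: the '?' placeholder is bound to idx as a value; the SQL text is
    # fixed before the parameter is seen, whatever characters it contains.
    return con.execute("select idx, value from foo where idx = ?", (idx,)).fetchall()


def print_result(rows):
    # Mirrors printResult(): a field-name/value table for the first record.
    # An empty result set yields a table with the header row only.
    body = ""
    if rows:
        for name, val in zip(("index", "value"), rows[0]):
            body += "<tr><td>%s</td><td>%s</td></tr>" % (escape(name), escape(val))
    return ("<table><tbody><tr><th>Field Name</th><th>Value</th></tr>"
            + body + "</tbody></table>")


def print_error():
    # Mirrors printError(): a fixed page that leaks no database detail.
    return "<b>Error occurred!!<br></b>Please contact the system administrator.<br>"


def handle_request(reader, con, idx):
    """Return (outcome, row_count, html), following the page's try/catch."""
    try:
        rows = reader(con, idx)
    except sqlite3.Error:
        # writeLog(exception) would go here; the client only sees printError()
        return "error", 0, print_error()
    return "result", len(rows), print_result(rows)


PROBES = ["1", "'", "' or 'a' = 'a"]   # the three requests discussed on the page

if __name__ == "__main__":
    con = make_db()
    for name, reader in (("list 1 (concatenation)", read_vulnerable),
                         ("list 2 (prepared statement)", read_safe)):
        for probe in PROBES:
            outcome, n, _ = handle_request(reader, con, probe)
            print("%-28s idx=%-16r -> %s, %d row(s)" % (name, probe, outcome, n))
```

Running it shows the pattern the post relies on: list 1 answers the quote with the error page and the always-true input with a result page listing every row, while list 2 answers both with a (here empty) result page, because neither input matches a stored 'idx' value and neither can alter the statement.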

So you can see that, if the application is vulnerable, the structure of the response to a correct request differs from the response to an error request. Not only the text differs, but also the structure of the HTML tags.

It is difficult for a tool to find vulnerabilities from differences in the text, because a difference in text is a difference in meaning: the tool would have to understand what the text means, and that is very hard for a tool.

But it is easy for a tool to find vulnerabilities from differences in the structure of the HTML tags, because that is a purely structural difference: to find the vulnerability, the tool only has to compare the tag structures of the responses.
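The comparison described above, as an added example (not the original post's or Sanshi's code): the tag sequence of each response is extracted with the standard library's HTMLParser, all text is discarded, and the application is flagged only when the syntax-breaking request changes the structure while the still-valid request restores it. The sample responses are constructed here after the 'printResult()' and 'printError()' output shown above; the function names and the 'result_page()' helper are this example's own.

```python
from html import escape
from html.parser import HTMLParser


class TagSkeleton(HTMLParser):
    """Keeps only the sequence of tags in a response; all text is discarded."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append("<%s>" % tag)

    def handle_endtag(self, tag):
        self.tags.append("</%s>" % tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append("<%s/>" % tag)


def skeleton(html):
    """Return the tag structure of an HTML response as a list of strings."""
    parser = TagSkeleton()
    parser.feed(html)
    parser.close()
    return parser.tags


def looks_injectable(baseline, error_probe, valid_probe):
    """The post's heuristic as a function.

    baseline     response to an ordinary request (e.g. idx=1)
    error_probe  response to a request that breaks the SQL syntax (the post's "'")
    valid_probe  response to a request that is still valid SQL (the post's "' or 'a' = 'a")

    Flagged when the error probe changes the tag structure but the valid probe
    brings the baseline structure back.  A safe application answers all three
    with the same structure and is therefore not flagged.
    """
    base = skeleton(baseline)
    return skeleton(error_probe) != base and skeleton(valid_probe) == base


# Constructed sample responses, modelled on the printResult()/printError() output above.
def result_page(index, value):
    return ("<table><tbody><tr><th>Field Name</th><th>Value</th></tr>"
            "<tr><td>index</td><td>%s</td></tr>"
            "<tr><td>value</td><td>%s</td></tr></tbody></table>"
            % (escape(index), escape(value)))


ERROR_PAGE = "<b>Error occurred!!<br></b>Please contact the system administrator.<br>"

# list 1 behaviour: the quote probe yields the error page, the always-true
# probe yields a result page whose text differs from the baseline.
VULN_RESPONSES = (result_page("1", "test value"), ERROR_PAGE,
                  result_page("2", "other value"))
# list 2 behaviour: every request yields a result page; only the text varies.
SAFE_RESPONSES = (result_page("1", "test value"), result_page("", ""),
                  result_page("", ""))

if __name__ == "__main__":
    for name, responses in (("list 1", VULN_RESPONSES), ("list 2", SAFE_RESPONSES)):
        print(name, "looks injectable:", looks_injectable(*responses))
    # A plain text comparison would also separate baseline from valid probe,
    # which is exactly the noise the structural comparison avoids.
    print("text equal:", VULN_RESPONSES[0] == VULN_RESPONSES[2],
          "structure equal:", skeleton(VULN_RESPONSES[0]) == skeleton(VULN_RESPONSES[2]))
```

One caveat for anyone building on this: a bare tag sequence is stable only when the page's structure does not legitimately vary between requests. A result table with a variable number of rows, or a page with changing navigation blocks, will differ structurally even on a safe application, so in practice the baseline is requested more than once to learn which parts of the skeleton are constant before the probes are compared against it.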

4.19.2007

How does Sanshi detect vulnerability in web application?

Sanshi has three modules to detect vulnerabilities in a target web application.

1. Sanshi searches the responses for specific words whose presence indicates that the web application has a vulnerability.
2. Sanshi listens on a port for a connection from the web application server, which arrives only if the web application is vulnerable.
3. Sanshi detects the difference between the response when the web application hits a syntax error and the response when it does not.

I'll write about these modules in detail.

4.11.2007

What is Sanshi?

I have been developing Sanshi, a web application security scanner. In the near future, I'll open it to the public.

Sanshi is an automatic web application security test tool.
It finds vulnerabilities in web applications, such as XSS, SQL injection, command injection, and so on.
Its distinguishing features are the following:
- Sanshi is open source software.
- You can test the security of your web application automatically.
- You can test your web application through a workflow. So Sanshi can find vulnerabilities in a page that is reached only after a few pages in which you input data.
- You can create new test modules, because the test API will be opened to the public.