Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can a SQL Injection attack be executed through anything other than SqlCommand?

Tags:

If I have an ASP.NET web application that has a SQL Server database, is it safe to assume that if a SQL Injection attack is going to be made it will pass through an instance of the SqlCommand class?

Background:

I am in a situation where I inherited a rather large web application that has some SQL Injection vulnerabilities. I have found several just by looking through the code for other issues, but I'm wondering if a safe way to find all SQL Injection vulnerabilities would be to search all files for instances of SqlCommand and then check to see if they are parametrized queries. Is this a solid plan?

like image 991
Abe Miessler Avatar asked Nov 21 '12 00:11

Abe Miessler

People also ask

What are 3 methods SQL injection can be done by?

SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data and their damage potential.

What can be done with SQL injection attack?

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

How an SQL injection attack can be occurred?

To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the web page or web application. A web page or web application that has an SQL Injection vulnerability uses such user input directly in an SQL query. The attacker can create input content.

2 Answers

I wouldn't look just for SqlCommand specifically - the code could use DBCommand or IDbCommand. It could be wrapped in ORMs like EF, L2S or NHibernate (all offer some level of raw access). It could use something like "dapper" or simple.data. Or DataTable / DataAdapter. You might have code that uses legacy OLEDB or ADODB access. Heck, for all we know you could have written your own low-level TDS API.

So: it comes down to checking data access code, which could take many forms. If your departmental approach is "use SqlCommand directly", then that changes things.

Also: SQL injection isn't limited to .NET - you can, for example, create a SQL injection risk in a raw command text or stored procedure even if you parameterise, if the TSQL does any kind of concatenation to make dynamic SQL, to be invoked via EXEC. Note that sp_executesql can help with that.

like image 181
Marc Gravell Avatar answered Oct 05 '22 23:10

Marc Gravell

Depending on your database schema you may also need to check for attacks in stored procs (assuming you're using stored procs). I have seen people use paramterised stored procedures in their code, but in the proc they just use EXEC to query:

CREATE PROC Dummy
(
   @Str VARCHAR(50)
)
AS
EXEC ('SELECT * FROM Table Where Column = ''' + @Str + '''')
like image 24
Greg Avatar answered Oct 05 '22 23:10

Greg
Sign in to Comment

Related questions

C# Struct instance behavior changes when captured in lambda
Use of __clone in PHP?
adb got two same serial numbers when connected to two smart phones
How to assign values to dynamic names variables
Comma separated list with "and" in place of the last comma
Regex match any string not containing dot character
Javascript: Best way to convert associative array to string and back the other way later?
Overriding a method with different return types in java?
Handling data binding in AngularJS Services
C++ Error: undefined reference to `main'
android deleting a file from internal storage
Why does Google Mocks find this function call ambiguous?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!