tags:

views:

597

answers:

6
+3  Q: 

Defending against a 'WAITFOR DELAY' sql injection attack?

Hi all,

The problem

We need to defend against a 'WAITFOR DELAY' sql injection attack in our java application.

Background

[This is long. Skip to 'Solution?' section below if you're in a rush ]

Our application mostly uses prepared statements and callable statements (stored procedures) in accessing the database.

In a few places we dynamically build-and-execute queries for selection. In this paradigm we use a criteria object to build the query depending on the user-input criteria. For example, if the user specified values for first_name and last_name, the result querying always looks something like this: 

SELECT first_name,last_name FROM MEMBER WHERE first_name ='joe' AND last_name='frazier'

(In this example the user would have specified "joe" and "frazier" as his/her input values. If the user had more or less critieria we would have longer or shorter queries. We have found that this approach is easier than using prepared statements and quicker/more performant than stored procedures).

The attack

A vulnerability audit reported an sql injection failure. The attacker injected the value 'frazier WAITFOR DELAY '00:00:20' for the 'last_name' parameter, resulting in this sql:

   SELECT first_name,last_name FROM MEMBER WHERE first_name ='joe' AND last_name='frazier' WAITFOR DELAY '00:00:20'

The result: the query executes successfully, but takes 20 seconds to execute. An attacker could tie up all your database connections in the db pool and effectively shut down your site.

Some observations about this 'WAITFOR DELAY' attack

  • I had thought that because we used Statement executeQuery(String) we would be safe from sql injection. executeQuery(String) will not execute DML or DDL (deletes or drops). And executeQuery(String) chokes on semi-colons, thus the 'Bobby Tables' paradigm will fail (i.e. user enters 'frazier; DROP TABLE member' for a parameter. See. http://xkcd.com/327/)

  • The 'WAITFOR' attack differs in one important respect: WAITFOR modifies the existing 'SELECT' command, and is not a separate command.

  • The attack only works on the 'last parameter' in the resulting query. i.e. 'WAITFOR' must occur at the very end of the sql statement

Solution, Cheap Hack, or Both?

The most obvious solution entails simply tacking "AND 1=1" onto the where clause.

The resulting sql fails immediately and foils the attacker:

   SELECT first_name,last_name FROM MEMBER WHERE first_name ='joe' AND last_name='frazier' WAITFOR DELAY '00:00:20' AND 1=1

The Questions

  • Is this a viable solution for the WAITFOR attack?
  • Does it defend against other similar vulnerabilities?
  • I think the best option would entail using prepared statements. More work, but less vulnerable.
+10  A: 

SQL injection is SQL injection - there's nothing special about a WAITFOR DELAY.

There is absolutely no excuse for not using prepared statements for such a simple query in this day and age.

(Edit: Okay, not "absolutely" - but there's almost never an excuse)

Aaronaught  2010-01-07 21:40:20
looking over the code, several of these 'finder' DAO methods generate 'IN clauses' (i.e. "WHERE STATUS in (1,2,3)"). No excuses, but these are more difficult with prepared statements.
 2010-01-07 22:47:11
Not really. Just parameterize the individual IN tokens (`WHERE status IN (?, ?, ?)`).
Aaronaught  2010-01-07 22:56:59
one wrinkle: the list size can vary. dynamic list sizes present a problem, AFAIK the preparedStatement sql can have a long list of '?' (i.e. upper bound of the list size); you can set the first 3 and use setNull to set the last upperbound-3.i.e., : WHERE status IN (?,?,?,?,?,?,?,?,?,?)
 2010-01-07 23:06:35
This is a fully-solved problem: http://www.javaranch.com/journal/200510/Journal200510.jsp#a2 Any of those approaches are better than raw strings.
Aaronaught  2010-01-07 23:33:37
No, I think it's 'absolutely'. There are no exceptions. Anything you think is an exception is actually something you need to solve another way.
Noon Silk  2010-01-13 10:58:37
A: 

How about follow xkcd and sanitize the input. You could check for reserved words in general and for WAITFOR in particular.

David Soroko  2010-01-07 21:42:31
Please, no. Don't try to sanitize with some flaky blacklisting system. If you have some mysterious but intense aversion to prepared statements then *escape* the strings.
Aaronaught  2010-01-07 21:45:22
I didn't -1 you, but it might seem, that the first sentence of your answer could warrant a +1 (since it mentions xkcd), but then you get to the second sentence. And that's where it all falls apart.
shylent  2010-01-07 21:51:39
Banning reserved keywords is a strategy only the TSA can afford to spend billions on and get away with.
Coincoin  2010-01-07 21:54:17
Ha, I was blinded by the authority of xkcd :-) Using prepared statements instead is obviously the way to go.
David Soroko  2010-01-08 08:58:13
+2  A: 

I think you suggested the solution yourself: Parameterized Queries.

How did you find that your dynamically built query is quicker than using a stored procedure? In general it is often the opposite.

Daniel Vassallo  2010-01-07 21:44:19
Ah yes. In general true, but in these specific cases we've found otherwise.Here's the situation: you have a DAO method which has a specification/criteria object with 30 fields on it. You could have one stored procedure with 30 parameters on it with sql that looks like this:SELECT last_name, first_name FROM member WHERE (@pLastName IS NULL OR @pLastName=last_name) AND (@pFirstName IS NULL OR @pFirstName=first_name) AND (@pSerialNbr IS NULL OR @pSerialNbr=serial_nbr) AND (@pZodiacSign IS NULL OR @pZodiacSign=zodiac_sign) AND (@pPartyRank IS NULL OR @pPartyRank=party_rank)
 2010-01-07 22:56:04
from my experience, the SQL optimizers/engines perform very poorly on such procedures; they re-use a very generic access plan (usually full-table scan) rather than recognize on-the-fly to use a particular index .Additionally, some of the values are in fact lists (i.e. 'WHERE rank in (1,2,3)' ). I have in places passed in comma-separated lists to a stored procedure, parsed and populated a temporary table, and joined against the temporary table but this in practice performs *MUCH WORSE* than a simple sql with an in clause.
 2010-01-07 22:56:44
finally, to summarize, from my experience : simple sql performs best. Super-fancy sql makes for super-slow. Optimizers and access-plan-generators aren't that smart.(also we support a few different db's so have limits how many hints we can provide)
 2010-01-07 22:57:50
If one must therefor use dynamically generated SQL, sanitize the input. By which I mean escaping strings, and validating numeric types, etc. There is plenty of pre-existing code to do that for you.
Dems  2010-01-08 00:06:55
Stored procedures won't protect you against SQL injection if you smash strings together *in the stored procedure itself* and then exec() the result. I have seen this done.The important thing to emphasise is **parametrised queries**.
jammycakes  2010-01-13 10:34:27
Good point. Thanks. Fixed the emphasis.
Daniel Vassallo  2010-01-13 10:57:09
+10  A: 

The correct way to handle SQL injection is to use parameterized queries. Everything else is just pissing in the wind. It might work one time, even twice, but eventually you'll get hit by that warm feeling that says "you screwed up, badly!"

Whatever you do, except parameterized queries, is going to be sub-optimal, and it will be up to you to ensure your solution doesn't have other holes that you need to patch.

Parameterized queries, on the other hand, works out of the box, and prevents all of these attacks.

Lasse V. Karlsen  2010-01-07 21:45:24
Good point, I guess I should have been more specific - a prepared statement won't do you any good if you pass it one big concatenated string instead of one with parameter placeholders!
Aaronaught  2010-01-07 21:48:25
Which is why I said "parameterized query", not "prepared query".
Lasse V. Karlsen  2010-01-07 21:49:19
"The correct way to handle SQL injection is to use parameterized queries. Everything else is just pissing in the wind"Thank you for telling the truth! This is the answer to almost any security programming problem actually.
Longpoke  2010-03-10 00:42:18
+1  A: 

To answer all your questions:

Is this a viable solution for the WAITFOR attack?

No. Just add -- to the attack string and it will ignore your fix.

Does it defend against other similar vulnerabilities?

No. See above.

I think the best option would entail using prepared statements. More work, but less vulnerable.

Yes. You don't fix SQL injection yourself. You use what's already existing and you use it right, that is, by parametrizing any dynamic part of your query.

Another lesser solution is to escape any string that is going to get inserted in your query, however, you will forget one one day and you only need one to get attacked.

Coincoin  2010-01-07 21:46:13
A: 

Everyone else has nailed this (parameterize!) but just to touch on a couple of points here:

  • Is this a viable solution for the WAITFOR attack?
  • Does it defend against other similar vulnerabilities?

No, it doesn't. The WAITFOR trick is most likely just being used for 'sniffing' for the vulnerability; once they've found the vulnerable page, there's a lot more they can do without DDL or (the non-SELECT parts of) DML. For example, think about if they passed the following as last_name

' UNION ALL SELECT username, password FROM adminusers WHERE 'A'='A

Even after you add the AND 1 = 1, you're still hosed. In most databases, there's a lot of malicious things you can do with just SELECT access...

Cowan  2010-01-14 04:41:12

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?