Wednesday, August 25, 2010

Great Training

I just took this course in order to prepare for the GSSP-.NET certification, and they've updated it to be language-agnostic and cover what is really necessary and important for web developers to know. It focuses on the OWASP Top 10 you hear me talk about, etc. (This is a nice change from what was really a B or C+ course.) You need to take this course if you build web apps -- .NET, Java, PHP, whatever. Take this course.

http://www.sans.org/vlive/details.php?nid=21094

Saturday, August 21, 2010

More SQL Injection Woes

These happen all the time, but hey, it is in the headlines now, so let's throw this one out to you as well. From the SANS.org newsletter I get:

--Japanese Online Supermarket Database Hacked (August 15, 2010) Attackers reportedly used SQL injection attacks to steal customer information from the databases of eight Japanese online supermarkets.
The attacks took place in late July 2010. Some credit card companies have reported fraudulent activity on accounts compromised in the attacks.
http://www.japantoday.com/category/crime/view/hackers-steal-customer-data-by-accessing-supermarket-database

CLOSE THE SQL INJECTION HOLES PEOPLE! It is easy to do...parameterized queries! Email me if you aren't sure how to do them in ASP.NET.

Monday, August 9, 2010

Quiz #1 Answers - SQLi

OK, here are the answers...let me know how you did!

Q1. Parameterized queries are 100% effective against SQL Injection. True or False.

TRUE! SQLi is a PARSING issue, and with a parameterized query the database never parses your input as additional commands alongside the one you intended.

=========================

Q2. If you can't do parameterized queries, then you can do stored procedures in the database. They offer you the same level of protection. True or False.

FALSE! Though I recommend stored procedures to avoid mistakes in the business and data layers of .NET code, among other reasons, there is no guarantee that the DBA coded the stored proc to use query parameters. He/she could still be concatenating the parameters as strings into a SQL command...ouch.

============================

Q3. Neither is perfect, but which is better for validation: black-listing or white-listing?

White-listing is better because you know what you want and can check for exactly that, discarding anything else no matter how tricky the hackers get. If you black-list, you run a huge risk of missing tomorrow's new attacks, or of canonicalization errors where the hacker encodes the attack one layer deeper than where you look. Don't chase hackers, trying to learn their latest tricks...know your holes and plug them.
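An added example (mine, not from the post) of the black-list versus white-list point above, including the canonicalization trap: the black-list tokens, the ZIP and last-name patterns, and the "decode downstream" layer are all constructed for illustration.

```python
import re
from urllib.parse import unquote
from typing import Optional

# Constructed black-list of tokens a naive filter strips (not taken from the post).
BAD_TOKENS = ("'", "--", ";")

def blacklist_filter(value: str) -> str:
    """Black-list: remove the tokens we know about and pass everything else through."""
    for token in BAD_TOKENS:
        value = value.replace(token, "")
    return value

# White-lists: describe exactly what the field may contain and reject everything else.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")               # 90210 or 90210-1234
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")   # letters, apostrophe, hyphen, space

def whitelist(value: str, pattern) -> Optional[str]:
    """Return the value unchanged if the whole string matches the pattern, else None."""
    return value if pattern.fullmatch(value) else None

def zip_after_blacklist(raw: str) -> str:
    """What a later layer sees: the black-listed value gets URL-decoded downstream,
    so an encoded quote the filter never looked for reappears one layer deeper."""
    return unquote(blacklist_filter(raw))

def zip_after_whitelist(raw: str) -> Optional[str]:
    """The ZIP white-list has no '%' in its alphabet, so the encoded form is rejected outright."""
    return whitelist(raw, ZIP_RE)

if __name__ == "__main__":
    encoded = "12345%27"   # constructed input: a URL-encoded single quote
    print("black-list passes:", blacklist_filter(encoded), "-> decoded later:", zip_after_blacklist(encoded))
    print("white-list result:", zip_after_whitelist(encoded))
    print("legitimate name:", whitelist("O'Brien", NAME_RE), "/ black-list mangles it to:", blacklist_filter("O'Brien"))
```

Note that the name white-list admits O'Brien with its quote intact, which is exactly why validation alone is not enough (Q4) and the query it feeds must still be parameterized.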

================================

Q4. If you thoroughly validate your input then you should be fine. True or False.

FALSE! Most validation is done client-side, in JavaScript. Turn that off and see how your web page reacts. Even with good server-side validation, you have to accept strings sometimes...and those can be used to nail you with SQLi. That being said, you do make huge strides when you validate thoroughly...always do it! It makes your job of stopping them so much easier. It just isn't enough on its own to stop them, so don't rely on your best efforts as a "be all, end all" sort of thing.

========================

Q5. Removing single-quotes from input data is an effective means of preventing SQLi. True or False.

FALSE! Well, true, but false. Getting rid of single quotes is one part of defense in depth. It will stop them from ending a string and putting a new command after it. Sure. But the hacker can encode it to hide it...are you checking for that? It can also be part of a legitimate last name like O'Brien...do you let that through? Like other validation methods, scrubbing out single quotes isn't enough to let you sleep well at night.
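An added example (my code, not the post's) covering the "More SQL Injection Woes" advice plus Q1 and Q5 above: string concatenation, quote stripping, and a parameterized query side by side. The post talks about ADO.NET; this uses Python's sqlite3 module and a constructed in-memory customers table so it runs offline, but the parameter binding principle is the same one SqlCommand parameters give you.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory SQLite table stands in for the real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (last_name, card_last4) VALUES (?, ?)",
                     [("Smith", "1111"), ("O'Brien", "2222"), ("Tanaka", "3333")])
    return conn

def lookup_concatenated(conn, last_name):
    """Vulnerable: the input is pasted into the SQL text, so a quote ends the string
    literal and whatever follows is parsed as SQL (the parsing issue from Q1)."""
    sql = "SELECT last_name FROM customers WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_quote_stripped(conn, last_name):
    """Q5's approach: strip single quotes first. Stops the simplest trick, mangles O'Brien."""
    return lookup_concatenated(conn, last_name.replace("'", ""))

def lookup_parameterized(conn, last_name):
    """Correct: the SQL text is fixed and the value is bound as a parameter, so the
    database never parses the input as part of the command."""
    sql = "SELECT last_name FROM customers WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]

def concatenation_fails(conn, last_name):
    """True when concatenation turns an ordinary input into a SQL syntax error."""
    try:
        lookup_concatenated(conn, last_name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed test input: ends the string, appends a clause
    print("concatenated, O'Brien is a syntax error:", concatenation_fails(conn, "O'Brien"))
    print("concatenated, probe returns:", lookup_concatenated(conn, probe))
    print("quote-stripped, O'Brien finds:", lookup_quote_stripped(conn, "O'Brien"))
    print("parameterized, O'Brien finds:", lookup_parameterized(conn, "O'Brien"))
    print("parameterized, probe finds:", lookup_parameterized(conn, probe))
```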

=======================

Q6. SQLi defense is like chasing a wind: by the time you figure out what to do it shifts and you have to do something else to protect your apps. True or False.

BIG FALSE! Go back to Q1. Make your queries parameterized. Done. It isn't hard. Like I said earlier, don't chase the wind...don't keep up on every hacker trick so you can be prepared for them. Instead know your holes and plug 'em. Analogy -- don't stay on top of what tools people are using to break into houses through windows. Instead, put bars on your windows, lock them, etc. Know what the holes are and plug them, rather than finding out what tools are being used and trying to thwart each of them.

SQL Injection is TOTALLY preventable. And it is YOUR responsibility to code for that. If you didn't get all the above correct, you are not alone. Just dig in more at sites like owasp.org and read up on SQL Injection...read how to do parameterized queries on MSDN...etc. You can do this!

Thursday, August 5, 2010

Quiz #1 - SQLi

OK...it has been a while since I've posted...been busy! One good thing out of this time away is my passing the GSSP-.NET certification earlier this week. Yay me! Honestly, though, if you are a .NET developer for Windows or Web you need to take this exam. 100 questions that cover everything from SQLi (SQL Injection) and other web attacks to how to put appropriate Code Access Security (CAS) on your DLLs and EXEs to how .NET security policies are set up for proper permissions to be granted on your apps.

Since I am in test-taker mode, I decided the best things to post right now are some questions based on what you should know. If you get the questions wrong, don't worry but instead dig in a little and learn why. Find out what the hackers already know!

So, quiz #1 will be on SQLi. Feel free to post your answers and I will let you know what the answers are in a few days or so. I will not post your answers until I have enough there to post them. No fair having some smarty pants get the right answer before you've even read the question, and then you see her/his answer in the comments, right?

Q1. Parameterized queries are 100% effective against SQL Injection. True or False. (Nothing like starting off with a holy war sort of question, huh?)

Q2. If you can't do parameterized queries, then you can do stored procedures in the database. They offer you the same level of protection. True or False. (hee, another holy war sort of question)

Q3. Neither is perfect, but which is better for validation: black-listing or white-listing? (Black-listing is looking for malicious characters/strings and removing them. White-listing is telling the app what you expect and denying everything else.)

Q4. If you thoroughly validate your input then you should be fine. True or False.

Q5. Removing single-quotes from input data is an effective means of preventing SQLi. True or False.

and last one:

Q6. SQLi defense is like chasing a wind: by the time you figure out what to do it shifts and you have to do something else to protect your apps. True or False.

Good luck! I am very interested in your answers! Those that answer all six correctly will win a free round of applause from me.