Thursday, October 1, 2009

Just trust me!!

Today I was working with my intern. We are using DotNetNuke to run a marketing site so that our product team can go in and tweak some things. We have custom workflow in there, and a requirement that we want to save the results of the workflow into our own table so we can report on it later.

The workflow component has some facilities to do this, so he creates a table and a stored proc, and gives it a shot. He is instantly greeted with a lovely error in the front end: "Invalid Syntax Near xyz".

I tell him that's not good, as it indicates a potential for a Sql injection attack. Fast forward three hours, and he is arguing with me that it's safe, that it can't be injected, and demands I prove to him it can be done.

Not wanting to take the time or effort to figure out the magic sequence, as this isn't something I do every day (contrary to popular belief, I don't sit around trying to hack), I tell him to trust me: parsing errors are easy to inject into. He doesn't buy it, and I can see he is going to be stubborn until I prove him wrong.

Fast forward ten minutes, and I found that injecting with this forms component was as simple as entering a string like the following for the last field:

injectComing' select * from aspnet_users--

Watching with Profiler, we quickly saw three key events. First was a Batch Starting event which looked something like this:

exec myProc '','','','injectComing' select*from aspnet_users--';

Second was a SQL Stmt Starting event:

exec myProc '','','','injectComing'

Third was another SQL Stmt Starting event:

select*from aspnet_users--';
Needless to say, now he is working on a custom module so we can execute the Sql as a parameterized query and avoid all this ass ache. Moral of the story? While you shouldn't always trust everyone, you should trust your boss who has 10 more years of experience. And if you don't, you try and prove him wrong; don't demand that your boss prove himself.
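As an added illustration (not code from this post, from DotNetNuke, or from the forms component), here is the shape of string concatenation that produces a batch like the one Profiler showed, beside the parameterized stored-procedure call a custom module would use instead. The procedure name myProc and the hostile string come from the post; the parameter names, their lengths and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class WorkflowResults
{
    // Vulnerable shape: each field value is wrapped in quotes and glued into
    // one T-SQL batch. A value containing a quote closes the literal early,
    // so whatever follows is parsed as a second statement and "--" comments
    // out the trailing quote, which is exactly what Profiler showed.
    public static string BuildBatchUnsafe(string proc, params string[] values)
    {
        return "exec " + proc + " '" + string.Join("','", values) + "';";
    }

    // Safe: the procedure is invoked by name with typed parameters, so the
    // server receives the four values as data and never parses them as T-SQL.
    // Parameter names and sizes are assumptions, not from the post.
    public static int SaveResult(string connectionString,
                                 string field1, string field2,
                                 string field3, string field4)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("myProc", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Field1", SqlDbType.NVarChar, 200).Value = field1;
            cmd.Parameters.Add("@Field2", SqlDbType.NVarChar, 200).Value = field2;
            cmd.Parameters.Add("@Field3", SqlDbType.NVarChar, 200).Value = field3;
            cmd.Parameters.Add("@Field4", SqlDbType.NVarChar, 200).Value = field4;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed input: the last-field value from the post.
        string hostile = "injectComing' select * from aspnet_users--";
        // Shows the multi-statement batch the unsafe builder hands to SQL Server.
        Console.WriteLine(BuildBatchUnsafe("myProc", "", "", "", hostile));
        // With parameters the same string is stored verbatim as one value.
        // Needs a real connection string (assumed), so it is left commented out:
        // SaveResult("<connection string>", "", "", "", hostile);
    }
}
```

Running the unsafe builder against the profiler trace in the post is a quick way to confirm a component is concatenating rather than parameterizing: the Batch Starting event will contain the raw field text instead of an sp_executesql call with parameters.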
Gahh Interns!

1 comment:

Amrinder said...

LoL. Excellent point. I have a very similar problem sometimes (though I work on the Java side of things). Interns are sometimes fun, and sometimes funny to work with.

Next time someone asks me to show SQL injection vulnerability, I will just refer him to your blog. (Maybe they won't trust that it applies to Java too, which is a much "safer" language ;-) ).