[Web4lib] Web application security software

Richard Cox RLCOX rlcox at uncg.edu
Tue May 8 15:14:18 EDT 2007


> Unlike scripted hacking, SQL injection attacks are usually a hands on
> activity.

This is untrue.  A black hat could use the Google API in order to search 
for web sites with a potential vulnerability. From there, they have a list 
of potential targets and can further explore, both manually and, to an 
extent, in an automated fashion. 

Here's a sobering example:
http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx

A few important steps you can take to prevent SQL Injection attacks:

1) Don't build dynamic SQL Statements without specifying the type of value 
you're expecting -- string, integer, or date for example.  Validate type, 
length, format, etc.
2) Never store sensitive data in clear-text within a database.  Encrypt 
sensitive information and hash passwords.
3) Lock down your database to only grant the web application accessing it 
the minimal set of permissions that it needs to function. If it is 
read-only then make sure you disable insert/update/delete access. 
4) Hide DB error messages when possible.  The less known the better.
5) Use regular expressions in order to check user input, be it forms, 
querystrings, cookies, etc.
 
Richard
Digital Technology Consultant
Electronic Resources & Information Technology
University Libraries, UNC Greensboro
http://library.uncg.edu/
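Steps 1, 4 and 5 of the list above, worked through in code. This is an added example, not code from the post or from UNCG; it assumes a constructed SQLite catalogue table and an item-id lookup that a library web page might expose, with the unsafe string-built query shown beside its hardened form.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory catalogue so the example runs offline (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, restricted INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, "Public catalog record", 0), (2, "Staff-only record", 1)])
    db.commit()
    return db

def lookup_unsafe(db, raw_id):
    """Step 1 violated: the request value is pasted into the statement, no type check.
    Anything that is not a plain integer changes the meaning of the WHERE clause."""
    sql = "SELECT title FROM items WHERE id = " + str(raw_id) + " AND restricted = 0"
    return sorted(row[0] for row in db.execute(sql))

# Step 5: a whitelist regex describing the only shape an item id may have.
ID_RE = re.compile(r"^[0-9]{1,9}$")

def lookup_safe(db, raw_id):
    """Steps 1 and 5: validate type, length and format, then bind the value as a
    parameter so the database never interprets it as SQL."""
    if not ID_RE.match(str(raw_id)):
        raise ValueError("item id must be 1-9 digits")
    item_id = int(raw_id)
    rows = db.execute("SELECT title FROM items WHERE id = ? AND restricted = 0", (item_id,))
    return sorted(row[0] for row in rows)

def lookup_for_web(db, raw_id):
    """Step 4: the browser gets a generic message; the real error text stays server-side."""
    try:
        return {"ok": True, "titles": lookup_safe(db, raw_id)}
    except (ValueError, sqlite3.Error):
        # In a real application, log the exception detail here, not in the response.
        return {"ok": False, "message": "Invalid request"}

if __name__ == "__main__":
    db = make_db()
    # The unsafe lookup lets a non-integer value defeat the "restricted = 0" filter.
    print(lookup_unsafe(db, "2 OR 1=1"))
    print(lookup_safe(db, "1"))
    print(lookup_for_web(db, "2 OR 1=1"))
```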
