SQL Injection Attacks and Defense - 2009

Summary
Reviewing Code for SQL Injection • Chapter 3 133
In this chapter, you learned how to review source code using manual static code analysis
techniques to identify taint-style vulnerabilities. You will need to practice the techniques
and methods you learned before you become proficient in the art of code auditing; however,
these skills will help you better understand how SQL injection vulnerabilities are still a
common occurrence in code some 10 years after they were brought to the attention of the
public. The tools, utilities, and products we discussed should help you put together an
effective toolbox for scrutinizing source code, not only for SQL injection vulnerabilities but
also for other common coding errors that can lead to exploitable vectors.
To help you practice your skills, try testing them against publicly available vulnerable
applications that have exploitable published security vulnerabilities, such as WebGoat.
This deliberately insecure J2EE Web application maintained by the Open Web Application
Security Project (OWASP) is designed to teach Web application security lessons; you can
download it from www.owasp.org/index.php/Category:OWASP_WebGoat_Project.
In addition, you can try Hacme Bank, which simulates a real-world Web services-enabled
online banking application built with a number of known and common vulnerabilities;
you can download Hacme Bank from www.foundstone.com/us/resources/termsofuse.
asp?file=hacmebank2_source.zip. You can also try obtaining vulnerable versions of Free
and Open Source Software (FOSS); the Damn Vulnerable Linux Live CD contains an ample
set of these, and you can download the CD from www.damnvulnerablelinux.org.
Try as many of the automated tools listed in this chapter as you can until you find a tool
that works for you. Don’t be afraid to get in touch with the developers and provide them
constructive feedback with regard to how you think the tools could be improved, or to
highlight a condition that reduces its effectiveness. I have found them to be receptive and
committed to improving their tools. Happy hunting!
Solutions Fast Track
Reviewing Source Code for SQL Injection
˛˛ There are two main methods of analyzing source code for vulnerabilities: static
code analysis and dynamic code analysis. Static code analysis, in the context of Web
application security, is the process of analyzing source code without actually executing
the code. Dynamic code analysis is the analysis of code performed at runtime.
˛˛ Tainted data is data that has been received from an untrusted source (sink source),
whether it is a Web form, cookie, or input parameter. Tainted data can potentially
cause security problems at vulnerable points in a program (sinks). A sink is a
security-sensitive function (e.g., a function that executes SQL statements).