http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=t...

http://pastebin.com/BayvYdcP

http://news.ycombinator.com/item?id=2377013

Shameless self plug: Netsparker ( My startup: http://www.netsparker.com/ ) could have identified both of these vulnerabilities.

How is it different? I watched the demo video and couldn't really tell.

Metasploit is an exploitation framework. There's different versions available (community, pro etc.). The community version has a web app scanner and is reasonably ok, but it tends to be caught by intrusion detection systems fairly easily and it's payloads often don't clean up properly. It's better suited to infrastructure exploitation, but can be used in a web app context.

Canvas[1] has some limited web app scanning capability but has more of a core focus on infrastructure exploitation.

Burp Suite Pro[2] is a framework for testing web applications. It's probably the best tool out there for testing web apps (if you know what you're doing). It's also ludicrously cheap and there is a free version for non-commercial use. It comes with a fairly comprehensive web app scanner.

NetSparker is a web application scanner. From what I can tell it's mainly competing with things like Accunetix. It has some features that are similar to Metasploit Pro but focuses primarily on the application layer. It sits more between Burp Suite Pro and Canvas for my purposes. You can download an eval from http://www.mavitunasecurity.com/ or the community edition.

[1] http://www.immunityinc.com

[2] http://www.portswigger.net

Netsparker is solely focused on web application security (detection & exploitation). For example Netsparker can crawl AJAX/Javascript apps, support form authentication etc. Metasploit on the other hand possibly will never do that kind of stuff.

Do we need to get into a detailed discussion of why I think the plug for your scanner is inappropriate for this thread? Or can we just let it suffice to say that HN isn't a great place to promote products on random threads?

I don't get the big fuss.

If it was a story about Bingo Cards, and patio11 plugged bcc.com I am pretty sure you wouldn't be all worked up about this.

Let's just calm it down a notch and not try to be kingmaker's here.

If the community found the plug abhorrent, they would downvote it. He would get the point.

Although, to be quite honest, now you have given his product even more promotion and visibility so it's a net positive for him - not sure it's the result you wanted in the first place.

And given that I would likely do something similar, kudos to him for every extra dollar he has earned from your rant.

We have a good relationship with Rapid7 guys, they even has a module to import Netsparker results into Metasploit and we keep getting synced with them in new updates.

> Or can we just let it suffice to say that HN isn't a great place to promote products on random threads?

Personally I love seeing other HNers to send their relative products, projects, startups, commercial ideas, job ads in HN threads, I don't think there is anything wrong with that. You might think otherwise, that's why there is one upvote and one downvote button.

I have no position on whether he should mention his product in a news thread about SQLI, but he was responding directly to bjg, who said:

That product looks awfully similar to Metasploit ( http://www.metasploit.com/ ) , no?

How is it different?

So, his "comparison" was just responding to someone saying "Hos is it different?", literally.

Ferruh was simply responding to a direct question about how it was different. Sure, he's the author but a) he was asked. b) he's probably best suited.

Ferruh isn't running a matasano scale operation, he's doing it on his own, peldi style.

It's not inappropriate for him to discuss his product, nor to answer questions on it - this is a startup community after all. At what point did you become the HN comment police?

[1] http://www.dc4420.org

But, more to the point, how annoying would it be if every time I responded to a comment on HN, I added "this is one of the many things we take care of it you get us to review your applications"?

When threads are about products, I think it's fine --- helpful, even! --- to point out competing offerings and alternatives. But on news stories, let's just keep the commercial offerings off the threads.

If you don't like it, downvote it...but given that it has been upvoted some 15 times as of this writing, I think the community agrees that it provides some value.

Wow...talk about having a vested interest.

This is so unfortunate because now I have to double check grievances on HN to see who has a vested interests - which degrades the integrity of the community.

For someone with such high karma...this is so disappointing.

For what it's worth, I often disagree with tptacek and while I lack the HN celebrity status, I don't really care because in the real world he's just another guy on the other side of the world arguing on the Internet. I do think that he's not motivated by commercial greed in his commentary though, and on the whole his comments (while I've never met him personally) display a good level of honesty, integrity and community spirit.

Unfortunately in this case he's gone after someone who in my experience is the epitome of what HN should be encouraging - a guy in an industry, who's set up on his own, who has written and sells a product more or less solo that helps address the specific problem being discussed. If this was bingo cards noone would give patio11 any grief for talking about BCC. What's worse is that tptacek's company is several orders of magnitude bigger than Ferruh's and his services directly compete, but I don't think tptacek was thinking of this at the time of his post, and certainly not looking for any commercial advantage.

We are talking about the guy with the most karma points on HN - so he knows the culture - and we are talking about (presumably) someone that owns & runs his own company. So at the very least, ignoring that this guy is his competitor, given that he is the highest ranking member on HN (karma-wise aside from PG), he should be applauding someone that has taken the road he travelled earlier and built his wonderful firm that he is running today.

Yet he tears him a part, not on one instance - i.e. in a reply to one comment, but if you look through the thread there are MANY comments when he jumps on the guys back.

It's totally and completely unacceptable, for any HN member to deal with any non-trolling HN member like that. Regardless of karma points.

What makes it worse is that he has a vested interest. So the only rational excuse is that 2 + 2 = 4.

Why else would he betray the ethos & spirit of HN so blatantly ? Let the truth be told, it could very well be just that he was having a bad day or whatever it is - but given that this is a story closely related to his main bread and butter you would think that he would be extra cautious.

What he has done here, is the equivalent of PG ripping apart a plug by someone from TechStars or any of the other incubators (e.g. the program in Chile that I see pop-up here from time to time, or the one in Ireland or the UK most recently) when they come here to post a 'shameless plug'.

That would be very irresponsible for PG to do.

As I said, if it were someone else that was new to the community I could let it slide...but not for someone that is CLEARLY the most karma'd person here.

I think it is fair to say that Matasano is well known on HN - based on your valuable contributions to the community.

That is also why it was so disappointing to me - who has watched you add value to the community over the years - to see how you handled a seemingly 'innocuous' plug.

The modus operandi for dealing with those things is downvote and maybe one comment. But you not only likely downvoted but made MANY comments. Constantly attacking the guy.

It was clear that there was something else below the surface. I just didn't know what. I thought that perhaps you guys might have had beef or perhaps the OP might have been a known troll or something, but nothing in his history would indicate that he was trolling. He seemed to be legit.

So it was only when I looked at your profile that I was reminded of your affiliation with his competitor that it jumped out at me.

It was as if Bill Gates was here criticizing someone else for plugging their own OS - because it was 'inappropriate', when it was fully appropriate.

So I apologize if my calling it out offended you, but your conduct offended me and the sensibilities of this community.

I would be doing as much disservice to the community, if I sat on the sidelines and didn't say anything.

http://www.owasp.org/index.php/Blind_SQL_Injection

(I'm aware this may make impossible to use some web frameworks which rely on rdbms reflection, but I have the feeling this is not the case)

So yeah, it's the fault of the developers but it's also the fault of the people who aggressively marketed and evangelized MySQL and helped create the ditch they're just now digging themselves out of. It's a bit like the VB/Access culture Microsoft promoted back in the day, which generated some of the most hideous corporate apps I've ever seen. Yes, some developers are bad, but the company or group doing the evangelizing/marketing also needs to share some responsibility.

  BlogComment.find(:all, :conditions => ['email = ?', 'foo@bar.com'])

If you think stored procedures protect you against SQL injection, consider the following code snippet:

  sql_exec("CALL InsertBlogComment('" + get_parameter("text") + "')")

This means that every protocol client must implement their own query escaping, rather than relying on the database to provide a single, normative implementation of escaping.

> For example Ruby on Rails's ActiveRecord provides an API that looks a lot like it uses parameterization under the hood:

ActiveRecord's use of the non-parameterized APIs has led to a number of escaping/injection issues in the past eg, (http://www.ruby-forum.com/topic/152058, http://gsa.ca.com/vulninfo/vuln.aspx?id=36929, etc).

> If you think stored procedures protect you against SQL injection, consider the following code snippet ...

I believe the original poster was referring to the use of stored procedures as a mechanism for preventing or discouraging unintended direct modification of the database by applications, rather than SQL injection, specifically.

The examples you've provided of Rails SQLI issues are bad ones:

* The first is a discussion of SQLI in an interface designed to accept raw SQL; it's the ActiveRecord "back door" interface.

* The second is a discussion of SQLI in a context where parameterized queries don't work anyways (the MySQL protocol doesn't accept LIMIT and OFFSET arguments as anything but integer constants); it is also the simplest of the class of SQLI concern areas (you can solve it by blindly calling #to_i on your inputs), which also includes table names, sort orders, and column references.

The database is the normative reference on what is and is not a special cased character and how escaping should be implemented. I don't think it's reasonable to assert that escaping is a concern that should be adopted by every framework that might ever talk to a database.

The examples you've provided of Rails SQLI issues are bad ones

I'm sure you could supply some better examples since your focus is in security, and there are a vast number of issues that have arisen in ActiveRecord's escaping (especially in early versions of Rails). These are merely what I quickly found while Googling.

The first is a discussion of SQLI in an interface designed to accept raw SQL; it's the ActiveRecord "back door" interface.

It's also an interface that was repeatedly and unintentionally used by Rails users to insert unescaped queries in a way that did not immediately appear incorrect, as evidenced by the preponderance of questions on the subject.

The second is a discussion of SQLI in a context where parameterized queries don't work anyways (the MySQL protocol doesn't accept LIMIT and OFFSET arguments as anything but integer constants); it is also the simplest of the class of SQLI concern areas (you can solve it by blindly calling #to_i on your inputs), which also includes table names, sort orders, and column references.

Given that this conversation is occurring in the context of discussing how MySQL's design has led to exactly these types of errors, I think this is an applicable example.

I don't know how to respond to any of these points.

The discussion at hand is, "who's job is it to defend against SQLI, the database, the framework, or the application?".

Of those three components, the database is least well equipped to defend against SQLI. SQLI is "avenue for attacker to submit queries to a database contrary to the intentions of the application". The database's simple job is to accept and execute queries.

The last time I researched this, I started here:

http://www.google.com/search?sourceid=chrome&ie=UTF-8...

... would up and sources like this:

http://lists.rubyonrails.org/pipermail/rails/2004-December/0...

... and spent a good hour reading the Rails source code. My take away was that, historically, a lack of care coupled with a lack of use of the parameterized APIs left the door open to repeated failures in the implementation to protect against SQL injection.

Things have improved in Rails, but as a historical example of the pitfalls of ignoring/eschewing parameterized query APIs, I believe it to be quite valid.

The discussion at hand is, "who's job is it to defend against SQLI, the database, the framework, or the application?". Of those three components, the database is least well equipped to defend against SQLI. SQLI is "avenue for attacker to submit queries to a database contrary to the intentions of the application". The database's simple job is to accept and execute queries.

No, you're reframing the discussion. The original poster commented on MySQL's longtime begrudging support for parameterized queries (or lack thereof) as one of the major causes of the prevalence of SQL injection issues.

It seems clear to me that the database -- as the central implementation responsible for parsing queries -- is the best equipped to provide safe, correct string interpolation of those queries.

- In the first, the API design itself made it non-obvious/easy to directly concatenate strings while -- at a glance -- appearing to be correct.

- In the second, the API's implementation resulted in SQL injection because :limit and :offset arguments were not correctly escaped.

- In the third, the API's documentation and recommended usage (in 2004) encouraged users to use constructs that appeared to provide defense against SQL injection, but in reality, did not.

Sure, but it is unreasonable to assert that SQLI defense is not also a database issue.

Using the provided apis in a way that prevents SQLI is a framework concern. Providing apis that make that possible without re-implementing basic things like escaping is a database concern, otherwise you're just asking people to re-solve the same problems so they each get a chance to screw it up.

The SQL Injection vulnerability is, "user coerces application into submitting an unexpected and unauthorized query".

Blaming the database for that is like blaming the filesystem for pathname injection vulnerabilities.

It could, after all, send a Unix signal to a calling process when a filename contained "..", and demand that the process re-assert it's desire to really reference a different directory.

We may be spiraling here. Parameterized queries are a good thing. I'm glad MySQL has them. I'm not, however, going to wag a finger at MySQL every time someone finds an SQLI vulnerability in an app that uses MySQL, just because 6-7 years ago they didn't have parameterized queries. For one thing, it's not a useful comment (do you want them to implement parameterized queries... again?); for another, it's not particularly valid architectural point; and finally, it's really boring.

I guess part of it is that I'm just done watching various problems with MySQL (transaction support, parameterized queries, subqueries, bizarro query optimization) be given a pass as "not quite MySQL's problem". Maybe I'm just taking that out on this thread.

"You can solve it by blindly calling #h on your outputs"

Ouch. We know that scheme doesn't work too well: it's why we had #h and we now have #html_safe...

In case we're misunderstanding each other, I'm also saying that the framework should be doing that, not the caller (as was the case with h()).

MySQL is a crucial part of its own community. You cannot hold the community responsible for this situation while giving MySQL a pass.

I have. Usually from people with no idea what they're talking about, maybe one of us has been (un)lucky in our experience. Hopefully it's me.

> Their use in modern web apps is an industry best practice widely adopted across all the Internet apps Matasano gets to test.

That's great! How long has it been true, though? When I first learned PHP (2003), this was not mentioned. Maybe it existed, either in MySQL directly or as an api method, but it certainly wasn't widely advertised. Maybe looking all the way back to 2003 is stepping outside the scope of "modern" here, but I still occasionally get to deal with problems created back then.

> Your reaction here sounds hyperbolic, and the parent commenter is right: parameterized queries, while helpful, are neither required nor sufficient for defense against SQLI.

I'm sure it does, considering the differences in our experience of the situation.

Also, my point was not that parameterized queries are the end of SQLI defense or required for it. Just that you can't give MySQL as a company a pass on a situation they helped create. Parameterized queries are a very simple and common first step in learning to deal with SQL injection. Not implementing them for so long did not help the situation in this respect.

As for them being required -- you can obviously escape queries yourself, but the normative reference for escaping is the target database itself, and reproducing escaping locally in the client brings with it the likelihood of introducing an error in the custom implementation.

It is a bad idea for applications to implement quoting regimes, and it is a bad idea for frameworks to try to create one-size-fits-all quoting regimes like PHP used to. That doesn't mean it's a bad idea for a framework's e.g. MySQL support to provide the capability of sanitizing MySQL inputs under a common database API.

I'll resist the pot/kettle/colour connection here about plugging your own stuff on HN in a web app security thread. Agh, too late.

On a more serious note, if all the Internet apps Matasano test are using parameterized queries then:

a) Matasano never tests a MySQL-based app

AND

i) Matasano does very little web app testing these days

OR

ii) You're not quite telling us the truth

Seriously, parameterized queries while being a best practice so to speak are not a one size fits all solution and is not something implemented by everyone. The amount of shonky development practices we come across at my unnamed and unplugged company far outweighs the instances of the security aware, certainly on the first, second and sometimes third time round.

Today I'm testing a wordpress-based web app. A beer says that it's not using parameterized queries.

What?! Parameterized queries (in any competent implementation) ARE, in fact, injection protection mechanisms. Escaping != Parameterization.

Ruby on Rails is a poor example to use here - it's a trendy web language that (judging by your comment) does not use proper database practices.

Properly implemented parameterized queries offer protection against SQL injection because they seperate data from instruction - none of the data points in a query are executed, ever.

Gluing SQL instruction strings together with data from users is incredibly stupid and you should never, ever do that.

Use a framework that supports proper parameterized queries.

Given a properly parameterized query, where none of the parameters are ever evaluated, how do any user inputs remain unseperated from query structure?

One other thing - extensions like LIMIT can be parameterized also (shameless plug: our product ElevateDB can do it with its RANGE clause). It's a nice way of getting rid of this type of issue, and allows for easier pagination without having to force the database engine to constantly re-prepare the same query over and over again.

Parametrized queries help resolve the most common kinds of SQL injection, all the "yes but..." argue that it's not a blanket instrument that instantly should make you feel safe and no longer think about security/robustness. That's also true. Such a thing doesn't exist anyway.

Aside from implementing bound parameters (which is useful for more than just preventing sql injection), we usually recommend using stored procedures if at all possible.

It's really suboptimal to rely on the user to specify what table they're accessing.

Think of it as the difference between the language keeping loaded footguns under its pillow with the safety off and keeping unloaded footguns in a locked gun safe. One is a lot less likely to get used than the other, even if either one will shoot your foot just as well.

Last week I had to rewrite an import script to use mysql_query(), with mysql_real_escape_string() and quotes for every query variable.

One wonders what internal neglect MySQL is suffering behind the corporate veil.

The guys that write the actual database have nothing to with the web team. They didn't in MySQL days, they don't now.

Edit: It seems there are ways to work around server-side SQL parsing: http://www.xarg.org/2011/01/is-it-possible-to-avoid-query-pa...

I was thinking more about why it is allowed at all to send text-like SQL queries to a server. A binary protocol would both be simpler to handle and would have saved us from a lot of trouble.

Edit: If all client-side libs (for PHP, Python, etc.) would just use those [prepared statements](http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statem...), it would be like what I mean.

Edit: Ah, I was wrong (as I hoped): For Python: https://launchpad.net/oursql

Of course that does not help if you construct the entire query string as text before sending it to the server, which is how SQL injection most commonly happens.

Prepared statements should afford you a clean conscience because the values never make up part of the SQL query .. unless you are using a library that emulates it, and there are libraries out there that do, so don't assume anything.

"because not every input to every query can be bound as a variable" Can you give me an example?

"Some operations do require dynamic query construction." what does that have to do with prepared queries?

var sql = "select * from User where UserType=@ut order by ModificationDate " + sort_order;

In this case, if sort_order directly comes from a 'asc'/'desc' radio button then you have an injection attack.

The correct way to do it would be:

var sql = "select * from User where UserType=@ut order by ModificationDate " + (sort_order=="asc"?"asc":"desc");

The point was that there are some parts of sql that can't be parameterized like sort order or limits on the resultant recordset. Although, ideally support for those things should be coming from your database vendor (if it isn't already there).

For example, SqlServer supports using variables in top expressions: select top(@max) * from ....

Recommended exercise: implement the MySQL wire protocol. It took me a couple hours a few years ago. It's not hard. Do it, come back, and then see if you still think the same things about SQLI defenses.

    Select(args=["name", "id"], from="students")

But in case someone really wants to keep the language, you could still do the parsing inside of the lib and thus for example disallow multiple commands in one statement and then only send some binary representation to the server (mostly like Prepared Statements in MySQL). Whereby I think that this step is obsolete and would in any way produce further problems.

Btw., this is not exactly like NoSQL what I am talking about here.

But the implementation of it is actually again the error-prone and slow way to generate a SQL-statement from that, then send that to MySQL and MySQL parses it back to get the original structure.

I actually want to complete avoid that step to generate an SQL statement.

1. It would be much cheaper and faster. Right now, you are: constructing a string first, doing some escaping, then sending this more bloated pure-text query to the server, then parse the SQL language, unescape, convert back into some machine representation. I.e.

a) Most of this extra handling (escaping, string-conversions, parsing) would go away. b) Less data need to be send around.

2. It would actually make SQL injections impossible and thus solve all these problems.

It's not pointless to discuss how query languages can be made simpler to parse and thus less susceptible to injection, but the technique isn't foolproof and is (obviously) expensive; meanwhile, the proper defense against SQLI (being mindful about query inputs, and using the framework to abstract and normalize dynamic queries) is available today and works well.

Maybe we misunderstood a bit. For example, take a look at the [new Redis 2.0 protocol](http://redis.io/topics/protocol). In this protocol, injections are simply impossible. This may not be the best example because you don't really have more complicated queries but you could just do the same for tree-like structures.

Can you say when/where I could read about that?

https://github.com/ahiguti/HandlerSocket-Plugin-for-MySQL

SQL is text. Also no one is sending a query to the server. It's a value that is embedded into the SQL query that circumvents it.

So they unnecessarily had a lot of people's username/passwords for absolutely no good reason.

I hate sites that require logins. Though apparently this one had a way around it, lots don't, and many of them are already in bugmenot. If not, add a mailinator-based account for others :)

But I agree. Most of the time, I prefer PostgreSQL.

I wonder if the timing on this has anything to do with Oracle's continued dismantling of the useful parts of the MySQL website.