Lateral SQL injection

Anna Kotulla

Abstract


One of the methods to attack through the web applications with a database in the data layer is the injection of SQL code, which is transferred from the application to the database. A new technique of SQL injection, the lateral SQL injection, is discussed in this paper. This paper describes also the methods to protect again this kind of SQL injection.

Keywords


database; security; SQL injection

Full Text:

PDF (Polski)

References


Anley Ch.: Advanced SQL Injection In SQL Server Applications. An NGSSoftware Insight Security Research (NISR) Publication. Next Generation Security Software Ltd., 2002.

Anley Ch.: (more) Advanced SQL Injection. An NGSSoftware Insight Security Research (NISR) Publication. Next Generation Security Software Ltd., 2002.

Finnigan P.: Lateral SQL Injection needs no database privileges, Pete Finnigan's Oracle security weblog, 2008. http://www.petefinnigan.com/weblog/archives/00001190.htm (sprawdzono 20.01.2009).

Kost S.: An Introduction to SQL Injection Attacks for Oracle Developers. Integrity Corporation. Chicago 2004.

Kotulla A.: Przegląd zagrożeń dla systemów baz danych oraz sposoby ochrony. Konferencja Naukowa Bazy Danych: Aplikacje i Systemy, Wydawnictwa Naukowo-Techniczne, Warszawa 2008.

Kotulla A.: Zaawansowane metody manipulacji kodu SQL. Konferencja Naukowa Bazy Danych: Aplikacje i Systemy, Wydawnictwa Naukowo-Techniczne, Warszawa 2008.

Litchfield D.: Data-mining with SQL Injection and Interference. An NGSSoftware Insight Security Research (NISR) Publication. Next Generation Security Software Ltd., 2005.

Litchfield D., Anley Ch., Haesman J., Grindlay B.: The Database Hacker's Handbook, Defending Database Servers. Wiley Publishing, Inc., Indianapolis 2005.

Litchfield D.: Lateral SQL Injection: A New Class of Vulnerability in Oracle, An NGSSoftware Insight Security Research (NISR) Publication, 2008.

Litchfield D.: 07/18/2008: Lateral SQL Injection Revisited - No Special Privs Required, David Litchfield's Weblog, 2008. URL: http://www.davidlitchfield.com/blog/archives/00000044.htm (sprawdzono 20.01.2009).

Litchfield D.: Dangling Cursor Snarfing: A New Class of Attack in Oracle. An NGSSoftware Insight Security Research (NISR) Publication. Next Generation Security Software Ltd., 2006.

Sharma P.: SQL Injection Techniques & Countermeasures. Department of Information.

Oracle: How to write SQL injection proof PL/SQL, An Oracle White Paper, 2008.

Oracle: Oracle(r) Database PL/SQL Packages and Types Reference 11g Release 1, Part Number B28419-03, URL: http://download.oracle.com/docs/cd/B28359_01/appdev.111/b28419/index.htm (sprawdzono 19.01.2009).




DOI: http://dx.doi.org/10.21936/si2009_v30.n2B.463