Simon Willison’s Weblog

Subscribe
Atom feed for sql-injection

6 items tagged “sql-injection”

2024

SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level (via) PDF slides from a presentation by Paul Gerste at DEF CON 32. It turns out some databases have vulnerabilities in their binary protocols that can be exploited by carefully crafted SQL queries.

Paul demonstrates an attack against PostgreSQL (which works in some but not all of the PostgreSQL client libraries) which uses a message size overflow, by embedding a string longer than 4GB (2**32 bytes) which overflows the maximum length of a string in the underlying protocol and writes data to the subsequent value. He then shows a similar attack against MongoDB.

The current way to protect against these attacks is to ensure a size limit on incoming requests. This can be more difficult than you may expect - Paul points out that alternative paths such as WebSockets might bypass limits that are in place for regular HTTP requests, plus some servers may apply limits before decompression, allowing an attacker to send a compressed payload that is larger than the configured limit.

How Web Apps Handle Large Payloads. Potential bypasses: - Unprotected endpoints - Compression - WebSockets (highlighted) - Alternate body types - Incrementation.  Next to WebSockets:  - Compression support - Large message size - Many filters don't apply

# 12th August 2024, 3:36 pm / postgresql, sql-injection, security, mongodb, websockets, http

2022

Prompt injection attacks against GPT-3

Visit Prompt injection attacks against GPT-3

Riley Goodside, yesterday:

[... 1,457 words]

2012

What are the best practices to avoid XSS and SQL Injections attacks (platform agnostic)?

Input validation is, in my opinion, a red herring. Sure—if you ask the user for an integer or date you should make sure they entered one before attempting to save it anywhere or use it for processing, but injection attacks often involve text fields (e.g. names, or comments posted on Quora) and validating those on input is a recipe for banning “Tim O’Reilly” from ever creating a proper profile on your site!

[... 316 words]

2009

For those who haven't heard the story the details were pulled from a Christian dating site db.singles.org which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person's profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

rossriley on Hacker News

# 23rd August 2009, 10:10 am / security, sql-injection, passwords

2008

How one site dealt with SQL injection attack (via) Horrifying story of developer incompetence from Autoweb: “The contractor had no idea how to find and fix the Web page vulnerability that allowed the SQL injection attack code to execute successfully.”

# 2nd May 2008, 9:01 pm / sql-injection, security, incompetence, autoweb

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised.

# 26th April 2008, 9:12 am / iis, massattack, security, sql-injection, xss, sqlserver, sql