Brad Sarsfield here again. I’d like to share with you my thoughts on David Litchfield’s BlueHatv3 talk. David Litchfield is the Chief Research Scientist at Next Generation Security Software (NGS) and spoke to a 600+ standing room only crowd at Bluehat 3 on March 9th. David took us through his thoughts on the current state of the database security world and talked about his current areas and focus of his research.
David did not discuss specific database vulnerabilities but rather showed the concepts behind subverting the database application logic to attack the database. David talked about SQL injection inside the database and also second order SQL injection inside the database; whereby you store data in the database and at a later time it gets used in a place vulnerable to SQL injection.
David talked through the possible dangers of having system stored procedures and triggers that could be vulnerable to SQL injection. Since triggers execute under the permissions of the owner; if one can find a trigger that is vulnerable to SQL injection the permission boundaries can be crossed and it be used to gain escalation of privileges inside the database.
If you have access to the database and if you have a SQL injection vulnerability in a stored procedure or trigger that runs outside of your permission boundary a malicious user could use the vulnerable SP’s to grant themselves privileges that they are not supposed to have.
A the end of the day
1) Tools are not enough. Your database and application design need to have clear forethought. Tools are a good start but don’t rely on them to catch all of your mistakes. (That's exactly what our own security experts have been telling us)
2) Triggers can be dangerous. Think about how you use them carefully.
3) Even low risk issues should be respected
If you’re interested in David Litchfield’s work I would highly suggest a book that he co-authored titled “The Database Hacker's Handbook: Defending Database Servers” (ISBN: 0764578014)