{"id":532,"date":"2009-06-30T08:34:00","date_gmt":"2009-06-30T08:34:00","guid":{"rendered":"\/blogs\/kimberly\/post\/Looking-for-security-vulnerabilities-in-database-code.aspx"},"modified":"2013-01-11T23:11:05","modified_gmt":"2013-01-12T07:11:05","slug":"looking-for-security-vulnerabilities-in-database-code","status":"publish","type":"post","link":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/looking-for-security-vulnerabilities-in-database-code\/","title":{"rendered":"Looking for security vulnerabilities in database code"},"content":{"rendered":"<p>\nI&#39;ve always been concerned with security and I&#39;ve always stressed the importance of auditing the REAL user context not just the current user (see <a href=\"https:\/\/www.sqlskills.com\/blogs\/kimberly\/execute-as-and-an-important-update-your-ddl-triggers-for-auditing-or-prevention\/\" target=\"_blank\">this post<\/a> on EXECUTE AS and auditing). So, I generally try to avoid using dynamic string execution and if necessary create well tested\/protected parameters (fyi &#8211; using QUOTENAME can be a fantasic solution to protectng identifiers as input parameters but it can&#39;t protect more complex strings).\n<\/p>\n<p>\nHaving said that, what if I&#39;m looking at a database for the first time&#8230; just poking around trying to see if there&#39;s anything that needs further attention? I&#39;ve come up with a quick query&#8230; And, while it&#39;s not going to &quot;solve&quot; your problem (as that&#39;s going to take some re-writing of code) or even <em>truly <\/em>verify if you&#39;re vulnerable, it gives you a &quot;quick list&quot;&nbsp;of where you should look first! If&nbsp;your code uses dynamic strings AND it&#39;s elevated &#8211; then&nbsp;start there!&nbsp;\n<\/p>\n<p><font size=\"5\" color=\"#0000ff\"><font size=\"5\" color=\"#0000ff\"><\/p>\n<blockquote>\n<p>\n\tSELECT <font color=\"#ff00ff\"><font color=\"#ff00ff\">OBJECT_NAME<font color=\"#808080\"><font color=\"#808080\">(<font color=\"#ff00ff\"><font color=\"#ff00ff\">object_id<font color=\"#808080\"><font color=\"#808080\">) <font color=\"#0000ff\"><font color=\"#0000ff\">AS [Procedure Name]<font color=\"#808080\"><font size=\"2\" color=\"#808080\">,<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp; CASE<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp;&nbsp;&nbsp; &nbsp; WHEN sm<font color=\"#808080\"><font color=\"#808080\">.<font color=\"#0000ff\"><font color=\"#0000ff\">definition <font color=\"#808080\"><font color=\"#808080\">LIKE <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;%EXEC (%&#39; <font color=\"#808080\"><font color=\"#808080\">OR sm<font color=\"#808080\"><font color=\"#808080\">.<font color=\"#0000ff\"><font color=\"#0000ff\">definition <font color=\"#808080\"><font color=\"#808080\">LIKE <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;%EXEC(%&#39; <font color=\"#0000ff\"><font color=\"#0000ff\">THEN <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;WARNING: code contains EXEC&#39;<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHEN sm<font color=\"#808080\"><font color=\"#808080\">.<font color=\"#0000ff\"><font color=\"#0000ff\">definition <font color=\"#808080\"><font color=\"#808080\">LIKE <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;%EXECUTE (%&#39; <font color=\"#808080\"><font color=\"#808080\">OR sm<font color=\"#808080\"><font color=\"#808080\">.<font color=\"#0000ff\"><font color=\"#0000ff\">definition <font color=\"#808080\"><font color=\"#808080\">LIKE <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;%EXECUTE(%&#39; <font color=\"#0000ff\"><font color=\"#0000ff\">THEN <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;WARNING: code contains EXECUTE&#39;<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp; END <font color=\"#0000ff\"><font color=\"#0000ff\">AS [Dynamic Strings]<font color=\"#808080\"><font size=\"2\" color=\"#808080\">,<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp; CASE<br \/>\n\t&nbsp;&nbsp;&nbsp; &nbsp; <font color=\"#0000ff\"><font color=\"#0000ff\">WHEN execute_as_principal_id <font color=\"#808080\"><font color=\"#808080\">IS <font color=\"#808080\"><font color=\"#808080\">NOT <font color=\"#808080\"><font color=\"#808080\">NULL <font color=\"#0000ff\"><font color=\"#0000ff\">THEN <font color=\"#ff0000\"><font color=\"#ff0000\">N&#39;WARNING: EXECUTE AS &#39; <font color=\"#808080\"><font color=\"#808080\">+ <font color=\"#ff00ff\"><font color=\"#ff00ff\">user_name<font color=\"#808080\"><font color=\"#808080\">(execute_as_principal_id<font color=\"#808080\"><font color=\"#808080\">)<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ELSE <font color=\"#ff0000\"><font color=\"#ff0000\">&#39;Code to run as caller &#8211; check connection context&#39;<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">&nbsp; END <font color=\"#0000ff\"><font color=\"#0000ff\">AS [Execution Context Status]<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">FROM <font color=\"#008000\"><font color=\"#008000\">sys<font color=\"#808080\"><font color=\"#808080\">.<font color=\"#008000\"><font color=\"#008000\">sql_modules <font color=\"#0000ff\"><font color=\"#0000ff\">AS sm<br \/>\n\t<font color=\"#0000ff\"><font color=\"#0000ff\">ORDER <font color=\"#0000ff\"><font color=\"#0000ff\">BY [Procedure Name]\n\t<\/p>\n<\/blockquote>\n<p>\nIs this enough? Anything else you&#39;d check? What do you think?\n<\/p>\n<p>\nTHANKS!<br \/>\nkt<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#39;ve always been concerned with security and I&#39;ve always stressed the importance of auditing the REAL user context not just the current user (see this post on EXECUTE AS and auditing). So, I generally try to avoid using dynamic string execution and if necessary create well tested\/protected parameters (fyi &#8211; using QUOTENAME can be a [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,59,62,65,66],"tags":[],"class_list":["post-532","post","type-post","status-publish","format-standard","hentry","category-dynamic-string-execution","category-security","category-sp_executesql","category-sql-server-2005","category-sql-server-2008"],"_links":{"self":[{"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/posts\/532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/comments?post=532"}],"version-history":[{"count":0,"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/posts\/532\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/media?parent=532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/categories?post=532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sqlskills.com\/blogs\/kimberly\/wp-json\/wp\/v2\/tags?post=532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}