As web application security breaches and attempts rise, developers are increasingly being asked to take more responsibility for the security of their applications, and application framework vendors are building more robust security features into their platform software. Many developers have learned that the most effective way to build secure applications and prevent damaging attacks is to design and implement the applications securely from the beginning. Unfortunately, development teams often lack the training and resources to make educated design decisions about application security.
As developers assume more of the security burden, the first web application vulnerability that many developers learn about is a particularly dangerous form of command injection known as SQL injection. Command injection in its archetypal form is any vulnerability that allows an attacker to run an unintended command on your server by providing unanticipated input that alters the way you intended the web application to run. Because the technique is so well known, SQL injection attacks are common, dangerous, and pervasive. Fortunately, you can prevent SQL injection easily once you understand the problem. Even better, a new Microsoft data access technology offers .NET developers the opportunity to eliminate SQL injection vulnerabilities altogether when used properly. That technology is called Language Integrated Query (LINQ), and it will ship in the upcoming release of Visual Studio "Orcas" and .NET Framework 3.5. This article explores LINQ's potential for hardening your web application's data access code so that it's impossible to attack through SQL injection.
SQL injection is a type of web application security vulnerability whereby an attacker supplies malicious data to the application, tricking it into executing unanticipated SQL commands on the server. These attacks are fairly easy to prevent, but they're also both common and pernicious because they allow attackers to run database commands directly against your production data. In the most extreme cases, attackers can not only gain unfettered access to all of your data, but can also drop tables and databases or even gain control of the database server itself.
If these attacks are easy to prevent, then why are they so dangerous? First, your application database is a very attractive target for obvious reasons and garners a lot of attention from attackers. When SQL injection is possible in a web application, it is very easy for an attacker to detect it and to then exploit it. So it stands to reason that even if SQL injection mistakes are not the most frequent security mistakes made by developers, they very well may be the most frequently uncovered and exploited in the wild.
One easy way to detect a SQL injection vulnerability is to insert a meta character into an input that you know the application will use to craft a database access statement. For example, on any web site that contains a search input field, an attacker can input a database meta character such as a tick mark (') and click the Search button to submit the input. If the application returns a database error message, the attacker not only knows that he has found a database-driven portion of the application, but also that he may be able to inject more meaningful commands and have your server execute them. Application security researcher Michael Sutton recently emphasized the ease of discovering web applications vulnerable to SQL injection by identifying hundreds of potentially vulnerable sites in a matter of minutes using the Google search API.
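To make the tick-mark probe concrete, here is an added example (not code from the article, which targets .NET and LINQ) in Python against a constructed in-memory SQLite table: the search query that splices the user's term into the SQL text fails on a tick mark, which is exactly the error signal the paragraph above describes, while the parameterized query treats the same input as plain data, the same property LINQ-generated queries rely on.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's searchable product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("widget",), ("gadget",), ("o'brien's gizmo",)],
    )
    return conn


def search_concat(conn, term):
    """Vulnerable form: the term becomes part of the SQL text, so a meta
    character such as a tick mark changes the statement's structure."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened form: the term is bound as a parameter and never parsed as SQL,
    so a tick mark is just another character to match."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(conn, search_fn, term):
    """Runs one search and reports what a caller would observe:
    ('error', message) if the database rejected the statement, else ('ok', rows).
    A database error on a lone tick mark is the tell-tale the article describes."""
    try:
        return ("ok", search_fn(conn, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

Note that the concatenated version also breaks on legitimate data containing an apostrophe (a customer named O'Brien), so parameterization fixes a correctness bug as well as the security hole.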