RE: SQL Injection Legalities

From: Wolf, Glenn (glenn.wolf@we-inc.com)
Date: 07/18/02


From: "Wolf, Glenn" <glenn.wolf@we-inc.com>
To: vuln-dev@security-focus.com
Date: Thu, 18 Jul 2002 10:11:04 -0700

This was being discussed as a legal issue in pen-test, but I was curious if
anyone else has thought of using SQL Injection to cause a DoS.

The search box could be used to extend the SQL query to include something
like this:

SELECT product_id, product_name
FROM product
WHERE product_name like '%bicycle%'
OR product_name in (SELECT p1.product_name
                        FROM product AS p1,
                               product AS p2,
                               product AS p3,
                               product AS p4)
OR product_name = ''

where everything after the first OR is the SQL Injection. The second OR is
only to maintain a valid SQL statement (assuming the final character in the
query will be a single quote).

The DoS is in the inner query, and caused by the cartesian product (joining
all tables in every possible combination) generated by the query. If the
PRODUCT table only has 1,000 rows, the inner query will generate
1,000x1,000x1,000x1,000 rows, or 1 trillion rows. A larger product table or
more aliased references to it would generate an even larger result set.

This will most likely cause the database to a) Use up all available CPU
resources, b) Use disk resources in temp space and swapping.

In a web environment, even with many front-end load-balancing web servers,
there is typically only one database. DoS-ing the database effectively
DoS's all web users utilizing any kind of database function (search,
ordering, etc.).

As an Oracle DBA, I've seen this scenario caused by developers accidentally
forgetting a join, and I've also seen LARGE production websites go down
simply because there is too much load on the back-end database.

As far as mitigation goes, there are parameters that can be set at a user-
or profile-level to lower the execution priority of certain queries, or to
limit query run-time, but in most cases, these are not set.

Glenn
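As an added example, not code from Glenn's post: Python with the standard-library sqlite3 module standing in for the database, showing the concatenated search query beside a parameterized one, the row count of the alias-only join the post computes, and a per-query run-time limit of the kind the post says is usually left unset. The table contents, the PAYLOAD constant and the time budget are constructed for this demonstration.

```python
import sqlite3
import time

# Constructed sample data (not from the post): a small PRODUCT table in memory,
# alternating bicycle and helmet names so a LIKE search matches only some rows.
def make_db(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (product_id INTEGER PRIMARY KEY, product_name TEXT)")
    conn.executemany("INSERT INTO product (product_name) VALUES (?)",
                     [(f"{'bicycle' if i % 2 else 'helmet'} model {i}",) for i in range(rows)])
    return conn

# The injected text from the post: the leading quote closes the app's LIKE literal,
# the four aliases with no join condition are the cartesian product, and the
# trailing quote re-opens a literal so the app's own closing quote still parses.
PAYLOAD = ("bicycle%' OR product_name IN (SELECT p1.product_name FROM product AS p1, "
           "product AS p2, product AS p3, product AS p4) OR product_name = '")

def search_vulnerable(conn, term):
    # String concatenation: the user's text becomes SQL syntax.
    sql = f"SELECT product_id, product_name FROM product WHERE product_name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Bound parameter: the whole input is one string value, never SQL syntax.
    sql = "SELECT product_id, product_name FROM product WHERE product_name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()

def cross_join_rows(conn, aliases):
    # Row count of a join with no join condition: rows ** aliases (the post's 1,000^4).
    frm = ", ".join(f"product AS p{i}" for i in range(1, aliases + 1))
    return conn.execute(f"SELECT COUNT(*) FROM {frm}").fetchone()[0]

def with_runtime_limit(conn, run, budget_s):
    # Analogue of the per-query run-time limit the post mentions: SQLite's progress
    # handler aborts the statement once its time budget is spent, so one runaway
    # query cannot monopolise the database. Returns None when the query was cut off.
    deadline = time.monotonic() + budget_s
    conn.set_progress_handler(lambda: 1 if time.monotonic() > deadline else 0, 1000)
    try:
        return run()
    except sqlite3.OperationalError:  # raised as "interrupted"
        return None
    finally:
        conn.set_progress_handler(None, 0)

if __name__ == "__main__":
    small, big = make_db(10), make_db(300)
    print(len(search_vulnerable(small, PAYLOAD)), len(search_safe(small, PAYLOAD)), cross_join_rows(small, 4))
    print(with_runtime_limit(big, lambda: search_vulnerable(big, PAYLOAD), 0.2))
```

With 300 rows the injected query has 300^4 alias combinations to walk, so the 0.2 s budget cuts it off and the function returns None, while the parameterized search finishes immediately.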

-----Original Message-----
From: Quickfinger [mailto:junk@quickfinger.com]
Sent: Wednesday, July 17, 2002 4:12 PM
To: Deus, Attonbitus
Cc: Pen-Test
Subject: Re: SQL Injection Legalities

I am not a lawyer, but I do remember reading an article that used a
very similar example. I believe this is illegal in California and I
would not be surprised to hear that it's illegal in Oregon. Most
likely this depends on the state, probably the state in which the
server resides.

I too am interested in hearing from a lawyer if there is one on this
list.

D. Joe Royer II, CCNA, CISSP

On Wed, 17 Jul 2002, Deus, Attonbitus wrote:

>
> I hesitate asking the group about law, but here goes:
>
> Let's say a site gives you the capability to search their product-base via a
> web input box. You know, the standard search/submit deal.
>
> You type in "bicycle" and it gives you everything that starts with
> "bicycle." Simple enough. As we all know, web app susceptibility to SQL
> injects runs amok; let's say in this case that instead of typing "bicycle,"
> I type "bicycle' or 1=1--" and get all the products. Have I broken the
> law? More specifically, have I broken the law in the US?
>
> One could argue that the site is allowing me to specify what I want to see,
> and all I am doing is typing in what I want... Though the developer may
> not have intended for me to pull up the data like that, does my doing so
> constitute a crime?
>
> I'm not looking for ethical or moral debate here, I am hoping someone has
> some distinct legal experience who knows. Thanks.
>
> AD
>