Monday, September 14, 2009

SQL Injection – Find vulnerable code

You should review stored procedures that use dynamic SQL for security vulnerabilities.

Here is a SQL Server statement that lists all stored procedures (and any other objects in syscomments, such as views, functions and triggers) whose text contains some form of the EXEC command. These should be reviewed to determine whether any security vulnerabilities exist.

-- Matches EXEC or EXECUTE followed by an opening parenthesis, allowing
-- for zero to four spaces in between, plus any call to sp_executesql.
-- DISTINCT is needed because syscomments splits long definitions into
-- several 4000-character rows, so one object can match more than once
-- (and a pattern that straddles a row boundary will be missed).
SELECT DISTINCT object_name(id) FROM syscomments
WHERE UPPER(text) LIKE '%EXECUTE(%'
OR UPPER(text) LIKE '%EXECUTE (%'
OR UPPER(text) LIKE '%EXECUTE  (%'
OR UPPER(text) LIKE '%EXECUTE   (%'
OR UPPER(text) LIKE '%EXECUTE    (%'
OR UPPER(text) LIKE '%EXEC(%'
OR UPPER(text) LIKE '%EXEC (%'
OR UPPER(text) LIKE '%EXEC  (%'
OR UPPER(text) LIKE '%EXEC   (%'
OR UPPER(text) LIKE '%EXEC    (%'
OR UPPER(text) LIKE '%SP_EXECUTESQL%'

And here is some good information about SQL injection that a friend pointed out to me:
http://www.sommarskog.se/dynamic_sql.html#SQL_injection
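As an added example (not from the original post), here is a constructed procedure that builds its statement by string concatenation next to its parameterised rewrite, followed by a version of the finder query against sys.sql_modules, whose definition column is not split into 4000-character rows the way syscomments is. The table and procedure names are made up; it assumes SQL Server 2005 or later.

```sql
-- Constructed sample table and procedures (hypothetical names).
CREATE TABLE dbo.Customers (CustomerId INT PRIMARY KEY, CustomerName NVARCHAR(100));
GO

-- Dynamic SQL built by concatenation: the caller's value becomes part of the
-- statement text, so a quote character inside it changes what EXEC runs.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
             + N'WHERE CustomerName = ''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- Hardened form: the statement text is constant and the value is passed as a
-- parameter to sp_executesql, so @Name is only ever compared as data.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
             + N'WHERE CustomerName = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @Name;
END
GO

-- Finder query: strip tabs, line breaks and spaces before matching so one
-- pattern per keyword covers any spacing between EXEC/EXECUTE and the '('.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS procedure_name
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
CROSS APPLY (SELECT REPLACE(REPLACE(REPLACE(REPLACE(UPPER(m.definition),
                    CHAR(9), ''), CHAR(13), ''), CHAR(10), ''), ' ', '') AS def) AS n
WHERE n.def LIKE '%EXEC(%'
   OR n.def LIKE '%EXECUTE(%'
   OR n.def LIKE '%SP_EXECUTESQL%'
ORDER BY schema_name, procedure_name;
```

Both procedures are listed, because both contain dynamic SQL; the query only narrows the review to candidates, and reading each one is what separates the concatenated version from the parameterised one.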
