database auditing or tracing. The main reason is performance, because having the database log all of this information does affect the performance of the database, whereas using an external passive tool will not affect the performance. Another interesting twist when using the database to create the trace (in SQL Server) is that SQL injection involving any comment that includes the string sp_password has a side effect called audit evasion. If you use one of the sp_trace<..> functions for logging the information and the injected command includes a line comment using -- followed by the string sp_password anywhere in the comment right after the "--", then the trace will not include the query text!
Let's look at an example. Suppose I have a trace on DBCC events. If I run a DBCC TRACEON(3205) command, the trace will produce a record such as:
Audit DBCC Event
DBCC TRACEON (3205)
SQL Query Analyzer
ronb
RON-SNYHR85G9DJ\ronb
3936
51
2005-02-14 01:38:37.560
However, if I run a command of the form:
DBCC TRACEON(3205) -- this means nothing, but let's say sp_password
Then I will get the following record in the trace:
Audit DBCC Event
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
SQL Query Analyzer
ronb
RON-SNYHR85G9DJ\ronb
3936
51
2005-02-14 01:40:46.170
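As an added, defender-side example that is not part of the book: the Python below parses exported trace rows (assumed to be tab-separated, with the columns in the order of the records above: EventClass, TextData, ApplicationName, NTUserName, LoginName, ClientProcessID, SPID, StartTime), flags every event whose TextData has been replaced by the sp_password security comment, and builds the per-login baseline of event classes from the rows that were not redacted. The sample rows are constructed; the APPHOST\appsvc login and its batch are invented for illustration.

```python
"""Added example (not from the book): detect SQL Server trace rows whose
statement text was replaced because it contained 'sp_password'.

Assumptions: trace rows are exported as tab-separated lines with the
columns in the order of the records shown on the page:
EventClass, TextData, ApplicationName, NTUserName, LoginName,
ClientProcessID, SPID, StartTime. All sample rows below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# The replacement text SQL Server writes into TextData (quoted from the page).
REDACTION_MARKER = "'sp_password' was found in the text of this event."

# Constructed sample export: the two records from the page plus one
# ordinary batch from a hypothetical application login (APPHOST\appsvc).
SAMPLE_TRACE = "\n".join("\t".join(row) for row in [
    ("Audit DBCC Event", "DBCC TRACEON (3205)", "SQL Query Analyzer",
     "ronb", "RON-SNYHR85G9DJ\\ronb", "3936", "51", "2005-02-14 01:38:37.560"),
    ("Audit DBCC Event",
     "-- 'sp_password' was found in the text of this event. "
     "-- The text has been replaced with this comment for security reasons.",
     "SQL Query Analyzer", "ronb", "RON-SNYHR85G9DJ\\ronb", "3936", "51",
     "2005-02-14 01:40:46.170"),
    ("SQL:BatchCompleted", "SELECT name FROM sysobjects", "AppServer",
     "appsvc", "APPHOST\\appsvc", "4120", "57", "2005-02-14 01:41:02.000"),
])


@dataclass(frozen=True)
class TraceEvent:
    event_class: str
    text_data: str
    application: str
    nt_user: str
    login: str
    client_pid: int
    spid: int
    start_time: str

    def is_redacted(self) -> bool:
        """True when the server substituted its security comment for the text."""
        return REDACTION_MARKER in self.text_data


def parse_trace(tsv: str) -> list[TraceEvent]:
    """Parse tab-separated trace rows in the assumed column order."""
    events: list[TraceEvent] = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 8:
            raise ValueError(f"expected 8 columns, got {len(cols)}: {line!r}")
        ec, text, app, nt_user, login, pid, spid, ts = cols
        events.append(TraceEvent(ec, text, app, nt_user, login,
                                 int(pid), int(spid), ts))
    return events


def find_redacted(events: list[TraceEvent]) -> list[TraceEvent]:
    """Rows whose real statement is unknown to the trace. Each one is a gap
    in the audit record that an external, passive capture would still hold."""
    return [e for e in events if e.is_redacted()]


def baseline(events: list[TraceEvent]) -> dict[str, set[str]]:
    """Event classes actually observed per login, excluding redacted rows:
    a redacted row says nothing reliable about what the login did."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if not e.is_redacted():
            seen[e.login].add(e.event_class)
    return dict(seen)


if __name__ == "__main__":
    evts = parse_trace(SAMPLE_TRACE)
    for e in find_redacted(evts):
        print(f"redacted statement: spid={e.spid} login={e.login} "
              f"at {e.start_time} via {e.application}")
    for login, classes in baseline(evts).items():
        print(f"{login}: {sorted(classes)}")
```

Any row reported by find_redacted is a hole in the trace-based baseline: the login, SPID, application and time are still recorded, so the event can be matched against an external capture (the passive tool the text recommends) to recover what was actually sent.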
Once you have the baseline, you can proceed to check whether the database login being used by the application is really limited in its privileges to the minimal set required for correct application behavior. Most commonly you will find that this is not so—the application login can do much more than it really does. Assuming you can trust the logging that you've just completed and you think it is complete, limiting the privileges further based on