Sunday, June 1, 2008

Hot SQL Injection

Normally when we think of SQL Injection attacks, we think about web applications, because this is usually where they rear their ugly head. But although the web is the standard vector for SQL injection, we SSIS developers need to understand that there is danger in our ETL applications as well.

One technique many SSIS developers (and I count myself in this group) often use is basing a package variable on an expression that builds a SQL statement from the values of other variables in the package. The risk, of course, is that if those "input variables" contain malicious text, they create the same type of vulnerability as text entered through a web form. So please make sure that you understand what input vectors exist and that they are secured as well as possible. The nature of most SSIS applications certainly reduces their attack surface, but any time you construct a SQL string dynamically, some vulnerability exists.
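To make the distinction concrete, here is an added Script Task example (not code from the original post) that shows the expression-style concatenation described above next to a parameterized SqlCommand, which is the same thing an Execute SQL Task does when the statement uses a `?` placeholder with a Parameter Mapping instead of an expression-built string. The package variable `User::Region`, the ADO.NET connection manager `CustomerDb`, and the table `dbo.Customer` are assumed names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.SqlServer.Dts.Runtime;

// Script Task template class; the base class lives in the generated partial file.
public partial class ScriptMain
{
    // The pattern the post warns about, written as a package expression:
    //   "SELECT CustomerId, Email FROM dbo.Customer WHERE Region = '" + @[User::Region] + "'"
    // Whatever is in the variable becomes part of the statement text, so a quote
    // character in the input data changes the meaning of the query.
    static string BuildVulnerableSql(string region)
    {
        return "SELECT CustomerId, Email FROM dbo.Customer WHERE Region = '" + region + "'";
    }

    // Hardened form: the value travels as a typed parameter, never as SQL text.
    // In an Execute SQL Task this is "WHERE Region = ?" plus a Parameter Mapping row.
    static SqlCommand BuildParameterizedCommand(SqlConnection conn, string region)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerId, Email FROM dbo.Customer WHERE Region = @Region", conn);
        cmd.Parameters.Add("@Region", SqlDbType.NVarChar, 50).Value = region;
        return cmd;
    }

    public void Main()
    {
        // User::Region (assumed name) is typically loaded from a file or an upstream
        // table, which makes it untrusted input even without a GUI.
        string region = (string)Dts.Variables["User::Region"].Value;

        // CustomerDb (assumed name) is an ADO.NET connection manager.
        ConnectionManager cm = Dts.Connections["CustomerDb"];
        var conn = (SqlConnection)cm.AcquireConnection(Dts.Transaction);
        try
        {
            using (SqlCommand cmd = BuildParameterizedCommand(conn, region))
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                int rows = 0;
                while (rdr.Read()) rows++;
                bool fireAgain = true;
                Dts.Events.FireInformation(0, "ScriptMain",
                    rows + " customers in region " + region, "", 0, ref fireAgain);
            }
            Dts.TaskResult = (int)ScriptResults.Success;
        }
        finally
        {
            cm.ReleaseConnection(conn);
        }
    }
}
```

`BuildVulnerableSql` is kept only for comparison; the task never executes it, and the same parameterization applies to any OLE DB or ADO.NET source component that accepts parameters.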

I mention this today because the Microsoft Security Vulnerability Research & Defense blog had a great post a few days ago going into SQL injection in great detail. There's nothing SSIS-specific in there, but it should still be considered required reading for SSIS package developers who use this technique. Just because our ETL applications don't generally have a GUI, that doesn't mean we don't need to be concerned about poisoned input data.

Now, I should go back and finish watching The Breakfast Club...
