Page 615 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

transactions directly against the underlying database. SQL injection attacks might enable an attacker to bypass authentication, reveal confidential data from database tables, change existing data, add new records into the database, destroy entire tables or databases, and even gain command line–like access through certain database capabilities (such as command shell stored procedures).

You can use two techniques to protect your web applications against SQL injection attacks.

Perform input validation. Input validation lets you limit the types of data a user provides in a form. There are numerous variations of input injection or manipulation attacks, which call for a broad-spectrum defense that combines whitelisting (allow-list) filters, which accept only the characters and formats a field legitimately needs, with blacklisting filters, which reject known-bad patterns. Of the two, the allow list is the stronger control, because a blacklist catches only what its author anticipated. The primary forms of input sanitization that should be adopted are limiting the length of input, filtering on known malicious content patterns, and escaping metacharacters. The most dependable way to achieve that last step is to hand user-supplied values to the database as bound parameters of a prepared statement, so that the values are never parsed as part of the SQL text at all.

Limit account privileges. The database account used by the web server should have the smallest set of privileges possible. If the web application needs only to retrieve data, it should have that ability only; then even an injection that slips past input validation cannot change or delete data, and cannot reach administrative features such as command shell stored procedures.
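The following is an added example, not code from the study guide: a small SQLite-backed login check that reproduces the injection described above (authentication bypass and an injected data change), then applies the two defenses the text names, input validation with a length limit and an allow list, and a least-privilege database connection, alongside escaping of the quote metacharacter and the parameterized query that escaping is ultimately meant to achieve. The table, rows, user names, passwords and the `PRAGMA query_only` stand-in for a read-only database account are all constructed for the demo.

```python
"""Added example (not from the study guide): SQL injection against a login
lookup, and the defenses the text describes.  Sample data is constructed."""
import re
import sqlite3

# Constructed sample data standing in for a web application's user table.
USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def setup_db():
    """Fresh in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: input is pasted into the SQL text, so a quote in it acts as
    a SQL metacharacter, not as data.  Returns the matched user or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Input validation: a length limit plus an allow list of characters.  Quotes,
# semicolons, comment markers and the other metacharacters never get through.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Raises ValueError for anything outside the allow list."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def escape_sql_string(value):
    """Escaping the quote metacharacter: inside a SQL string literal a single
    quote is neutralised by doubling it, so ' is read as data."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same query as login_vulnerable, but every literal is escaped first."""
    u, p = escape_sql_string(username), escape_sql_string(password)
    sql = f"SELECT username FROM users WHERE username = '{u}' AND password = '{p}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the driver sends the values apart from the SQL text,
    so no character in them can be interpreted as SQL.  Prefer this form."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def read_only(conn):
    """Least privilege: a read-only web application gets no write capability.
    SQLite has no accounts, so PRAGMA query_only (assumption for the demo)
    stands in for a database role granted SELECT only."""
    conn.execute("PRAGMA query_only = ON")
    return conn


# Stacked-query payload: closes the literal, appends an UPDATE, and leaves the
# template's own closing quote to finish the last literal.  SQLite's execute()
# refuses multiple statements, so executescript stands in for a driver that
# allows them.
ESCALATE = "bob'; UPDATE users SET role = 'admin' WHERE username = 'bob"


def role_after_injection(conn, username=ESCALATE):
    """Runs the vulnerable lookup with the escalation payload and reports
    bob's role afterwards: 'admin' if the injected write went through,
    'user' if the database refused it."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    try:
        conn.executescript(sql)
    except sqlite3.DatabaseError:
        pass  # read-only connection: "attempt to write a readonly database"
    return conn.execute("SELECT role FROM users WHERE username = 'bob'").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    bypass = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", bypass))          # alice
    print("escaped:", login_escaped(db, "alice", bypass))                # None
    print("parameterized:", login_parameterized(db, "alice", bypass))    # None
    print("read/write account:", role_after_injection(setup_db()))      # admin
    print("read-only account:", role_after_injection(read_only(setup_db())))  # user
```

Note that the allow list works for the user name but not for the password field, where quotes and other metacharacters are legitimate input; that is why free-text fields need escaping or, better, bound parameters in addition to validation. Hand-written escaping also has to know every metacharacter of the target database's dialect (some dialects treat the backslash specially, for instance), which a parameterized query sidesteps entirely.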



Metacharacters

Metacharacters are characters that have been assigned special programmatic meaning. Thus, they have special powers that standard, normal characters do not have. There are many common metacharacters, but typical examples include single and double quotation marks; the open/close square brackets; the backslash; the semicolon; the ampersand; the caret; the dollar sign; the period, or dot; the vertical bar, or pipe symbol; the question mark; the asterisk; the plus sign; open/close curly braces; and open/close parentheses: ' " [ ] \ ; & ^ $ . | ? * + { } ( ). Which of these carry special meaning depends on the interpreter that reads the input; in a SQL string literal the critical one is the single quote, which ends the literal.

Escaping a metacharacter is the process of marking the metacharacter as merely a normal or common character, such as a letter or number, thus removing its special programmatic powers. This is often done by adding a backslash in front of the character (\&), but there are many ways to escape metacharacters based on