Testing for SQL Wildcard Attacks (OWASP-DS-001)

Revision as of 06:03, 26 May 2008 by Fmavituna (Talk | contribs)

Jump to: navigation, search

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

This is a draft of a section of the new Testing Guide v3

Brief Summary

SQL Wildcard Attacks are about forcing the underlying database to carry out CPU intensive queries by using several wildcards. This vulnerability generally exists in search functionalities of the web applications. Successful exploitation of this attack will cause Denial of Service.

Description of the Issue

SQL Wildcard attacks might affect all database back-ends but mainly affects SQL Server because of MS SQL Server LIKE operator supportssome extra wildcards such as "[]","[^]","_" and "%".

In a typical web application if you were to enter "foo" into the search box, the resulting SQL query might be:
SELECT * FROM Article WHERE Content LIKE '%foo%'

In a decent database with 1-100000 records the query above will take less than a second. The following query, in the very same database, will take about 6 seconds with only 2600 records.

SELECT TOP 10 * FROM Article WHERE Content LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'

So, if an attacker wanted to tie up the CPU for 6 seconds they would enter the following to the search box:

Black Box testing and example

Testing for Topic X vulnerabilities:
Result Expected:

Example Attack Inputs

  • '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'
  • '%64_[^!_%65/%aa?F%64_D)_(F%64)_%36([)({}%33){()}£$&N%55_)$*£()$*R"_)][%55](%66[x])%ba][$*"£$-9]_%54' bypasses modsecurity
  • _[r/a)_ _(r/b)_ _(r-d)_
  • %n[^n]y[^j]l[^k]d[^l]h[^z]t[^k]b[^q]t[^q][^n]!%

Gray Box testing and example

Testing for Topic X vulnerabilities:
Result Expected:



Testing can be done manually. Also a fuzzer can employed to automate the process.