계: Input Validation and Representation

입력 검증 및 표현 문제는 메타 문자, 대체 인코딩 및 숫자 표현 때문에 발생합니다. 보안 문제는 입력을 신뢰하기 때문에 발생합니다. 문제로는 "Buffer Overflows", "Cross-Site Scripting" 공격, "SQL Injection", 그 외 여러 가지가 있습니다.

SQL Injection: PartiQL

C#/VB.NET/ASP.NET
Java/JSP

Abstract

신뢰할 수 없는 소스에서 나온 입력을 받아 동적으로 PartiQL 문을 생성하면 공격자가 해당 문의 의미를 수정하거나 임의의 PartiQL 명령을 실행할 수 있습니다.

Explanation

SQL Injection: PartiQL 문제는 다음과 같은 경우에 발생합니다.

1. 신뢰할 수 없는 소스의 데이터가 프로그램에 입력됩니다.

2. 데이터를 사용하여 PartiQL 쿼리를 동적으로 생성합니다.
예제 1: 다음 코드는 지정한 이름과 일치하는 항목을 검색하기 위한 PartiQL 쿼리를 동적으로 생성하고 실행합니다. 쿼리는 표시되는 항목을 항목 owner가 현재 인증된 사용자의 이름과 일치하는 항목으로 제한합니다.


...
string userName = identity.User;
string itemName = apiGatewayProxyRequest.QueryStringParameters['item'];
string statement = $"SELECT * FROM items WHERE owner = '{userName}' AND itemname = '{itemName}'";

var executeStatementRequest = new ExecuteStatementRequest();
executeStatementRequest.Statement = statement;
var executeStatementResponse = await dynamoDBClient.ExecuteStatementAsync(executeStatementRequest);
return displayResults(executeStatementResponse.Items);
...

이 쿼리는 다음 코드를 실행하려고 합니다.


	SELECT * FROM items
	WHERE owner = <userName>
	AND itemname = <itemName>;

하지만 상수인 기본 쿼리 문자열과 사용자 입력 문자열을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 itemName에 작은따옴표가 들어 있지 않은 경우에만 정확하게 동작합니다. 사용자 이름이 wiley인 공격자가 itemName에 문자열 name' OR 'a'='a를 입력하면 쿼리는 다음과 같이 생성됩니다.


	SELECT * FROM items
	WHERE owner = 'wiley'
	AND itemname = 'name' OR 'a'='a';

OR 'a'='a' 조건을 추가하면 where 절이 항상 true로 평가되기 때문에 쿼리는 훨씬 단순한 다음 쿼리와 논리적으로 동일하게 됩니다.

SQL Injection 공격을 방지하는 한 가지 기존의 접근 방식은 공격을 입력값 검증 문제로 처리하고 안전한 값의 허용 목록의 문자만 받거나 악의적일 가능성이 있는 값 목록(거부 목록)을 식별하여 이스케이프 처리하는 것입니다. 허용 목록을 확인하는 것은 엄격한 입력값 검증 규칙을 이행하는 매우 효율적인 수단이 되기도 하지만, 매개 변수가 있는 SQL 문은 유지 관리가 쉽고 보다 강력한 보안을 제공할 수 있습니다. 대부분의 경우 거부 목록을 구현하는 것은 SQL Injection 공격 방지의 효과를 떨어뜨리는 허점이 아주 많습니다. 예를 들어, 공격자는 다음과 같이 할 수 있습니다.

- 따옴표로 묶지 않은 필드를 노립니다.
- 이스케이프 처리된 메타 문자를 사용할 필요가 없는 방법을 찾습니다.
- 저장 프로시저(Stored procedure)를 사용하여 삽입된 메타 문자를 숨깁니다.

PartiQL 쿼리에 입력할 때 수동으로 문자를 이스케이프 처리하는 방법도 있지만 이것으로 PartiQL Injection 공격으로부터 응용 프로그램을 보호할 수는 없습니다.

References

[1] S. J. Friedl SQL Injection Attacks by Example

[2] P. Litwin Stop SQL Injection Attacks Before They Stop You MSDN Magazine

[3] P. Finnigan SQL Injection and Oracle, Part One Security Focus

[4] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press

[5] PartiQL - A SQL-Compatible Query Language for Amazon DynamoDB

[6] Standards Mapping - Common Weakness Enumeration CWE ID 89

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089

[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089

[12] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[14] Standards Mapping - FIPS200 SI

[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[21] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[22] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[23] Standards Mapping - OWASP Top 10 2010 A1 Injection

[24] Standards Mapping - OWASP Top 10 2013 A1 Injection

[25] Standards Mapping - OWASP Top 10 2017 A1 Injection

[26] Standards Mapping - OWASP Top 10 2021 A03 Injection

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[39] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089

[40] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089

[41] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089

[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[64] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)

[65] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection

desc.dataflow.dotnet.sql_injection_partiql

Abstract

Explanation


...
String userName = identity.getUser();
String itemName = apiGatewayProxyRequest.getQueryStringParameters('item');
String statement = String.format("SELECT * FROM items WHERE owner = '%s' AND itemname = '%s'", userName, itemName);
ExecuteStatementRequest executeStatementRequest = new ExecuteStatementRequest();
executeStatementRequest.setStatement(statement);
ExecuteStatementResponse executeStatementResponse = dynamoDBClient.executeStatement(executeStatementRequest);
return displayResults(executeStatementResponse.items());
...

이 쿼리는 다음 코드를 실행하려고 합니다.


	SELECT * FROM items
	WHERE owner = <userName>
	AND itemname = <itemName>;


	SELECT * FROM items
	WHERE owner = 'wiley'
	AND itemname = 'name' OR 'a'='a';

OR 'a'='a' 조건을 추가하면 where 절이 항상 true로 평가되기 때문에 쿼리는 훨씬 단순한 다음 쿼리와 논리적으로 동일하게 됩니다.
SQL Injection 공격을 방지하는 한 가지 기존의 접근 방식은 공격을 입력값 검증 문제로 처리하고 안전한 값의 허용 목록의 문자만 받거나 악의적일 가능성이 있는 값 목록(거부 목록)을 식별하여 이스케이프 처리하는 것입니다. 허용 목록을 확인하는 것은 엄격한 입력값 검증 규칙을 이행하는 매우 효율적인 수단이 되기도 하지만, 매개 변수가 있는 SQL 문은 유지 관리가 쉽고 보다 강력한 보안을 제공할 수 있습니다. 대부분의 경우 거부 목록을 구현하는 것은 SQL Injection 공격 방지의 효과를 떨어뜨리는 허점이 아주 많습니다. 예를 들어, 공격자는 다음과 같이 할 수 있습니다.

- 따옴표로 묶지 않은 필드를 노립니다.
- 이스케이프 처리된 메타 문자를 사용할 필요가 없는 방법을 찾습니다.
- 저장 프로시저(Stored procedure)를 사용하여 삽입된 메타 문자를 숨깁니다.

PartiQL 쿼리에 입력할 때 수동으로 문자를 이스케이프 처리하는 방법도 있지만 이것으로 PartiQL Injection 공격으로부터 응용 프로그램을 보호할 수는 없습니다.

References

[1] S. J. Friedl SQL Injection Attacks by Example

[2] P. Litwin Stop SQL Injection Attacks Before They Stop You MSDN Magazine

[3] P. Finnigan SQL Injection and Oracle, Part One Security Focus

[4] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press

[5] PartiQL - A SQL-Compatible Query Language for Amazon DynamoDB

[6] IDS00-J. Prevent SQL Injection CERT

[7] INJECT-2: Avoid dynamic SQL Oracle

[8] Standards Mapping - Common Weakness Enumeration CWE ID 89

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089

[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089

[14] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[16] Standards Mapping - FIPS200 SI

[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[23] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[24] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[25] Standards Mapping - OWASP Top 10 2010 A1 Injection

[26] Standards Mapping - OWASP Top 10 2013 A1 Injection

[27] Standards Mapping - OWASP Top 10 2017 A1 Injection

[28] Standards Mapping - OWASP Top 10 2021 A03 Injection

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089

[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089

[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089

[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[66] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)

[67] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection

desc.dataflow.java.sql_injection_partiql