November 12, 2008 Posted in programming

SQL Injections

When discussing web development, the subject of security inevitably comes up. Last week, while I was teaching a class in ASP.NET, we had a sample login page that, although quite trivial in nature, exposed a serious vulnerability to SQL injection attacks.

Does it hurt?

Well, it might. But let’s first start off by defining the concepts. An SQL Injection is a type of attack that exploits a vulnerability in the data access layer (DAL) of an application to embed arbitrary SQL statements in specially crafted user input, which then get executed at runtime. Let me show you how this works with an example.

Vulnerability and exploit

Suppose we have a web site that prompts users to enter their username and password credentials in order to authenticate their identity. Typically, somewhere in the DAL of the application, there will be a chunk of code looking not too different from this:

using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection("ConnectionString"))
{
    // Vulnerable: the user-supplied strings are concatenated straight into the SQL text
    string query = "SELECT COUNT(*) FROM Users WHERE Username='"
        + username + "' AND Password='" + password + "'";
    SqlCommand command = new SqlCommand(query, connection);
    connection.Open();
    bool isAuthenticated = (int)command.ExecuteScalar() > 0;
}

This code exposes a serious vulnerability whenever the content of the ‘username’ and ‘password’ strings coming from the UI is not properly validated. A malicious user could exploit this vulnerability by entering the following value in the username input field:

SomeUser' OR 1=1 -- 

What we have done is effectively extend the SQL query that will be run against the database: we appended an additional condition that always evaluates to ‘true’ and commented out the rest of the original query. Here is how the ‘query’ variable will look when executed at runtime:

SELECT COUNT(*) FROM Users WHERE Username='SomeUser' OR 1=1 --' AND Password=''

Yes folks, this will let us log in to the web site without actually possessing a valid user account.

In other scenarios SQL Injections can be used to steal information. Suppose our web site has a page displaying a list of products. The URL would then more than likely look like this:

http://unsafewebsite.com/products.aspx?category=books

Then the page would run the following piece of code to retrieve and return the appropriate rows from the database table:

using System.Data;
using System.Data.SqlClient;

// Vulnerable: the category string taken from the URL is concatenated into the query
SqlConnection connection = new SqlConnection("ConnectionString");
string query = "SELECT * FROM Products WHERE Category='"
    + category + "'";
SqlCommand command = new SqlCommand(query, connection);
connection.Open();
// The connection is closed when the caller disposes the returned reader
return command.ExecuteReader(CommandBehavior.CloseConnection);

An attacker could exploit the fact that the URL parameter is not properly validated and enter the following value in the browser’s address bar:

http://unsafewebsite.com/products.aspx?category=Something';SELECT * FROM Users --

Here we embedded a new SQL statement that will run after the first one during the same database connection. Again, without proper validation of the user input, the final command that will get executed at runtime will look like this:

SELECT * FROM Products WHERE Category='Something';SELECT * FROM Users --'

This will display all the information about the users of the web site on the products page. Ouch!

The solution

So, how can we prevent this from happening? Well, there are a couple of security golden rules you should keep in mind:

  1. Never trust user input: this means you should always assert that every single piece of data coming from the user interface is what you expect it to be, and nothing else. In some places, for example web site URLs, it is a good idea to sanitize all strings by encoding them, which replaces special characters with their HTML or ASCII escape sequences. This prevents maliciously crafted strings from being evaluated at runtime and executed as code.
  2. Always use parameters in SQL statements: avoid dynamically generating SQL statements in code by concatenating hard-coded strings and variables, like I showed you in the examples above. Instead you should use strongly-typed parameters that are assigned a value at runtime. For example, the following code will prevent SQL injections by only accepting integer values for the parameter:

using System.Data;
using System.Data.SqlClient;

SqlConnection connection = new SqlConnection("ConnectionString");
string query = "SELECT * FROM Products WHERE ProductId=@id";
SqlCommand command = new SqlCommand(query, connection);
// Typed parameter: only an integer can be bound, and its value is never parsed as SQL
command.Parameters.Add("@id", SqlDbType.Int).Value = productId;
connection.Open();
// The connection is closed when the caller disposes the returned reader
return command.ExecuteReader(CommandBehavior.CloseConnection);
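As an added example (my own, not the post's code; written in Python with sqlite3 rather than C#/SqlClient because the point is that the driver binds the values, which SqlParameter does in exactly the same way), here are the post's two inputs run against a concatenated login query and against parameterised login and product queries. The tables and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database in memory (not the post's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE Products (Name TEXT, Category TEXT)")
    conn.execute("INSERT INTO Products VALUES ('SQL 2008 Guide', 'books')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # Vulnerable: the same string concatenation as the post's login code.
    query = ("SELECT COUNT(*) FROM Users WHERE Username='" + username
             + "' AND Password='" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_param(conn, username, password):
    # Hardened: the driver binds the values, so quotes and -- inside them
    # are data, never SQL syntax.
    query = "SELECT COUNT(*) FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def products_param(conn, category):
    # Parameterised version of the post's product listing: the injected
    # category is matched literally, so the stacked SELECT never runs.
    query = "SELECT Name FROM Products WHERE Category=?"
    return [row[0] for row in conn.execute(query, (category,))]

LOGIN_PAYLOAD = "SomeUser' OR 1=1 --"                   # input from the post
CATEGORY_PAYLOAD = "Something';SELECT * FROM Users --"  # input from the post

def run_checks():
    """Return (concat login bypassed?, parameterised login bypassed?,
    products returned for the injected category)."""
    conn = make_db()
    return (login_concat(conn, LOGIN_PAYLOAD, ""),
            login_param(conn, LOGIN_PAYLOAD, ""),
            products_param(conn, CATEGORY_PAYLOAD))

if __name__ == "__main__":
    print(run_checks())  # (True, False, [])
```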

Bringing it all together

SQL injections are a relatively simple way of attacking an application by embedding SQL statements in the user input and having them execute unexpectedly. When in the wrong hands they can indeed be used for great evil. Fortunately it’s not too hard to guard against this kind of vulnerability by always validating incoming data and using parameters in all our SQL commands.

/Enrico


November 02, 2008 Posted in technology

First preview of Windows 7

On the second day of PDC 2008 in Los Angeles Microsoft gave the first public preview of the next version of their client operating system code-named Windows 7.

The demo was held in the conference’s “Big Room” and the hype was high. As I was waiting for the very first Windows 7 desktop to show up on the giant screen, I was feeling a mixture of excitement and skepticism.

Well, I didn’t have to wait long to get a grasp on Microsoft’s next client operating system. The essential nature of Windows 7, in fact, revealed itself already within the first ten minutes of the demo. Let me synthesize it for you with a simple equation:

Windows 7 = Windows Vista SP2 + Multi-touch

In my opinion Windows 7 is really what Vista should have been in its first release back in November 2006. Microsoft used this release to polish the rough edges in the operating system like resource usage, responsiveness and user access control (UAC), amongst others. I really don’t blame them for that. They applied the hard lessons learned with Vista and used this second release to stabilize and strengthen the OS without introducing too much change. This way they hope to re-gain the users’ confidence in Windows. Here is a brief overview of some of the key improvements made in Windows 7:

  • Usability
    • Improved thumbnail previews in the task bar
    • Possibility to collect and hide system messages in the tray bar
    • Gadgets can now be placed anywhere on the desktop
    • Improved dialog to customize the desktop theme
    • Possibility to control how often UAC will ask you to confirm your actions
  • Architecture
    • Reduced memory footprint
    • Reduced amount of IO operations and registry access
    • Increased UI responsiveness
    • Possibility to mount virtual hard-disk images (VHD) as bootable drives

But the biggest new feature Windows 7 offers customers is really native support for multi-touch computing. This means that with 7 you will be able to interact with your desktop and applications exclusively through a touch-screen. Microsoft even made available an on-screen virtual keyboard, which effectively makes the monitor the only interface needed to interact with the computer.

In my opinion this is a step in the right direction. Looking at how mobile devices have evolved in recent years, starting with Apple’s iPhone, it is evident that natural human interfaces like touch, gestures and voice are the way we will prefer to interact with computers in the future. It really feels natural to click buttons, move items and zoom documents or pictures in and out using your fingers.

All of the attendees here at PDC 2008 got a copy of the pre-beta release of Windows 7, so I will be posting a little more detailed tour of what’s in there soon.

In conclusion let me finish off this brief overview by quoting Steven Sinofsky when talking about the Windows 7 roadmap. According to him, Windows 7’s development lifecycle will be divided into four main phases: pre-beta, beta, release candidate and RTM. The release dates coming out of each phase will be decided dynamically based on when the previous phase completed. Hence the final release date cannot be determined at this point in time. However, he concluded by saying:

“[…] we believe in shipping a new version of Windows every three years.”

And with Vista having gone RTM in the fall of 2006, I’ll let you do the math.

/Enrico


October 28, 2008 Posted in technology

Microsoft launches Windows Azure

Yesterday at 9:00 AM (Pacific Time), at the Microsoft PDC 2008 keynote, Microsoft Chief Software Architect Ray Ozzie revealed the company’s platform for cloud computing, named Windows Azure.

Windows Azure is an application hosting infrastructure service where customers can have their software running without having to worry about the costs of deploying and maintaining server and network hardware. Microsoft offers 24/7 hosting based on virtual servers in a configuration that can easily be adapted to scale up depending on the customer’s needs.

This is cloud computing in a nutshell. Software will no longer run exclusively on a client machine or inside the fences of a corporate intranet, but will be able to take advantage of the functionality offered by ubiquitous services that live on the Internet, a.k.a. “the cloud”.

Windows Azure is the software and hardware platform provided by Microsoft to create a cloud where customers can deploy applications that will be available through the Internet. Right now Windows Azure supports applications built on top of the .NET Framework, SharePoint, or Dynamics CMS. Moreover, the platform offers permanent storage with SQL Server and a series of centralized information sharing and synchronization services that go under the name Live Services.

Microsoft is proving the value of Windows Azure by betting on its own platform, and will soon start to give customers the option to buy server installations of their products on the cloud. This means that customers will be able to have a Microsoft server product up and running really quickly by delegating configuration and maintenance to Microsoft, all of this for the price of a subscription. This concept is called Microsoft Online Services, and the current offering includes Exchange, Office Live, SharePoint, and Microsoft Dynamics CMS.

This is the first of the big announcements made here at PDC 2008 in Los Angeles, USA. Today they will give the first public preview of the next version of Windows, code-named Windows 7. Stay tuned!

/Enrico