
T-SQL rules

Open joshbw opened this issue 8 years ago • 1 comments

There aren't a lot of T-SQL security checkers out there, so let's add some rules for T-SQL scripts. Suggestions from Raul:

  • Executing any of the dangerous XPs, such as xp_cmdshell
  • Changing the configuration to enable dangerous features (i.e. EXEC[UTE] sp_configure 'xp_cmdshell', 1)
  • Using dynamic SQL (i.e. EXECUTE).
    • The difficult part of this one would be to know if the dynamic SQL is properly escaped to prevent SQLi, so we could simply warn the user
  • Enabling some features on DBs such as setting the trustworthy = ON on a DB
  • Granting elevated permissions (i.e. GRANT UNSAFE ASSEMBLY … )
  • Create a new login (with password) without CHECK_POLICY = ON

joshbw, Mar 15 '17 04:03
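
A sketch of how the checks suggested in the issue above could be expressed as regular-expression rules over a T-SQL script, added here as an example (it is not DevSkim's rule set or code from this thread). The rule ids, the sample script, and the procedure and option names other than xp_cmdshell are assumptions chosen for illustration.

```python
import re

F = re.I | re.S
# Rule ids are invented for this example; they are not DevSkim rule ids.
RULES = [
    ("TSQL-XP-EXEC", "error", re.compile(
        r"\bEXEC(?:UTE)?\s+(?:[\w\[\]]*\.)*\[?(?:xp_cmdshell|xp_regwrite|xp_dirtree)\b", F)),
    ("TSQL-SP-CONFIGURE", "error", re.compile(
        r"\bsp_configure\s+N?'(?:xp_cmdshell|clr enabled|Ole Automation Procedures)'"
        r"\s*,\s*1\b", F)),
    # Cannot tell whether the string is safely built, so this only warns.
    ("TSQL-DYNAMIC-SQL", "warning", re.compile(r"\bEXEC(?:UTE)?\s*\(|\bsp_executesql\b", F)),
    ("TSQL-TRUSTWORTHY", "error", re.compile(
        r"\bALTER\s+DATABASE\s+\S+\s+SET\s+TRUSTWORTHY\s+ON\b", F)),
    ("TSQL-GRANT-UNSAFE", "error", re.compile(r"\bGRANT\s+UNSAFE\s+ASSEMBLY\b", F)),
    # As worded in the issue: password login with no explicit CHECK_POLICY = ON before ';'.
    ("TSQL-LOGIN-POLICY", "warning", re.compile(
        r"\bCREATE\s+LOGIN\s+\S+\s+WITH\s+PASSWORD\b"
        r"(?:(?!CHECK_POLICY\s*=\s*ON\b)[^;])*(?:;|$)", F)),
]
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)

def strip_comments(sql):
    # Blank out comments but keep newlines so reported line numbers stay valid.
    # Limitation: '--' or '/*' inside a string literal is treated as a comment.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), sql)

def scan(sql):
    """Return sorted (line, rule_id, severity) tuples for every rule match."""
    clean = strip_comments(sql)
    return sorted((clean.count("\n", 0, m.start()) + 1, rule_id, severity)
                  for rule_id, severity, pattern in RULES
                  for m in pattern.finditer(clean))

# Constructed sample script (not taken from the issue or any real system).
SAMPLE = """\
-- EXEC xp_cmdshell 'whoami'   (commented out: must not fire)
EXEC sp_configure 'xp_cmdshell', 1;
EXEC master..xp_cmdshell 'dir';
DECLARE @tbl sysname = 'orders';
EXEC('SELECT * FROM ' + @tbl);
ALTER DATABASE Sales SET TRUSTWORTHY ON;
GRANT UNSAFE ASSEMBLY TO app_login;
CREATE LOGIN svc1 WITH PASSWORD = 'constructed-Example-1', CHECK_POLICY = OFF;
CREATE LOGIN svc2 WITH PASSWORD = 'constructed-Example-2', CHECK_POLICY = ON;
"""

if __name__ == "__main__":
    for line, rule_id, severity in scan(SAMPLE):
        print(f"line {line}: {severity}: {rule_id}")
```

SQL Server treats an omitted CHECK_POLICY as ON, so a lower-noise variant of the last rule would flag only an explicit CHECK_POLICY = OFF.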

A few public resources on dangerous T-SQL:

  • https://technet.microsoft.com/en-us/library/aa175398(v=sql.80).aspx
  • https://www.owasp.org/index.php/Testing_for_SQL_Server
  • https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/#3
  • https://www.exploit-db.com/papers/12975/

scovetta, Mar 15 '17 07:03