SQL Server - Stored Procedure Attacks
Microsoft Corporation distributes SQL Server, a product that has been on the market for many years, and its security has improved with each release.
Every product has weaknesses, however, and Microsoft's SQL Server is no exception. Each edition of the product has its own particular features and its own security holes, which attackers may abuse.
To help protect the product, Microsoft added a feature that lets the server control reusable code: routines kept inside the database application itself that can be called to carry out other functions. In SQL Server terminology this reusable code is known as a stored procedure.
A stored procedure is a subroutine available to the various applications that access a relational database system, and it is kept in the database's data dictionary. Short forms used to refer to a stored procedure include sproc, StoPro, StoredProc, proc, and SP.
According to security experts, the stored procedure attack on SQL Server is one of the seven most dangerous attacks Microsoft Corporation has ever encountered. Their reports state that specific conditions must be satisfied before an attack using stored procedures can be launched.
The first step of this attack is gaining entry into the application without authorization, in order to take direct control of the SQL Server's stored procedures. There are many ways this access can be obtained, and all of them depend on the level of access the attacker already has to the database. Of the many methods attackers use, password guessing and dictionary attacks appear to be the most common.
The next and major step is gaining access to the stored procedures themselves. Once the attacker has administrative control over the SQL Server, attacks can begin; however, which stored procedures are accessible still depends on the version of SQL Server and on how the administrators have configured it.
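Because the two conditions above are password guessing and a configuration that exposes stored procedures, an administrator can check both from T-SQL. The following is an added audit-and-hardening script, not code from the original article; the procedure name dbo.usp_GetOrders and the role app_readers in the last step are placeholders assumed for illustration.

```sql
-- 1. Detection: look for failed logins (error 18456) in the current
--    SQL Server error log; a burst of these for one login or one
--    client address is the signature of password guessing.
--    sp_readerrorlog args: log number (0 = current), log type (1 = SQL
--    Server log), search string.
EXEC sp_readerrorlog 0, 1, 'Login failed';

-- 2. Configuration: confirm the xp_cmdshell extended procedure is
--    disabled (config_value = 0, run_value = 0). It is off by default
--    on supported versions, but an earlier administrator may have
--    enabled it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- 3. Hardening: disable it and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Inventory: which principals hold EXECUTE on which procedures in
--    the current database. Grants to PUBLIC or to broad roles are the
--    ones to review, because they are what a newly obtained login
--    inherits automatically.
SELECT dp.name                                  AS principal_name,
       dp.type_desc                             AS principal_type,
       SCHEMA_NAME(o.schema_id) + '.' + o.name  AS procedure_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.objects AS o
  ON pe.major_id = o.object_id
JOIN sys.database_principals AS dp
  ON pe.grantee_principal_id = dp.principal_id
WHERE o.type IN ('P', 'PC', 'X')   -- T-SQL, CLR and extended procedures
  AND pe.permission_name = 'EXECUTE'
ORDER BY principal_name, procedure_name;

-- 5. Least privilege on a procedure flagged by step 4 (placeholder
--    names): remove the blanket grant and give EXECUTE only to the
--    role the application actually runs under.
REVOKE EXECUTE ON OBJECT::dbo.usp_GetOrders FROM PUBLIC;
GRANT  EXECUTE ON OBJECT::dbo.usp_GetOrders TO app_readers;
```

Run step 4 in master as well as in each user database, since extended procedures (type 'X') live in master.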