
Can this security loophole bring down an entire database server?


This is more of a curiosity. I'll explain the reason for it in a minute, but my question is...
If a hacker began sending commands to insert, let's say, 20 million records into a SQL Server (2008 R2) database table every second, what would happen? How does SQL Server handle that? Would it bring down just that particular database, or would it choke off the entire server, potentially bringing down all databases on that SQL Server? I'm guessing SQL Server has security in place to prevent such a disaster, but I'm just curious how serious it would be.

The reason for my question is that we have a programmer at our company who wrote a website with one absolutely terrible security loophole. It's an ordering website, where one feature is that the user can go into their order and add additional quantities of an item they've already ordered. The items being ordered are very specific to the industry we're in, so it's not as simple as updating an ordered item's "Quantity" field in the database. Instead, for each new quantity added to an order, a new record for that item needs to be inserted into a table.

So, the other day, I was reviewing his website code for another issue when I realized that this quantity insert he's doing originates from a URL that looks like the following, which has a "Quantity" parameter in it:

I realized that if I copy that URL and change the quantity to 10 or 1000 or even 10000000, it still inserts that number of new records into the database table. Even worse, I don't have to be logged into the website to do so. Any random user can copy and paste this and hit enter as often as they want. And the absolute WORST PART... the URL is from a jQuery postback, meaning that URL can be seen by anyone who views the page's HTML source code or has an HTML proxy server, such as Fiddler, open!

Sorry for the long rant, but anyway, back to my original question: how would SQL Server handle an attack like this? How serious would it be?



SQL Server would just perform the inserts. How would it know that these are bad inserts?


Correct, but if someone set the number of those inserts to tens of millions, or even billions, of records every second, wouldn't that basically choke off SQL Server?


It could eventually fill up the available disk space.

This is one reason why folks often encapsulate CRUD operations in stored procedures, so things can be checked before they make it into the database.


If it were inserting a huge number of rows per second and that's different from the regular load, you'd probably notice it due to user complaints, monitoring software, etc.

Agreed about the stored procedures. Don't give the user insert access to the tables; instead, just give exec access to the stored procedures.


My band-aid would be to put a trigger on the table which detected that some Max Items limit had been reached on a given order, and ROLLBACK at that point.

If some users need to be able to order more than that limit, then I would add a flag, or similar, to their account; then only someone logged in and using an account with the flag set could order "large quantities".

It seems to me to be good news that you've detected this possible trapdoor before someone has thought to use it :)
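The two defenses proposed in the replies above (a stored procedure that checks the quantity before inserting, with the web user granted only EXECUTE, and a trigger that rolls back when an order passes a Max Items limit, with a per-account flag for bulk orders) put together as one added T-SQL example for SQL Server 2008 R2. This is not code from the thread or from the poster's site: the table, column, procedure and user names are hypothetical, and the limits 100 and 10000 are made-up values.

```sql
-- Hypothetical schema: one row per unit ordered, as the original post describes.
CREATE TABLE dbo.OrderItem (
    OrderItemID INT IDENTITY(1,1) PRIMARY KEY,
    OrderID     INT NOT NULL,
    ProductID   INT NOT NULL
);
CREATE INDEX IX_OrderItem_OrderID ON dbo.OrderItem (OrderID); -- keeps the per-order count and range lock cheap
-- Hypothetical per-account flag for users allowed to order large quantities.
CREATE TABLE dbo.Account (
    AccountID      INT PRIMARY KEY,
    AllowBulkOrder BIT NOT NULL CONSTRAINT DF_Account_AllowBulkOrder DEFAULT (0)
);
GO

-- 1) Validate-then-insert procedure. The website's database user gets EXECUTE on this
--    and nothing on the table; ownership chaining (both objects owned by dbo) lets the
--    procedure insert on the caller's behalf.
CREATE PROCEDURE dbo.AddOrderItems
    @OrderID INT, @ProductID INT, @Quantity INT, @AccountID INT
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;

    DECLARE @Max INT = 100;   -- hypothetical limit for ordinary accounts
    IF EXISTS (SELECT 1 FROM dbo.Account WHERE AccountID = @AccountID AND AllowBulkOrder = 1)
        SET @Max = 10000;     -- hypothetical limit for flagged ("bulk") accounts

    -- Reject nonsense and oversized requests before touching the table at all.
    IF @Quantity IS NULL OR @Quantity < 1 OR @Quantity > @Max
    BEGIN
        RAISERROR('Quantity must be between 1 and %d for this account.', 16, 1, @Max);
        RETURN 1;
    END;

    BEGIN TRANSACTION;
    -- HOLDLOCK takes a key-range lock on this OrderID, so two concurrent calls cannot
    -- both pass the check below and together overshoot the limit.
    DECLARE @Existing INT;
    SELECT @Existing = COUNT(*)
    FROM dbo.OrderItem WITH (UPDLOCK, HOLDLOCK)
    WHERE OrderID = @OrderID;

    IF @Existing + @Quantity > @Max
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR('Order %d would exceed %d items.', 16, 1, @OrderID, @Max);
        RETURN 1;
    END;

    -- Insert exactly @Quantity rows in one set-based statement (no loop).
    WITH n(i) AS (
        SELECT 1
        UNION ALL
        SELECT i + 1 FROM n WHERE i < @Quantity
    )
    INSERT dbo.OrderItem (OrderID, ProductID)
    SELECT @OrderID, @ProductID FROM n
    OPTION (MAXRECURSION 0); -- lifts the default cap of 100; @Quantity is already bounded by @Max

    COMMIT TRANSACTION;
    RETURN 0;
END;
GO

-- Hypothetical database user for the website: may run the procedure, may not write the table.
CREATE USER WebApp WITHOUT LOGIN;
GRANT EXECUTE ON dbo.AddOrderItems TO WebApp;
DENY INSERT, UPDATE, DELETE ON dbo.OrderItem TO WebApp;
GO

-- 2) Backstop trigger, the band-aid from the last reply. It fires once per INSERT
--    statement, so a single 10,000,000-row insert is rejected as a whole.
CREATE TRIGGER dbo.TR_OrderItem_MaxItems
ON dbo.OrderItem
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @HardMax INT = 10000; -- hypothetical absolute ceiling per order
    IF EXISTS (
        SELECT oi.OrderID
        FROM dbo.OrderItem AS oi
        WHERE oi.OrderID IN (SELECT OrderID FROM inserted)
        GROUP BY oi.OrderID
        HAVING COUNT(*) > @HardMax
    )
    BEGIN
        ROLLBACK TRANSACTION; -- undoes the whole statement and aborts the batch
        RAISERROR('Insert rejected: an order would exceed %d items.', 16, 1, @HardMax);
    END;
END;
GO

-- Usage with constructed data:
INSERT dbo.Account (AccountID, AllowBulkOrder) VALUES (1, 0), (2, 1);
EXEC dbo.AddOrderItems @OrderID = 500, @ProductID = 7, @Quantity = 5,        @AccountID = 1; -- succeeds
EXEC dbo.AddOrderItems @OrderID = 500, @ProductID = 7, @Quantity = 10000000, @AccountID = 1; -- rejected
```

The procedure is the real fix: it turns the request away before a single row is written. The AFTER trigger is only a safety net, because by the time it runs the rows have already been written to the transaction log and the ROLLBACK has to undo that work, and it only caps rows per order, so a caller who starts a new order for every request is not stopped by it.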