
asp.net, c#, User provided Connection string and Query

We're trying to create an asp.net page that gives our users the ability to pull information directly from their own database to our website. The user will have the ability to provide:

  • hostname, port, database name, username, password, and query.

I have some serious security concerns regarding this and was wondering how this page could be secured so that we're preventing users from pointing to the localhost database or other type hacks that could enable them to have access to our database. Can anyone please advise?

We're using SqlConnectionStringBuilder to build the connection to the user's database and doing some simple checks to ensure that the host cannot be "localhost" or other addresses that point to our server. I feel like doing this leaves potential security holes open.

Also, the query that they provide is checked against some keywords that shouldn't be allowed. Again, I think this leaves a lot open if not properly implemented. (We essentially want them to only be able to do a SELECT from their own DB).

Finally, we do an EXEC sp_executesql with the query of the user.

I'd love to hear how others have dealt with this? Klipfolio is an organization that has a similar type functionality so if anyone knows how they've addressed this issue, that would be really awesome!!

Thanks!

Without knowing all the particulars of your situation I don't think your approach is necessarily the best. "Normally" your database server is not exposed to the world, it is behind a firewall and direct connections from the outside world are not allowed. The people that will be using your webpage are likely to also have their database behind a firewall and thus even if they were not trying to do anything malicious your webserver will not be able to make a direct connection to their database server because it is likely behind its own firewall. They would have to either expose it to the world or know the IP address of your server to poke a hole in their firewall to allow your server to connect.

Whenever I've allowed clients to upload data to my server it has been via a text or csv file or an Excel file. This allows you to get around any firewall issues on the client side. Now you need to worry about SQL Injection attacks within the data. So there are two things to do: first make sure you use parameters when performing an INSERT or UPDATE, and the second is to make sure the process that is performing the upload has the lowest possible privileges to your database.

If you must make a direct connection to the clients' database then I would do the following things to enhance security.

First, resolve the hostname to IP addresses.

    // Requires: using System.Net;
    IPAddress[] addresslist = Dns.GetHostAddresses(hostname);

Then check the results in the addresslist that they do not resolve to any private addresses as these would not work to connect to a client in any case.

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

Also make sure that the address does not resolve to your own public address(es).

The second thing is at least just for this one function do not use a Trusted Connection. Instead use a username/password and assign that user's security rights on the database to be the minimum possible to accomplish the task of uploading data. And still use parameterized calls when importing the data.
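The host check and the non-trusted connection described in the answer above, as an added example that is not part of the original posts. It goes beyond the three listed ranges by also rejecting loopback, link-local and IPv6 local addresses; the class name `TenantDbTarget` is hypothetical and `203.0.113.10` is a placeholder for your own public address.

```csharp
using System;
using System.Data.SqlClient;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class TenantDbTarget   // hypothetical helper, not from the page
{
    // Assumption: placeholder value; list the public address(es) of your own servers here.
    static readonly IPAddress[] OwnPublicAddresses = { IPAddress.Parse("203.0.113.10") };

    static bool IsForbidden(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();        // ::ffff:10.0.0.1 -> 10.0.0.1
        if (IPAddress.IsLoopback(ip) || OwnPublicAddresses.Contains(ip)) return true;
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.Equals(IPAddress.IPv6Any)
                || (ip.GetAddressBytes()[0] & 0xFE) == 0xFC;   // fc00::/7 unique local
        byte[] b = ip.GetAddressBytes();
        return b[0] == 0 || b[0] == 10                         // 0.0.0.0/8, 10.0.0.0/8
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)       // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                    // 192.168.0.0/16
            || (b[0] == 169 && b[1] == 254);                   // 169.254.0.0/16 link-local
    }

    // Resolves once, rejects the host if ANY resolved address is forbidden, then connects
    // to the vetted IPv4 literal so a later DNS lookup cannot return a different address.
    public static string BuildConnectionString(string host, int port, string db,
                                               string user, string password)
    {
        IPAddress[] addresses = Dns.GetHostAddresses(host);
        if (addresses.Length == 0 || addresses.Any(IsForbidden))
            throw new ArgumentException("Host resolves to a disallowed address.", nameof(host));
        IPAddress target = addresses.FirstOrDefault(a => a.AddressFamily == AddressFamily.InterNetwork);
        if (target == null)
            throw new ArgumentException("Host has no IPv4 address.", nameof(host));

        var csb = new SqlConnectionStringBuilder
        {
            DataSource = "tcp:" + target + "," + port,
            InitialCatalog = db,
            UserID = user,
            Password = password,
            IntegratedSecurity = false,   // SQL login only, never a Trusted Connection
            ConnectTimeout = 5
        };
        return csb.ConnectionString;
    }
}
```

Run the check on every connection attempt rather than only when the settings are saved, since the hostname can resolve to a different address later.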
