Tim

Footprints in the snow of a warped mind

A seriously elegant SQL Injection -how it was sorted

Blog Home About Me Photo Album The Site Doctor Blog Feed by Email Portfolio

Where to find me

Flickr Icon  Twitter Icon  Linked In Icon  FaceBook Icon  Windows Live Alerts Butterfly  RSS 2.0 

FreeAgent Small Business Online Accounting
Business Protection by Crisis Cover

Tag Cloud

AJAX (4) Analysis (3) ASP (6) ASP.Net (59) Error Reporting (4) Web Service (2) WSDL (1) Atlas (2) Azure (1) Born In The Barn (1) Business (89) Business Start-up Advice (32) Client (17) Expanding Your Business (23) Recruitment (1) C# (22) Canoeing (4) Canoe Racing (5) Cheshire Ring Race (5) Racing (2) Training (4) CIMA (1) Cisco (1) 7970G (1) CMS (1) Code Management (1) Cohorts (4) Commerce4Umbraco (1) Content (1) Content Management (1) Content Management System (1) CSS (4) dasBlog (5) DDD (2) DDDSW (1) Design (11) Icons (1) Development (26) Domain Names (1) eCommerce (12) Employment (2) General (39) Christmas (6) Fun and Games (11) Internet (22) Random (46) RX-8 (8) Git (1) Google (1) Google AdWords (1) Google Analytics (1) Hacking (1) Helpful Script (3) Home Cinema (2) Hosting (2) HTML (3) IIS (11) iPhone (1) JavaScript (5) jQuery (2) Marketing (6) Email (1) Multipack (1) MVC (1) Networking (3) Nintendo (1) Nuget (1) OS Commerce (1) Payment (1) Photography (1) PHP (1) Plugin (1) PowerShell (3) Presentation (1) Press Release (1) Productivity (3) Random Thought (1) Script (2) Security (2) SEO (6) Server Maintenance (7) Server Management (12) Social Media (2) Social Networking (3) Experiment (1) Software (11) Office (5) Visual Studio (14) Windows (5) Vista (1) Source Control (1) SQL (9) SQL Server (19) Statistics (2) Stored Procedure (1) Sublime Text 2 (1) SVN (1) TeaCommerce (1) Testing (2) The Cloud (1) The Site Doctor (136) Turnover Challenge (1) Twitter (3) uCommerce (13) Umbraco (31) 2009 (1) 2011 (1) Useful Script (2) Virtual Machine (1) Web Development (71) WebDD (33) Wii (1) Windows Azure (1) XSLT (1)

Blog Archive

Search

<May 2013>
SunMonTueWedThuFriSat
2829301234
567891011
12131415161718
19202122232425
2627282930311
2345678

Recent Comments

Total Comments: 20
View all 20 comments

Blog Archive

Various Links

Google+

Blogs I Read

[Feed] Google Blog
Official Google Webmaster Central Blog
[Feed] Matt Cutts
Gadgets, Google, and SEO
[Feed] Ol' Deano's Blog
My mate Dean's blog on my space, equally as random as mine but not off on as much of a tangent!
[Feed] Sam's Blog
Sam is one of my younger brothers studying Product Design and Manufacture at Loughborough, this is his blog :) Enjoy!

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

newtelligence dasBlog 2.2.8279.16125

Send mail to the author(s) Email Me (Tim Gaunt)

© 2013 Tim Gaunt.

Sign In

# Thursday, May 29, 2008

A seriously elegant SQL Injection -how it was sorted

Thursday, May 29, 2008 3:32:33 PM (GMT Daylight Time, UTC+01:00)

Doug Setzer posted this comment in response to my recent "A seriously elegant SQL Injection" post and I thought it may be of interest to others so have promoted it to a post...

Well, I'll step up and say that I am the "mate" who had this done.  Tim's right - *always* sanitize your inputs.  In my defence, this was a site that I inherited from a previous contractor.  I'm not entirely absent of blame, I still should have done a security sweep through the code.

I'd like to document the steps that I went through once this was identified to try and avoid this kind of thing in the future.

  1. Edit every web page that executes a query to sanitize any parameters that are passed in.  Since the site was classic ASP, I used my "SQLStringFieldValue" function:
    www.27seconds.com/kb/article_view.aspx?id=50
  2. Modify the DB user account that is used to have *read only* access to the database
  3. Modify the pages that DO write to the database to have *read/write* access to the specific tables that are being changed.  This limits the number of places that SQL Injection can occur to a smaller set than was previously possible.  I still sanitize all of my input, but I'm extra spastic in these database calls.
  4. Add database auditing (triggers writing to mirror tables with audit event indicator & date/time) to see when data changes occur.  This is still problematic with the pages that have "write" permissions to the tables, but again- that footprint is much smaller.
    My future plans are to move to a view/stored procedure based architecture.  I can then limit write permissions to just the stored procedures and read permissions to just the views.  My grand gusto plans are to move to using command objects & parameters, but I'd sooner re-write the entire site.

Although Doug's attack wasn't the same nihaorr1.com attack that's going around atm it was similar so I would imagine other's will find this useful.

It still amazes me how many developers still fail to sanitise strings, only last week I came across another site (in PHP) that was allowing simple SQL injections to be used to log into their administration system. It was down to a problem with the sanitization string, but why not at least check your site before it goes live? It takes 2 minutes and even less to fix...

For those of you who need a few pointers, there's a good discussion or two about sanitising strings on the 4 Guys From Rolla site.

 

Don't forget to follow me on Twitter.

A seriously elegant SQL Injection -how it was sorted
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [2]  Trackback LinkTrackback
CategoriesTags: ASP | ASP.Net | C# | Development | IIS | Security | SQL Server | Web Development
Wednesday, June 04, 2008 3:27:25 PM (GMT Daylight Time, UTC+01:00)
Another prologue to this... I've checked my IIS logs for "EXEC(@" and found that the same supceptible site was attacked a day later and didn't sustain any damage. As well, 5 other sites of mine were attacked, none of which sustained any damage from it.

Seriously, sanitize your strings. It makes a difference!
Doug S
Thursday, June 05, 2008 7:11:07 PM (GMT Daylight Time, UTC+01:00)
I've just run a check with Text Workbench across around 12k recent log files and found 111 attempts at inserting the code across all the logs.

Interesting stuff. Nothing luckily has done anything...
Tim
Name
E-mail
(will show your gravatar icon)
Home page

Comment (HTML not allowed)  

Live Comment Preview
Template based on a design by Arcsin. Valid CSS & XHTML. Crisis Cover - Business continuity support.