SQL Injection

Discussion in 'ASP .Net Security' started by Niraj Ranka, Aug 28, 2008.

  1. Niraj Ranka

    Niraj Ranka Guest

    My server was badly infected by SQL injection. It was almost eating up
    my whole database every hour.
    I would recommend a few of the options below to make oneself safer.

    NOTE: First use the kill char functions to validate proper input.

    a) change custom errors to off
    b) Update Microsoft updates automatically
    c) Restrict network access of the SQL server
    Use the Local Security Policy tool to remove the right of the
    Everyone group to access the computer from the network. This tool is
    located in the Administrative Tools group on the computer.
    Disable null sessions to prevent anonymous, or unauthenticated,
    sessions. To accomplish this, set the RestrictAnonymous key to 1. This
    key is in the Windows registry located at HKEY_LOCAL_MACHINE\System
    \CurrentControlSet\Control\LSA.

    d) <pages validateRequest="true" ... /> in machine.config
    e) Use a RegularExpressionValidator
    f) Validate all input as per the type of input, e.g. validate the query string:

    using System;
    using System.Text.RegularExpressions;

    void Page_Load(object sender, EventArgs e)
    {
        // A missing parameter is null, which would make Regex.IsMatch throw;
        // treat it as an empty (invalid) value instead.
        string name = Request.QueryString["Name"] ?? "";
        if (!Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
            Response.Write("Invalid name parameter");
        else
            Response.Write("Name is " + name);
    }

    g) Validate cookie values

    h) MapPath to prevent cross-application mapping
    try
    {
        // allowCrossAppMapping = false: a path outside this application throws
        string mappedPath = Request.MapPath(inputPath.Text,
                                            Request.ApplicationPath,
                                            false);
    }
    catch (HttpException)
    {
        // Cross-application mapping attempted
    }

    i) Code Access Security to restrict file I/O
    <trust level="Medium" />
    set via the <trust> element in Web.config or Machine.config.


    j) HtmlEncode to encode unsafe output
    k) Use the Parameters collection when you call a stored procedure

    Parameters collection when building your SQL statements:
    using System.Data;
    using System.Data.SqlClient;

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
        myConnection);
    // The value is sent as a typed parameter, never as part of the SQL text
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add(
        "@au_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;


    l) Verify that ASP.NET errors are not returned to the client
    m) <customErrors mode="remoteOnly" />

    Also refer to a few of the links below for more help.

    http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
    http://msdn.microsoft.com/en-us/library/ms998271.aspx
    http://blogs.technet.com/neilcar/ar...-of-a-sql-injection-incident-part-2-meat.aspx
    http://isc.sans.org/diary.html?storyid=4294
    http://www.secureworks.com/research/threats/danmecasprox/
    http://blogs.zdnet.com/security/?p=1336
    http://channel9.msdn.com/wiki/securitywiki/sqlinjectionlab/
    http://www.rotteneggsx.com//r3/show/se/161571.html
     
    Niraj Ranka, Aug 28, 2008
    #1
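As an added example (not the original poster's code): the string-concatenated query beside the parameterised one from the Parameters collection item, with the shape check from the validate-all-input item, HtmlEncode on the output, and an error handler that logs the SqlException instead of returning its text to the client, which is the error-message point argued later in this thread. Assumes the pubs-style Authors table from the snippet above, an open SqlConnection, and a hypothetical LogError helper.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not the original poster's code. Assumes the pubs-style
// Authors table (au_id, au_lname, au_fname) from the post's snippet.
public static class AuthorLookup
{
    // au_id in that table is an 11-character id of the form 172-32-1176.
    static readonly Regex AuIdPattern = new Regex(@"^\d{3}-\d{2}-\d{4}$");
    // BEFORE (vulnerable): the value is spliced into the SQL text, so a
    // value containing a quote can end the literal and append its own SQL.
    public static string BuildUnsafeQuery(string auId)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + auId + "'";
    }
    // AFTER (validation + Parameters collection): check the shape, then pass
    // the value as a typed parameter so SQL Server never sees it as SQL.
    public static DataTable FindAuthor(SqlConnection conn, string auId)
    {
        if (auId == null || !AuIdPattern.IsMatch(auId))
            throw new ArgumentException("Invalid au_id parameter");
        var table = new DataTable();
        using (var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn))
        {
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = auId;
            new SqlDataAdapter(cmd).Fill(table);
        }
        return table;
    }
    // HtmlEncode + no error text to the client: SqlException messages name
    // tables and columns, so they go to the server log only.
    public static string RenderAuthor(SqlConnection conn, string auId)
    {
        try
        {
            DataTable rows = FindAuthor(conn, auId);
            if (rows.Rows.Count == 0) return "No such author";
            DataRow r = rows.Rows[0];
            return HttpUtility.HtmlEncode(r["au_fname"] + " " + r["au_lname"]);
        }
        catch (ArgumentException) { return "Invalid au_id parameter"; }
        catch (SqlException ex) { LogError(ex); return "A database error occurred"; }
    }
    static void LogError(Exception ex) { /* hypothetical: write to the server log */ }
}
```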

  2. On Aug 28, 11:50 am, Niraj Ranka <> wrote:

    > b) Update microsoft updates automatically


    How may this help to avoid SQL injection?

    Microsoft has recently released SQL injection defense and detection
    tools. The tools include URLScan 3.0, and Microsoft Source Code
    Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
    a SQL injection detection tool which you may find interesting too.

    http://www.microsoft.com/technet/security/advisory/954462.mspx
     
    Alexey Smirnov, Aug 31, 2008
    #2

  3. Niraj Ranka

    Niraj Ranka Guest

    On Aug 31, 3:30 pm, Alexey Smirnov <> wrote:
    > On Aug 28, 11:50 am, Niraj Ranka <> wrote:
    >
    > > b) Update microsoft updates automatically
    >
    > How may this help to avoid SQL injection?
    >
    > Microsoft has recently released SQL injection defense and detection
    > tools. The tools include URLScan 3.0, and Microsoft Source Code
    > Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
    > a SQL injection detection tool which you may find interesting too.
    >
    > http://www.microsoft.com/technet/security/advisory/954462.mspx

    This will definitely fix any security loopholes by Microsoft, as we
    receive various patches.
     
    Niraj Ranka, Sep 1, 2008
    #3
  4. On Sep 1, 12:48 pm, Niraj Ranka <> wrote:
    > On Aug 31, 3:30 pm, Alexey Smirnov <> wrote:
    >
    > > On Aug 28, 11:50 am, Niraj Ranka <> wrote:
    > >
    > > > b) Update microsoft updates automatically
    > >
    > > How may this help to avoid SQL injection?
    > >
    > > Microsoft has recently released SQL injection defense and detection
    > > tools. The tools include URLScan 3.0, and Microsoft Source Code
    > > Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
    > > a SQL injection detection tool which you may find interesting too.
    > >
    > > http://www.microsoft.com/technet/security/advisory/954462.mspx
    >
    > This will definitely fix any security loopholes by Microsoft, as we
    > receive various patches.

    I think it's a mistake to tell people that an application error will be
    fixed by a platform patch. SQL injection is an issue that occurs
    because of poorly written code and not because of loopholes in .NET.
    Programmers should understand the underlying problem of this issue.
     
    Alexey Smirnov, Sep 1, 2008
    #4
  5. Niraj Ranka

    Niraj Ranka Guest

    That an application error cannot be fixed by a program patch is correct.
    But here I wrote to have custom errors as readonly; this will help in
    giving an ad hoc error message screen to the end SQL injector. If you
    have error = on, it will give the exact error message, exposing your
    field names.

    On Sep 1, 4:43 pm, Alexey Smirnov <> wrote:
    > On Sep 1, 12:48 pm, Niraj Ranka <> wrote:
    > > On Aug 31, 3:30 pm, Alexey Smirnov <> wrote:
    > > >
    > > > On Aug 28, 11:50 am, Niraj Ranka <> wrote:
    > > > >
    > > > > b) Update microsoft updates automatically
    > > >
    > > > How may this help to avoid SQL injection?
    > > >
    > > > Microsoft has recently released SQL injection defense and detection
    > > > tools. The tools include URLScan 3.0, and Microsoft Source Code
    > > > Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
    > > > a SQL injection detection tool which you may find interesting too.
    > > >
    > > > http://www.microsoft.com/technet/security/advisory/954462.mspx
    > >
    > > This will definitely fix any security loopholes by Microsoft, as we
    > > receive various patches.
    >
    > I think it's a mistake to tell people that an application error will be
    > fixed by a platform patch. SQL injection is an issue that occurs
    > because of poorly written code and not because of loopholes in .NET.
    > Programmers should understand the underlying problem of this issue.
     
    Niraj Ranka, Sep 12, 2008
    #5
