SQL Injection

N

Niraj Ranka

My server was badly infected by SQL Injection. It was almost eating up
my whole database every hour.
I would recommend few of the below options to be done... to make
oneself more safe.

NOTE: First use the kill char functions to validate proper input.

a) change custome erros to off
b) Update microsoft updates automatically
c) Restrict network access of sql server
Use the Local Security Policy tool to remove the right of the
Everyone group to access the computer from the network. This tool is
located in the Administrative Tools group on the computer.
Disable null sessions to prevent anonymous, or unauthenticated,
sessions. To accomplish this, set the RestrictAnonymous key to 1. This
key is in the Windows registry located at HKEY_LOCAL_MACHINE\System
\CurrentControlSet\Control\LSA.

d) <pages validateRequest="true" ... /> in machine.config
e) Using a RegularExpressionValidator
f) Validate all input as per type of input
validate querystring
void Page_Load(object sender, EventArgs e)
{
if (!System.Text.RegularExpressions.Regex.IsMatch(
Request.QueryString["Name"], @"^[a-zA-Z'.\s]{1,40}$"))
Response.Write("Invalid name parameter");
else
Response.Write("Name is " + Request.QueryString["Name"]);
}

f) Validate Cookie Values

i) MapPath to Prevent Cross Application Mapping
try
{
string mappedPath = Request.MapPath( inputPath.Text,
Request.ApplicationPath,
false);
}
catch (HttpException)
{
// Cross-application mapping attempted
}

j) Code Access Security to Restrict File I/O
<trust level="Medium" />
setting the <trust> element in Web.config or Machine.config.


k) HtmlEncode to Encode Unsafe Output
l) Parameters Collection When You Call a Stored Procedure

Parameters Collection When Building Your SQL Statements
SqlDataAdapter myCommand = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
myConnection);
SQLParameter parm = myCommand.SelectCommand.Parameters.Add(
"@au_id" ,SqlDbType.VarChar, 11);
Parm.Value = Login.Text;


l) Verify that ASP.NET Errors Are Not Returned to the Client
m) <customErrors mode="remoteOnly" />

Also refer few of below links for more help.

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
http://msdn.microsoft.com/en-us/library/ms998271.aspx
http://blogs.technet.com/neilcar/ar...-of-a-sql-injection-incident-part-2-meat.aspx
http://blogs.technet.com/neilcar/ar...-of-a-sql-injection-incident-part-2-meat.aspx
http://isc.sans.org/diary.html?storyid=4294
http://www.secureworks.com/research/threats/danmecasprox/
http://blogs.zdnet.com/security/?p=1336
http://channel9.msdn.com/wiki/securitywiki/sqlinjectionlab/
http://www.rotteneggsx.com//r3/show/se/161571.html
 
N

Niraj Ranka

How this may help to avoid SQL injection?

Microsoft has recently released SQL injection defense and detection
tools. The tools include URLScan 3.0, and Microsoft Source Code
Analyzer for SQL Injection. Additionally, they refered to HP Scrawlr,
a SQL injection detection tool which you may find interesting too.

http://www.microsoft.com/technet/security/advisory/954462.mspx

This will definitely fix up if any security loopholes by microsoft as
we receive various patches.
 
G

Guest

This will definitely fix up if any security loopholes by microsoft as
we receive various patches.

I think it's a mistake to tell people that application error will be
fixed by the platform patch. SQL injection is an issue that occurs
because of poorly written code and not because of loopholes in .NET.
Programmers should understand the underlying problem of this issue.
 
N

Niraj Ranka

Application error cannot be fixed by program patch is correct. But
here i wrote to have custom error as readonly this will help in
getting adhoc error message screen to the end sql injector. If you
have error = on it will give exact error message exposing your field
names.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Members online

Forum statistics

Threads
473,734
Messages
2,569,441
Members
44,832
Latest member
GlennSmall

Latest Threads

Top