Weak SQL coding techniques result in Huge SQL Injection attacks

Weak SQL coding techniques result in Huge SQL Injection... - 4/28/2008 1:35:32 PM   
hwaldron


Posts: 3539
Score: 258
Joined: 9/12/2002
From: Roanoke VA, USA
Status: offline
A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents.

A major wave of automated SQL Injection attacks is occurring. These have been designed and coded for the IIS and SQL-Server environments. There are no new vulnerabilities in these products, as the attacks are occurring on sites where the best security practices have not been designed into applications (e.g., safety techniques that prevent the injection of malware using a vulnerable SQL statement into the website).
 
Due to an increasing number of SQL Injection attacks in-the-wild, web developers need to ensure they are using the best developmental practices.  Users should continue to be cautious in the sites they visit and stay up-to-date on security patches and AV protection.

Huge SQL Injection attacks infect 500,000 pages
http://www.f-secure.com/weblog/archives/00001427.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580
http://hackademix.net/2008/04/26/mass-attack-faq/

QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages.  We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

IIS Blog - SQL Injection Attacks on IIS Web Servers
http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

MSRC Blog - Questions about Web Server Attacks
http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database.  To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

BEST PRACTICES - How to protect against SQL Injections
http://msdn2.microsoft.com/en-us/library/ms998271.aspx

-- Learn how SQL injection attacks work.
-- Constrain input to prevent SQL injection.
-- Use type safe SQL command parameters to prevent SQL injection.
-- Use a least privileged account to connect to the database.
-- Learn additional countermeasures to further reduce risk.


What are SQL Injection attacks?
http://en.wikipedia.org/wiki/SQL_injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
http://msdn2.microsoft.com/en-us/library/bb671351.aspx

QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

< Message edited by hwaldron -- 4/28/2008 1:38:42 PM >


_____________________________


Harry Waldron - Security News & Best Practices Blog
Post #: 1
RE: Weak SQL coding techniques result in Huge SQL Injec... - 5/4/2008 1:36:04 PM   
hwaldron


Posts: 3539
Score: 258
Joined: 9/12/2002
From: Roanoke VA, USA
Status: offline
Stephen Wynkoop, founder of SSWUG (SQL-Server World-wide Users Group) shares an interesting update in today's SSWUG Newsletter, related to the recent SQL Injection attacks. Over 500,000 web pages were infected with malware related scripts.

The attacks were due to web developers taking short-cuts (e.g., not fully editing input sent to the SQL-Server environment). While the website might work with normal input from the user, it's also important to have safeguards in for malicious injection attempts as well.

QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame

There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited.

When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple.

It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select * from " + user_input is asking for trouble.

It's simple. If your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches.

Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated)

McAfee's "Hacker Safe" - Site Verification Tool
http://www.hackersafe.com/site/en/security/intro/

SQL-Server World-wide Users Group (SSWUG) - Home Page
http://www.sswug.org


< Message edited by hwaldron -- 5/4/2008 1:37:00 PM >


_____________________________


Harry Waldron - Security News & Best Practices Blog

(in reply to hwaldron)
Post #: 2
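The MSDN practices listed in the first post ("constrain input", "use type safe SQL command parameters") and the `"Select * from " + user_input` pattern called out in the SSWUG quote above are easiest to see side by side in running code. The following is an added example, not code from either post or from Microsoft; it uses Python's built-in sqlite3 module as a stand-in for SQL Server, with a constructed three-row `products` table. The function and table names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data standing in for a real catalogue table.
# Row 3 is unpublished and must never be returned to a site visitor.
SAMPLE_ROWS = [
    (1, "widget", 1),
    (2, "gadget", 1),
    (3, "internal-test-item", 0),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_dynamic_sql(conn, user_input):
    """The 'dynamic SQL' pattern the newsletter warns about: user input is
    spliced into the statement text. Deliberately left vulnerable so the
    contrast with the parameterised version is visible."""
    sql = ("SELECT id, name FROM products WHERE published = 1 AND name = '"
           + user_input + "'")
    return conn.execute(sql).fetchall()


def search_parameterised(conn, user_input):
    """Type-safe parameter (MSDN practice 3): the driver sends the value
    separately from the statement, so the input cannot alter its structure."""
    sql = "SELECT id, name FROM products WHERE published = 1 AND name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def constrain_product_id(raw):
    """Constrain input (MSDN practice 2): accept only a short positive
    integer and reject everything else before it reaches the database."""
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("product id must be a short positive integer")
    return int(raw)


def get_by_id(conn, raw_id):
    """Validated, typed lookup: constrained input plus a bound parameter."""
    pid = constrain_product_id(raw_id)
    sql = "SELECT id, name FROM products WHERE id = ? AND published = 1"
    return conn.execute(sql, (pid,)).fetchall()


def demo():
    """Run the same two inputs through both search functions and return
    the result sets, so the effect of each coding style can be compared."""
    conn = make_db()
    normal = "widget"
    # Constructed hostile input: closes the string literal and appends a
    # tautology. With AND binding tighter than OR, the dynamic statement
    # becomes (published = 1 AND name = 'x') OR '1'='1', matching every row.
    hostile = "x' OR '1'='1"
    return {
        "dynamic_normal": search_dynamic_sql(conn, normal),
        "dynamic_hostile": search_dynamic_sql(conn, hostile),
        "param_normal": search_parameterised(conn, normal),
        "param_hostile": search_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The dynamic version returns all three rows, unpublished one included, for the hostile input, while the parameterised version returns nothing because no product is literally named `x' OR '1'='1`. The `constrain_product_id` check is the other half of the MSDN advice: where a value has a known shape, validate it before it is bound at all. Neither function addresses practice 4 (connect with a least-privileged account), which is a database-side configuration rather than application code, but it limits what an injection can do if one of the other layers is missed.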