Weak SQL coding techniques result in Huge SQL Injection attacks

Weak SQL coding techniques result in Huge SQL Injection attacks (Full Version)

All Forums >> [Security, AntiVirus, and Patching] >> Breaking Virus & Security News

Message

hwaldron -> Weak SQL coding techniques result in Huge SQL Injection attacks (4/28/2008 1:35:32 PM)
A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents. [:o][:o][:o] A major wave of automated SQL Injection attacks are occurring. These have been designed and coded for the IIS and SQL-Server environments. There are no new vulnerabilities in these projects, as the attacks are occurring on sites where the best security practices have not been designed into applications (e.g., safety techniques that prevent the injection of malware using a vulnerable SQL statement into the website) Due to an increasing number of SQL Injection attacks in-the-wild, web developers need to ensure they are using the best developmental practices. Users should continue to be cautious in the sites they visit and stay up-to-date on security patches and AV protection. Huge SQL Injection attacks infect 500,000 pages http://www.f-secure.com/weblog/archives/00001427.html http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580 http://hackademix.net/2008/04/26/mass-attack-faq/ QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages. We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code. IIS Blog - SQL Injection Attacks on IIS Web Servers http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. MSRC Blog - Questions about Web Server Attacks http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. BEST PRACTICES - How to protect against SQL Injections http://msdn2.microsoft.com/en-us/library/ms998271.aspx -- Learn how SQL injection attacks work. -- Constrain input to prevent SQL injection. -- Use type safe SQL command parameters to prevent SQL injection. -- Use a least privileged account to connect to the database. -- Learn additional countermeasures to further reduce risk. What are SQL Injection attacks? http://en.wikipedia.org/wiki/SQL_injection http://msdn2.microsoft.com/en-us/library/ms161953.aspx http://msdn2.microsoft.com/en-us/library/bb671351.aspx QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

hwaldron -> RE: Weak SQL coding techniques result in Huge SQL Injection attacks (5/4/2008 1:36:04 PM)
[image]http://myitforum.com/cs2/emoticons/emotion-55.gif[/image] Stephen Wynkoop, founder of SSWUG (SQL-Server World-wide Users Group) shares an interesting update in today's SSWUG Newsletter, related to the recent SQL Injection attacks. Over 500,000 web pages were infected with malware related scripts. The attacks were due to web developers taking short-cuts (e.g., not fully editing input sent to the SQL-Server environment). While the website might work with normal input from the user, it's also important to have safeguards in for malicious injection attempts as well. QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited. When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple. *It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select from " + user_input is asking for trouble. It's simple. if your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches. Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated) McAfee's "Hacker Safe" - Site Verification Tool http://www.hackersafe.com/site/en/security/intro/ SQL-Server World-wide Users Group (SSWUG) - Home Page** http://www.sswug.org

Page: [1]

Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.171875