Velocity Reviews - Computer Hardware Reviews
SQL Injection

Niraj Ranka

08-28-2008
My server was badly infected by SQL injection. It was almost eating up
my whole database every hour.
I would recommend a few of the options below to make oneself safer.

NOTE: First use the kill char functions to validate proper input.

a) change custom errors to off
b) Update microsoft updates automatically
c) Restrict network access of sql server
Use the Local Security Policy tool to remove the right of the
Everyone group to access the computer from the network. This tool is
located in the Administrative Tools group on the computer.
Disable null sessions to prevent anonymous, or unauthenticated,
sessions. To accomplish this, set the RestrictAnonymous key to 1. This
key is in the Windows registry located at HKEY_LOCAL_MACHINE\System
\CurrentControlSet\Control\LSA.

d) <pages validateRequest="true" ... /> in machine.config
e) Using a RegularExpressionValidator
f) Validate all input as per type of input
validate query string:
    void Page_Load(object sender, EventArgs e)
    {
        // QueryString["Name"] is null when the parameter is absent and
        // Regex.IsMatch(null, ...) throws, so normalise it first.
        string name = Request.QueryString["Name"] ?? string.Empty;
        if (!System.Text.RegularExpressions.Regex.IsMatch(
                name, @"^[a-zA-Z'.\s]{1,40}$"))
            Response.Write("Invalid name parameter");
        else
            // encode on output as well (see k); the pattern allows the apostrophe
            Response.Write("Name is " + Server.HtmlEncode(name));
    }

f) Validate Cookie Values

i) MapPath to Prevent Cross Application Mapping
    try
    {
        // allowCrossAppMapping = false: paths outside this application throw
        string mappedPath = Request.MapPath(inputPath.Text,
                                            Request.ApplicationPath,
                                            false);
    }
    catch (HttpException)
    {
        // Cross-application mapping attempted
    }

j) Code Access Security to Restrict File I/O
    <trust level="Medium" />
by setting the <trust> element in Web.config or Machine.config.


k) HtmlEncode to Encode Unsafe Output
l) Parameters Collection When You Call a Stored Procedure

Parameters Collection When Building Your SQL Statements
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
        myConnection);
    // Typed parameter: the value is never parsed as part of the SQL text
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add(
        "@au_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;


l) Verify that ASP.NET Errors Are Not Returned to the Client
m) <customErrors mode="remoteOnly" />

Also refer to a few of the links below for more help.

http://blogs.technet.com/swi/archive...on-attack.aspx
http://msdn.microsoft.com/en-us/library/ms998271.aspx
http://blogs.technet.com/neilcar/arc...rt-2-meat.aspx
http://isc.sans.org/diary.html?storyid=4294
http://www.secureworks.com/research/.../danmecasprox/
http://blogs.zdnet.com/security/?p=1336
http://channel9.msdn.com/wiki/securi...linjectionlab/
http://www.rotteneggsx.com//r3/show/se/161571.html
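The items f), k), l) and m) above fit together in one page handler. The following is an added example, not code from the original post: it shows the string-built query beside the parameterised one, validates the Name parameter with the post's own regular expression (null-safe), HTML-encodes what it writes back, and turns a SqlException into a fixed message so table and column names stay in the server log. The connection string name "Pubs", the AuthorLookup page class and the Authors table layout (au_id, au_lname, au_fname, as in the post) are assumptions.

```csharp
// Added example for the thread above; not the original poster's code.
// Assumed: a connection string named "Pubs" in Web.config (hypothetical) and
// an Authors table with au_lname / au_fname columns as used in the post.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class AuthorLookup : Page
{
    // Same pattern the post uses for the Name parameter: letters, apostrophe,
    // dot and whitespace, 1 to 40 characters. Compiled once per app domain.
    private static readonly Regex NameRegex =
        new Regex(@"^[a-zA-Z'.\s]{1,40}$", RegexOptions.Compiled);

    // VULNERABLE form, shown only for contrast: the value is concatenated into
    // the SQL text, so a quote character in the input changes the statement.
    private static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_lname = '"
               + lastName + "'";
    }

    // SAFE form: the value travels as a typed parameter and is never parsed
    // as part of the statement, so no escaping is needed in application code.
    private static SqlCommand BuildSafeCommand(SqlConnection conn, string lastName)
    {
        var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_lname = @au_lname", conn);
        cmd.Parameters.Add("@au_lname", SqlDbType.VarChar, 40).Value = lastName;
        return cmd;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.QueryString[...] is null when the key is absent and
        // Regex.IsMatch(null, ...) throws, so normalise first.
        string name = Request.QueryString["Name"] ?? string.Empty;
        if (!NameRegex.IsMatch(name))
        {
            Response.StatusCode = 400;
            Response.Write("Invalid name parameter");
            return;
        }

        // "Pubs" is a hypothetical connection string name.
        string connStr =
            ConfigurationManager.ConnectionStrings["Pubs"].ConnectionString;
        try
        {
            using (var conn = new SqlConnection(connStr))
            using (SqlCommand cmd = BuildSafeCommand(conn, name))
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        // Encode on output: the regex admits the apostrophe, and
                        // rows already in the table were never validated here.
                        Response.Write(Server.HtmlEncode(reader.GetString(1)) + " " +
                                       Server.HtmlEncode(reader.GetString(0)) + "<br />");
                    }
                }
            }
        }
        catch (SqlException ex)
        {
            // Log the full exception server-side; the client gets a fixed string.
            // ex.Message can name tables and columns and must not reach the browser.
            System.Diagnostics.Trace.TraceError("Author lookup failed: {0}", ex);
            Response.StatusCode = 500;
            Response.Write("The request could not be completed.");
        }
    }
}
```

The catch block does in code what item m) does in configuration: with `<customErrors mode="RemoteOnly" />` in Web.config the ASP.NET error page with the raw exception text is only shown to a browser on the server itself, and remote clients get the generic page. Keeping both means an unhandled exception elsewhere in the application still does not leak schema details.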

Alexey Smirnov

08-31-2008
On Aug 28, 11:50 am, Niraj Ranka wrote:

> b) Update microsoft updates automatically


How may this help to avoid SQL injection?

Microsoft has recently released SQL injection defense and detection
tools. The tools include URLScan 3.0 and Microsoft Source Code
Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
a SQL injection detection tool which you may find interesting too.

http://www.microsoft.com/technet/sec...ry/954462.mspx
Niraj Ranka

09-01-2008
On Aug 31, 3:30 pm, Alexey Smirnov wrote:
> On Aug 28, 11:50 am, Niraj Ranka wrote:
> > b) Update microsoft updates automatically
>
> How may this help to avoid SQL injection?
>
> Microsoft has recently released SQL injection defense and detection
> tools. The tools include URLScan 3.0 and Microsoft Source Code
> Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
> a SQL injection detection tool which you may find interesting too.
>
> http://www.microsoft.com/technet/sec...ry/954462.mspx


This will definitely fix any security loopholes by Microsoft, as
we receive various patches.
Alexey Smirnov

09-01-2008
On Sep 1, 12:48 pm, Niraj Ranka wrote:
> On Aug 31, 3:30 pm, Alexey Smirnov wrote:
> > On Aug 28, 11:50 am, Niraj Ranka wrote:
> > > b) Update microsoft updates automatically
> >
> > How may this help to avoid SQL injection?
> >
> > Microsoft has recently released SQL injection defense and detection
> > tools. The tools include URLScan 3.0 and Microsoft Source Code
> > Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
> > a SQL injection detection tool which you may find interesting too.
> >
> > http://www.microsoft.com/technet/sec...ry/954462.mspx
>
> This will definitely fix any security loopholes by Microsoft, as
> we receive various patches.


I think it's a mistake to tell people that application error will be
fixed by the platform patch. SQL injection is an issue that occurs
because of poorly written code and not because of loopholes in .NET.
Programmers should understand the underlying problem of this issue.
Niraj Ranka

09-12-2008
That an application error cannot be fixed by a program patch is correct. But
here I wrote to have custom error as readonly; this will help in
getting an ad hoc error message screen to the end SQL injector. If you
have error = on it will give the exact error message, exposing your field
names.

On Sep 1, 4:43 pm, Alexey Smirnov wrote:
> On Sep 1, 12:48 pm, Niraj Ranka wrote:
> > On Aug 31, 3:30 pm, Alexey Smirnov wrote:
> > > On Aug 28, 11:50 am, Niraj Ranka wrote:
> > > > b) Update microsoft updates automatically
> > >
> > > How may this help to avoid SQL injection?
> > >
> > > Microsoft has recently released SQL injection defense and detection
> > > tools. The tools include URLScan 3.0 and Microsoft Source Code
> > > Analyzer for SQL Injection. Additionally, they referred to HP Scrawlr,
> > > a SQL injection detection tool which you may find interesting too.
> > >
> > > http://www.microsoft.com/technet/sec...ry/954462.mspx
> >
> > This will definitely fix any security loopholes by Microsoft, as
> > we receive various patches.
>
> I think it's a mistake to tell people that application error will be
> fixed by the platform patch. SQL injection is an issue that occurs
> because of poorly written code and not because of loopholes in .NET.
> Programmers should understand the underlying problem of this issue.