SQL Injection Hijinks

or Why I Keep Harping On Blacklisting

Summary: An incident reveals attempts to get around blacklisting by manipulating behavior in ASP, illustrating the weakness of blacklist approaches. A new version of UrlScan is shipping today with a change specifically to address this.

Discussion: I was working with a colleague on an incident last week…


PASSGEN

Occasionally, I see a security incident where one of the things that went wrong was that all of the customer’s machines have the same password for the built-in administrator’s account.  Whenever this happens, I suggest the PASSGEN tool that was included with the book "Protect Your Windows Network" by Steve Riley and Jesper Johansson.  Obviously,…


Err

I might be the last person to know this but one of my favorite internal Microsoft tools is now external.  Err.exe is a command-line tool that looks up error codes and spits out possible matches from various header files.  This is invaluable when you’re reading through a log and run across something like “Failed, err…


Input Validation Is Not The Answer

I just sent a piece of e-mail to my team about input validation and SQL injection and it occurred to me that I’ve been meaning to get into this here, too: If you’re trying to solve a SQL injection problem, input validation is NOT the answer! There, I’ve said it.   I keep seeing blog…


Forefront Server Security Management Console, Templates, and Revisions

Sometimes, working in support, you come across a best practice or a bit of knowledge that is well-known to some people…but that bit of knowledge has never actually been documented.  Today was one of those days. While working in an environment with multiple Exchange Server 2003 servers running Antigen 9.1 Hotfix Rollup 3, we had…


Does This Make Me A Fanboy?

I upgraded my iPhone to the 2.0 firmware today and I’ve been playing with the app store all day.  It’s pretty neat stuff. Since I’m on a conference call tonight but I’m only here in an advisory/observational way, I put my phone on mute and kept playing with the app store.  I downloaded the PhoneSaber…


Antigen 9.1 Hotfix Rollup 3 and Performance Monitor

While investigating an issue where mail was queuing in the Exchange Information Store, we discovered an issue that affects customers running Antigen 9.1 Hotfix Rollup 3 when there are performance monitoring tools such as Perfmon, Perfwiz, and the MOM client running.  This issue will manifest itself as mail queuing (and never un-queueing), particularly immediately after…


SQL Storm: Possible ASP.Net

I’ve had an unconfirmed report that the SQL Storm attacks are now also affecting ASP.Net pages, specifically with a URL of http://www.chliyi.com/m.js (this appears to be offline currently but I wouldn’t suggest browsing there…) being injected into those pages.  My team hasn’t worked on any incidents yet so I can’t confirm that it is the…


SQL Injection: Trends & Guidance

I’ve been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users.  That article is posted at sql-injection-attack.aspx. For developers, specifically, Bala Neerumalla has written an excellent overview of SQL injection and classic ASP code for MSDN at cc676512.aspx.  This is…


SQLInjectionFinder

My colleague Greg, who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it dubbed today).  This is a fairly convenient approach to searching logfiles on an IIS…
