SQL Injection Hijinks

or Why I Keep Harping On Blacklisting   Summary: An incident reveals attempts to get around blacklisting by manipulating behavior in ASP, illustrating the weakness of blacklist approaches. A new version of UrlScan is shipping today with a change specifically to address this. Discussion: I was working with a colleague on an incident last week…

1

Input Validation Is Not The Answer

I just sent a piece of e-mail to my team about input validation and SQL injection and it occurred to me that I’ve been meaning to get into this here, too: If you’re trying to solve a SQL injection problem, input validation is NOT the answer! There, I’ve said it.   I keep seeing blog…

2

SQL Storm: Possible ASP.Net

I’ve had an unconfirmed report that the SQL Storm attacks are now also affecting ASP.Net pages, specifically with a  URL of http://www.chliyi.com/m.js (this appears to be offline currently but I wouldn’t suggest browsing there…) being injected into those pages.  My team hasn’t worked on any incidents yet so I can’t confirm that it is the…

0

SQL Injection: Trends & Guidance

I’ve been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users.  That article is posted at sql-injection-attack.aspx. For developers, specifically, Bala Neerumalla has written an excellent overview of SQL injection and classic ASP code for MSDN at cc676512.aspx.  This is…

0

SQLInjectionFinder

My colleague Greg, who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it dubbed today).  This is a fairly convenient approach to searching logfiles on an IIS…

0

SQL Injection Mitigation: Using Parameterized Queries part 2 (types and recordsets)

(Part 1 is here) Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters.  It also created a read-only ADODB.RecordSet which, obviously, isn’t one-size-fits-all. Typing In the last installment, we had worked up this code to do our…

9

SQL Injection Mitigation: Using Parameterized Queries

Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection.  He walks through three coding requirements/defenses: Use SQL Parameterized Queries Use Stored Procedures Use SQL Execute-only Permissions As Michael points out, only the first, parameterized queries, remedies the problem.  The other two provide additional defense. The good news is that changing…

14

SQL Injection -- A Comment

Kumar comments here and I think he has some questions/concerns that are worth addressing.  I’m going to add my own comments (and, please note, the comments I make here are my own and do not necessarily reflect Microsoft’s corporate opinions). ————————————————————————————— My site extensively uses asp and sql server. My site ranking is good with…

1

Mass SQL Injection -- Get Used To It

It looks like another wave of the mass SQL injection I talked about last month is going on.  The inserted link is different and, in the one specific incident I’ve seen, the source IP address is different; however, other than that, the attack looks to be identical. 2.1K websites so far, this month.

0

Anatomy of a SQL Injection Incident, Part 2: Meat

Intro It would appear that the incident I wrote about yesterday is still ongoing.  I’ve been using a search engine to query for the *.js file that’s being injected and it looks something like this: Wednesday: 10K hits (This is Avert’s number.  I didn’t look until Thu.) Thursday: 12.1K hits Friday: 12.9K hits Saturday: 14K…

14