SQL Injection Hijinks

or Why I Keep Harping On Blacklisting

Summary: An incident reveals attempts to get around blacklisting by manipulating behavior in ASP, illustrating the weakness of blacklist approaches. A new version of UrlScan is shipping today with a change specifically to address this.

Discussion: I was working with a colleague on an incident last week…


Input Validation Is Not The Answer

I just sent a piece of e-mail to my team about input validation and SQL injection and it occurred to me that I’ve been meaning to get into this here, too: If you’re trying to solve a SQL injection problem, input validation is NOT the answer! There, I’ve said it.

I keep seeing blog…


SQL Storm: Possible ASP.Net

I’ve had an unconfirmed report that the SQL Storm attacks are now also affecting ASP.Net pages, specifically with a URL of http://www.chliyi.com/m.js (this appears to be offline currently but I wouldn’t suggest browsing there…) being injected into those pages.  My team hasn’t worked on any incidents yet so I can’t confirm that it is the…


SQL Injection: Trends & Guidance

I’ve been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users.  That article is posted at sql-injection-attack.aspx. For developers, specifically, Bala Neerumalla has written an excellent overview of SQL injection and classic ASP code for MSDN at cc676512.aspx.  This is…



My colleague Greg, who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it dubbed today).  This is a fairly convenient approach to searching logfiles on an IIS…
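As an added illustration of the kind of log search the post describes (this is not Greg’s CodePlex sample and makes no claim about how it works), here is a stand-alone VBScript for cscript that reads an IIS W3C log, finds the cs-uri-query column from the #Fields: directive, and prints requests whose query string matches a handful of SQL injection indicators. The indicator patterns (DECLARE, CAST(, EXEC(, a long 0x hex literal, quote-OR, and ;--) are my assumptions about what is worth flagging, and the log lines embedded for the no-argument run are constructed, not from a real incident.

```vbscript
Option Explicit
' Added example, not the CodePlex sample. Usage: cscript scanlog.vbs ex080425.log
' With no argument it scans the constructed sample lines below.
' Patterns are assumptions about what is worth flagging in cs-uri-query;
' IIS logs spaces in the query string as + (or they arrive as %20).

Dim re
Set re = New RegExp
re.IgnoreCase = True
re.Pattern = "(declare(\+|%20)|cast(\(|%28)|exec(\(|%28)|0x[0-9a-f]{16,}|'(\+|%20)or(\+|%20)|;--)"

Function ScanLines(lines)
    ' Takes an array of W3C log lines; returns the data lines whose
    ' cs-uri-query field matches. The column index comes from the
    ' #Fields: directive, so any logging field order works.
    Dim hits, n, i, j, line, fields, queryIndex
    hits = Array()
    n = 0
    queryIndex = -1
    For i = 0 To UBound(lines)
        line = lines(i)
        If Left(line, 8) = "#Fields:" Then
            fields = Split(Trim(Mid(line, 9)), " ")
            For j = 0 To UBound(fields)
                If fields(j) = "cs-uri-query" Then queryIndex = j
            Next
        ElseIf Left(line, 1) <> "#" And Len(Trim(line)) > 0 And queryIndex >= 0 Then
            fields = Split(line, " ")
            If UBound(fields) >= queryIndex Then
                If re.Test(fields(queryIndex)) Then
                    ReDim Preserve hits(n)
                    hits(n) = line
                    n = n + 1
                End If
            End If
        End If
    Next
    ScanLines = hits
End Function

Function ReadLogFile(path)
    ' Reads a whole log file into an array of lines.
    Dim fso, ts
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile(path, 1)
    ReadLogFile = Split(ts.ReadAll, vbCrLf)
    ts.Close
End Function

Dim lines, hits, h
If WScript.Arguments.Count > 0 Then
    lines = ReadLogFile(WScript.Arguments(0))
Else
    ' Constructed sample: one clean request and two that should be flagged.
    lines = Array( _
      "#Software: Microsoft Internet Information Services 6.0", _
      "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status", _
      "2008-04-25 12:00:01 10.0.0.5 GET /product.asp id=42 80 192.0.2.10 200", _
      "2008-04-25 12:00:02 10.0.0.5 GET /product.asp id=42;DECLARE+@s+varchar(4000);SET+@s=CAST(0x44454331415245204054205641524348415228 AS+varchar(4000));EXEC(@s);-- 80 192.0.2.77 200", _
      "2008-04-25 12:00:03 10.0.0.5 GET /product.asp id=1'+or+1=1-- 80 192.0.2.78 500")
End If

hits = ScanLines(lines)
For Each h In hits
    WScript.Echo h
Next
WScript.Echo (UBound(hits) + 1) & " suspicious request(s)"
```

The match is deliberately loose (a keyword or a long hex literal anywhere in the query string), so expect to review the output by hand; the point is to pull candidate requests out of a multi-gigabyte log quickly, not to serve as a blacklist in front of the application, which is exactly the approach the other posts argue against.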


SQL Injection Mitigation: Using Parameterized Queries part 2 (types and recordsets)

(Part 1 is here) Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters.  It also created a read-only ADODB.RecordSet which, obviously, isn’t one-size-fits-all.

Typing

In the last installment, we had worked up this code to do our…


SQL Injection Mitigation: Using Parameterized Queries

Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection.  He walks through three coding requirements/defenses:

1. Use SQL Parameterized Queries
2. Use Stored Procedures
3. Use SQL Execute-only Permissions

As Michael points out, only the first, parameterized queries, remedies the problem.  The other two provide additional defense. The good news is that changing…
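To make the point of this post, of its part 2 (explicit parameter types and an updatable recordset), and of “Input Validation Is Not The Answer” concrete in one place, here is an added classic ASP example. It is not the code from the posts. It assumes a SQL Server table dbo.Products(ProductID int, ProductName nvarchar(50), UnitPrice money) and a connection string kept in Application("connStr"); both are hypothetical. The ADO constants are declared inline so the page does not depend on adovbs.inc.

```vbscript
<%
Option Explicit
' Added example, not code from the posts. Assumes (hypothetically) a table
' dbo.Products(ProductID int, ProductName nvarchar(50), UnitPrice money)
' and a connection string in Application("connStr").
' ADO constants spelled out so no adovbs.inc include is needed.
Const adCmdText = 1, adParamInput = 1
Const adInteger = 3, adVarWChar = 202
Const adOpenKeyset = 1, adLockOptimistic = 3

Dim conn, cmd, rs, id, namePrefix

' BEFORE: the query is assembled from request data. Whatever filtering is
' applied to Request.QueryString("id"), the database still receives code
' and data in one string and has to guess where one ends.
'
'   sql = "SELECT ProductName, UnitPrice FROM dbo.Products " & _
'         "WHERE ProductID = " & Request.QueryString("id")
'   Set rs = conn.Execute(sql)

' AFTER: fixed SQL text with placeholders; values are bound separately.
' The numeric check is about returning a sensible error, not about safety:
' the parameter binding below is what keeps the value out of the SQL text.
If Not IsNumeric(Request.QueryString("id")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
id = CLng(Request.QueryString("id"))
namePrefix = Left(Request.QueryString("name"), 49) & "%"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("connStr")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT ProductName, UnitPrice FROM dbo.Products " & _
                  "WHERE ProductID = ? AND ProductName LIKE ?"

' Explicit types and sizes: an integer for ProductID and a 50-character
' Unicode string for the LIKE pattern. A quote, semicolon or comment
' marker in the name is just characters inside the bound value.
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
cmd.Parameters.Append cmd.CreateParameter("@name", adVarWChar, adParamInput, 50, namePrefix)

' Open the recordset from the Command object with a keyset cursor and
' optimistic locking so it is updatable, instead of the read-only,
' forward-only recordset that Connection.Execute hands back.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , adOpenKeyset, adLockOptimistic

If rs.EOF Then
    Response.Write "No such product."
Else
    Response.Write Server.HTMLEncode(rs("ProductName")) & ": " & rs("UnitPrice")
    rs("UnitPrice") = rs("UnitPrice") * 1.1   ' write-back through the recordset
    rs.Update
End If

rs.Close
conn.Close
%>
```

Note the second argument to rs.Open is left empty on purpose: when a Command object is the source, ADO uses that command’s ActiveConnection, and passing a connection again raises an error. The stored-procedure and execute-only-permission defenses from the list above layer on top of this; they do not replace the binding.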


SQL Injection — A Comment

Kumar comments here and I think he has some questions/concerns that are worth addressing.  I’m going to add my own comments (and, please note, the comments I make here are my own and do not necessarily reflect Microsoft’s corporate opinions).

—————————————————————————————

My site extensively uses asp and sql server. My site ranking is good with…


Mass SQL Injection — Get Used To It

It looks like another wave of the mass SQL injection I talked about last month is going on.  The inserted link is different and, in the one specific incident I’ve seen, the source IP address is different; however, other than that, the attack looks to be identical. 2.1K websites so far, this month.


Anatomy of a SQL Injection Incident, Part 2: Meat

Intro

It would appear that the incident I wrote about yesterday is still ongoing.  I’ve been using a search engine to query for the *.js file that’s being injected and it looks something like this:

Wednesday: 10K hits (This is Avert’s number.  I didn’t look until Thu.)
Thursday: 12.1K hits
Friday: 12.9K hits
Saturday: 14K…