Archive for July 21, 2009

SSWUG Newsletter

Posted: July 21, 2009 in Uncategorized

Thought if you missed this you may want to check this out.

New Onslaught of Injection Happening as We Speak
Just a heads-up.  There is a new injection wave happening right now – it’s a blind injection routine that simply tries to run against your web-based application without regard to whether you’re returning error messages or providing feedback that a hacker can use against you. 

The hack uses the fairly well-known technique of walking through your user tables and updating character columns to insert a JavaScript reference.  What’s interesting is that the routines doing the poking re-attempt access numerous times and look to be automated, but we’re not sure.  Remember to watch the form parameters that you’re passing in, checking each of them for tell-tale injection issues.

We’ve talked about injection before – and I’m putting together a workshop about it to talk about things you need to know about, what we’ve seen, mistakes we’ve made along the way (and learned from) and much more.  The key things:

– check inputs – if it’s supposed to be a number, make sure it is.  Check out isnumeric()
– use stored procedures, pass in parameters.  SQL Server will force the parameters to the right value type and won’t execute the statement, but rather just treat it like data.
– clean your inputs – watch for single quotes, “CAST” and the other things you should have no business seeing in your inputs.

One thing – many people filter on keywords.  Those filters won’t trip on these types of injection attacks.  The reason is that the hackers are asking SQL Server to interpret the data and create a SQL statement, then execute it.  They aren’t passing in a literal statement from which you can filter out “UPDATE” keywords and the like.
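The difference between keyword filtering and type checking, as an added example that is not part of the newsletter: a naive keyword filter, a strict integer check and a tell-tale scan are run over three constructed values for a form field that should hold a numeric id. All names, patterns and sample values are assumptions made for illustration, and the hex literal decodes to a harmless placeholder string.

```python
import re

# Constructed sample: a keyword hidden as a hex literal, decoded only by the server.
ENCODED = "0x" + b"UPDATE placeholder".hex()
# Constructed values for a form field that is supposed to hold an integer id.
SAMPLES = {
    "benign": "1042",
    "plain_keyword": "7; UPDATE t SET c='x'",
    "cast_encoded": f"7;SET @s=CAST({ENCODED} AS VARCHAR(4000));EXEC(@s)",
}

KEYWORDS = re.compile(r"\b(UPDATE|INSERT|DELETE|DROP)\b", re.I)
# Hypothetical marker set, following the newsletter's "single quotes, CAST" advice.
TELLTALES = {
    "single quote": re.compile(r"'"),
    "statement separator": re.compile(r";"),
    "CAST call": re.compile(r"\bCAST\s*\(", re.I),
    "long hex literal": re.compile(r"0x[0-9a-f]{16,}", re.I),
    "EXEC call": re.compile(r"\bEXEC(UTE)?\b", re.I),
}

def keyword_filter_blocks(value):
    """Naive filter: block only if a DML/DDL keyword appears literally."""
    return bool(KEYWORDS.search(value))

def is_valid_id(value):
    """Type check: digits only, bounded length. Stricter than a general
    'is numeric' test, which also accepts forms such as 1e5."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None

def telltales(value):
    """Names of the markers found, for logging and alerting."""
    return [name for name, rx in TELLTALES.items() if rx.search(value)]

def review(samples=SAMPLES):
    """Run all three checks over every sample and return the results."""
    return {name: {"keyword_filter_blocks": keyword_filter_blocks(v),
                   "valid_id": is_valid_id(v),
                   "telltales": telltales(v)}
            for name, v in samples.items()}

if __name__ == "__main__":
    for name, result in review().items():
        print(name, result)
```

The encoded value passes the keyword filter but fails the integer check, which is why the type check and parameter passing belong in front of any pattern matching.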

Lastly, do ALL of the protective things, all the time and test your system continually.  Don’t do some, some of the time.  You’ll get bit.