Thought that if you missed this, you might want to check it out.
New Onslaught of Injection Happening as We Speak
Just a heads-up: there is a new injection wave happening right now. It is a blind injection routine that simply runs against your web-based application whether or not you return error messages or any other feedback an attacker could use, so suppressing error output alone does not stop it.
We’ve talked about injection before, and I’m putting together a workshop on it to cover what you need to know, what we’ve seen, mistakes we’ve made along the way (and learned from), and much more. The key things:
– Check inputs. If a value is supposed to be a number, make sure it is before it goes anywhere near a query. IsNumeric() is a start, but it accepts more than plain integers (exponent notation such as 1e5 and, depending on the implementation, currency symbols and a lone decimal point), so convert to the exact type you expect and range-check it.
– Use stored procedures, or parameterized queries, and pass the values in as parameters. SQL Server coerces each parameter to its declared type and treats it strictly as data; it is never parsed as part of the statement. One caveat: a stored procedure that concatenates its parameters into a string and runs it with EXEC() is just as injectable as inline SQL. If you must build SQL dynamically, use sp_executesql with typed parameters.
– Clean your inputs. Watch for single quotes, “CAST” and anything else you have no business seeing in that field, and reject the request rather than trying to repair the value. Treat this as a backstop, not as the main defense.
One thing: many people filter on keywords. Those won’t trip on this type of injection. The request does not carry a statement you could match for “UPDATE” and the like; it carries the statement as a hex-encoded string and asks SQL Server to decode it with CAST and then execute the result, so the keyword only exists after the server has reassembled it. A keyword filter on the request is looking in the wrong place; the fix is to keep input out of the statement text entirely.
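The following is an added example, not code from the original post. It uses Python with an in-memory SQLite database standing in for SQL Server, and it covers the three checklist items above plus the keyword-filter point: a strict integer check that rejects what IsNumeric() would accept, a concatenated query beside its parameterized form, and a constructed hex-encoded payload that a keyword blacklist passes, decoded the way SQL Server's CAST would reveal it. The products table, its column names, the blacklist and every payload are constructed for this example; bytes.fromhex() is a stand-in for the server's CAST step, since SQLite cannot run the T-SQL batch itself.

```python
import re
import sqlite3

# Constructed inputs for this example (not taken from the original post).
BENIGN_ID = "42"
# Plain stacked-statement injection: the UPDATE is visible in the request.
OBVIOUS_PAYLOAD = "42; UPDATE products SET price = 0"
# The same UPDATE hex-encoded. The request carries no UPDATE keyword at all;
# SQL Server would decode it with CAST(0x... AS VARCHAR) and run it with EXEC.
HIDDEN_SQL = "UPDATE products SET price = 0"
ENCODED_PAYLOAD = (
    "42; DECLARE @s VARCHAR(4000); SET @s = CAST(0x"
    + HIDDEN_SQL.encode("ascii").hex().upper()
    + " AS VARCHAR(4000)); EXEC(@s)"
)

# A typical keyword blacklist (constructed).
BLACKLIST = ("UPDATE", "DELETE", "DROP", "INSERT")


def keyword_filter_passes(value):
    """The naive defence: accept the input unless a blacklisted word appears in it."""
    upper = value.upper()
    return not any(word in upper for word in BLACKLIST)


def decode_cast_hex(value):
    """Stand-in for SQL Server's CAST(0x... AS VARCHAR): decode every hex
    literal in the input to show what the server would actually execute."""
    return [bytes.fromhex(h).decode("ascii") for h in re.findall(r"0x([0-9A-Fa-f]+)", value)]


def is_strict_int(value):
    """Accept only an optionally signed run of ASCII digits. Unlike IsNumeric()
    or ISNUMERIC, this rejects exponent notation ('1e5'), currency ('$5'), a
    lone '.' and any trailing text, so int() can convert it without surprises."""
    return re.fullmatch(r"[+-]?[0-9]+", value) is not None


def setup_db():
    """In-memory SQLite database standing in for SQL Server (table is constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER NOT NULL, name TEXT, price REAL);"
        "INSERT INTO products VALUES (42, 'widget', 9.5), (43, 'gadget', 19.5);"
    )
    return conn


def price_of(conn, product_id):
    return conn.execute("SELECT price FROM products WHERE id = ?", (product_id,)).fetchone()[0]


def run_concat(conn, user_id):
    """Vulnerable: the input is spliced into the statement text. executescript()
    runs every statement in the string, modelling a server that executes the
    whole batch the way SQL Server does; execute() would refuse the second one."""
    conn.executescript("SELECT name FROM products WHERE id = " + user_id + ";")


def lookup_param(conn, user_id):
    """Parameterized: the value is bound as data and never parsed as SQL, so an
    injection string simply matches no row and changes nothing."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (user_id,))
    return [name for (name,) in rows]


def handle_request(conn, raw_id):
    """Do all of it: validate the type first, then bind the typed value."""
    if not is_strict_int(raw_id):
        raise ValueError("product id must be an integer: %r" % raw_id)
    return lookup_param(conn, int(raw_id))


if __name__ == "__main__":
    conn = setup_db()
    print("filter passes obvious payload:", keyword_filter_passes(OBVIOUS_PAYLOAD))
    print("filter passes encoded payload:", keyword_filter_passes(ENCODED_PAYLOAD))
    print("what the server would run:", decode_cast_hex(ENCODED_PAYLOAD))
    print("parameterized lookup of payload:", lookup_param(conn, OBVIOUS_PAYLOAD),
          "price still", price_of(conn, 42))
    run_concat(conn, OBVIOUS_PAYLOAD)
    print("after concatenated query, price is", price_of(conn, 42))
    for raw in (BENIGN_ID, "1e5", "$5", ENCODED_PAYLOAD):
        print(repr(raw[:24]), "->", "ok" if is_strict_int(raw) else "rejected")
```

The blacklist rejects the obvious payload and passes the encoded one, even though both run the same UPDATE once the server decodes the hex; the parameterized lookup leaves the price untouched for either, while the concatenated batch zeroes it. handle_request() is the shape to aim for: type check first, then bind the typed value, so neither the filter nor the decode step matters.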
Lastly, do ALL of the protective things, all the time, and test your system continually. Don’t do some of them some of the time. You’ll get bit.