SQL Injection Attacks, Insecure Servers and the Aftermath

Status
Not open for further replies.

Solonox

New Member
Just from one of the posts I read here a minute ago about an attack on a website, there is one other thing I would like to rant about.

SECURITY!!!!

There are a hell of a lot of good developers out there, however they tend to fall short on security, from all areas: application and server levels. No point in having a secure server and then lashing up a donkey bit of code that leaves it vulnerable, and vice versa, no point having secure code and a donkey server. Although the bulk of the time it is a combination of both.

To start with you need to nail down your server configurations and firewall configurations. I would highly recommend using Nessus, ISS and Nmap to scan your server. These applications will give you a very solid starting point. - Anyway that was just a side topic.

The main thing that gets my goat is the lack of Data Sanitizing. I have done security audits on a lot of high profile sites, that you would assume are secure... and lo and behold, they are vulnerable. In some cases the level of the security threat is not too severe.. simple injection attacks etc.. However then you hit e-commerce sites where you can retrieve user details, bypass logins etc.. All of which can be controlled by correct Data Sanitizing.

SQL Injection Attack
For those of you who don't know, a SQL Injection Attack is an instance where data supplied by the user or application has not been checked for illegal characters. So basically what happens then is... You are passing a value through your URL which looks something like...

www.domain.com/page.aspx?ID=10

So lets say ID 10 is retrieved by page.aspx and used in a SQL Statement to retrieve all contents where ID is equal to 10...

Not a problem, all will work fine.. until someone pops your bubble and throws an illegal argument into the mix.

So you now have something like

www.domain.com/page.aspx?ID=10'

This ' char will in a nutshell allow an attacker to append their own SQL statement to the existing one you are already using.

A very crude example but you get where I'm going with it...

So what you need to do is make sure you are passing the values your SQL statement expects.. and ONLY those values. If it is numeric, check that it is numeric, if it is text make sure you strip illegal chars etc..

It is a very simple task, but it is overlooked by a large majority of developers. Not always because of a lack of understanding, but mainly because of laziness.

Botnets
Now I'm not going to go into detail on how botnets work, or what they are.. that is a job for you and Google. However the prime indicator that your site has been hit by a BotNet SQL Injection Attack will be the injection of a <script></script> tag in your dynamic fields, these will primarily be referencing .js files on a 3rd party site. These js files try to exploit more recently discovered vulnerabilities within browsers, in order to install spyware, malware etc.. on to your machine.

If this has been the case and has gone unnoticed, you will find yourself black flagged on Google. You will need to clean up your data before you can resubmit to Google to have the warning lifted.

Boring Cleanup
A simple script to clean up fields in your database would be:

-- Strips one injected string out of every row of a text/ntext column (SQL Server).
-- Replace TABLENAME and COLNAME with your own table and column names.
-- textptr/UPDATETEXT only work on text, ntext and image columns.
DECLARE @numX int            -- number of rows cleaned
DECLARE @txtLength int       -- length of the injected string
DECLARE @Pointer binary(16)  -- text pointer handed to UPDATETEXT
DECLARE @Position int        -- zero-based offset of the injected string in the row
DECLARE @BadString varchar(200)
SET @BadString = '<script src=http://www.bce8.ru/ngg.js></script>'
SET @numX = 0
SET @txtLength = len(@BadString)

-- One cursor row per affected record: its text pointer and where the bad string starts.
-- charindex is 1-based, UPDATETEXT offsets are 0-based, hence the -1.
DECLARE oCursor cursor local fast_forward
FOR
SELECT textptr(COLNAME), charindex(@BadString, COLNAME) - 1
FROM TABLENAME
WHERE COLNAME LIKE '%' + @BadString + '%'

OPEN oCursor
FETCH NEXT FROM oCursor INTO @Pointer, @Position
WHILE @@fetch_status = 0
BEGIN
    SET @numX = @numX + 1
    -- UPDATETEXT with no inserted data deletes @txtLength characters at @Position.
    -- Only the first occurrence per row is removed; rerun until numX = 0.
    UPDATETEXT TABLENAME.COLNAME @Pointer @Position @txtLength
    PRINT @@ERROR
    FETCH NEXT FROM oCursor INTO @Pointer, @Position
END
PRINT 'numX = ' + Cast(@numX as varchar(10))
CLOSE oCursor
DEALLOCATE oCursor

You can get more creative with the script if you need to, but this will do for a basic starting point.

Check Check Check
One of the best tools I use for doing automated vulnerability testing is Acunetix. This application is WONDERFUL and really takes the work out of Blind and Black Box testing.

Anyway... that was just my two cents worth.. I KNOW!!! I didn't go into much detail, but if there are any specific questions just ask.. haha

All joking aside though, it is a real problem, a lot of sites I have seen suffer with this problem.

Okay .. stepping down off my soap box ..
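The page.aspx?ID=10 case above, as an added example that is not part of the original post: the "donkey" query that pastes the query-string value into the SQL, next to the hardened one that checks the value is numeric and passes it as a parameter. It uses an in-memory SQLite table (constructed here; the page's schema is unknown) so the behaviour can be seen offline.

```python
import sqlite3

# Constructed stand-in for the site's database: the table behind page.aspx?ID=...
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE page (ID INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO page VALUES (?, ?)", [(10, "ten"), (11, "eleven")])


def fetch_unsafe(raw_id: str):
    """Vulnerable version: whatever came in on the URL is spliced into the statement.
    A stray quote (ID=10') changes the SQL itself instead of being treated as data."""
    sql = "SELECT title FROM page WHERE ID = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_safe(raw_id: str):
    """Hardened version: first check the value is exactly what the statement expects
    (an integer), then hand it to the driver as a bound parameter so it can only ever
    be compared against ID, never parsed as SQL."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("ID must be numeric")
    return conn.execute("SELECT title FROM page WHERE ID = ?", (int(raw_id),)).fetchall()


def outcome(fetch, raw_id: str):
    """Run one of the fetch functions and report whether it answered or refused."""
    try:
        return ("ok", fetch(raw_id))
    except sqlite3.Error as exc:          # the database choked on malformed SQL
        return ("sql-error", type(exc).__name__)
    except ValueError:                    # input validation refused the value
        return ("rejected", "ValueError")


if __name__ == "__main__":
    for value in ("10", "10'"):
        print(value, outcome(fetch_unsafe, value), outcome(fetch_safe, value))
```

With ID=10' the unsafe query dies inside the database with a syntax error (the tell-tale sign the author describes), while the safe one rejects the value before any SQL is built.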
 
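A detection counterpart to the cleanup script above, added here and not from the original post: it scans the text columns of a table for the botnet calling card, a <script src=...> tag whose src points at a host other than your own, and reports which row and column carry it so you know what to clean before resubmitting to Google. The sample table, rows, the own-host list and the off-site URL are all constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# A script tag with a src attribute pointing at an absolute http(s) URL.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.IGNORECASE)


def find_injected_scripts(conn, table, columns, key="ID", own_hosts=()):
    """Return (key value, column, src URL) for every off-site script tag found
    in the given text columns. table/columns are operator-supplied identifiers,
    not request input, which is why they are spliced into the statement here."""
    hits = []
    select = "SELECT " + ", ".join([key] + list(columns)) + " FROM " + table
    for row in conn.execute(select):
        for col, value in zip(columns, row[1:]):
            if not isinstance(value, str):
                continue
            for match in SCRIPT_SRC.finditer(value):
                src = match.group(1)
                if urlparse(src).hostname not in own_hosts:
                    hits.append((row[0], col, src))
    return hits


def build_sample_db():
    """Constructed table: one clean row, one row with an off-site script injected into
    a dynamic field, one row legitimately referencing the site's own script."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (ID INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?, ?)", [
        (1, "About us", "<p>Plain content, nothing injected.</p>"),
        (2, "Products", "<p>Our range</p><script src=http://attacker.invalid/ngg.js></script>"),
        (3, "Contact", '<script src="https://www.domain.com/site.js"></script><p>Form</p>'),
    ])
    return conn


def scan_sample():
    return find_injected_scripts(build_sample_db(), "page", ["title", "body"],
                                 own_hosts={"www.domain.com"})


if __name__ == "__main__":
    for key, col, src in scan_sample():
        print("row", key, "column", col, "references", src)
```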

nevf

New Member
Thanks for that post Solonox.

I have a brother who's doing Software Development at college in the final year. He's learning aspx as a core part of his course. And he was showing me how he's basically able to crack into websites.

Unbelievable.
 

n3tFl0w

New Member
Nice post. Good to have someone remind us every so often to think about security more... I'm about to start a new project and this has become my new resolution. Make it secure!:D
 