Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users

SSWUG Newsletter - Update on Large-scale SQL Injection Attacks

Stephen Wynkoop, founder of SSWUG (SQL-Server World-wide Users Group), shares an interesting update in today's SSWUG Newsletter related to the recent SQL Injection attacks. Over 500,000 web pages were infected with malware-related scripts.

The attacks were due to web developers taking short-cuts (e.g., not fully validating input before passing it to the SQL Server environment). While a website might work fine with normal input from users, it also needs safeguards against malicious injection attempts.

QUOTE: SQL Injection Hack Attack -- Poor Coding Techniques to Blame

There are SO many people writing about this whole IIS hack attack that I wrote about yesterday. What's odd is the very few of them that get it. I've seen the issues blamed on everything from SQL Server not having granular-enough permissions controls to flaws in the OS. I don't get it. This is just about coding techniques, nothing more. It's not a "feature" or "bug" being exploited.

When you accept input from a user and pass it blindly to the database engine, you are asking for trouble. When you don't control the input, don't control how it's presented to the engine for processing, you're asking for trouble. It really is that simple.

It's too easy for people to build sites with "dynamic SQL" - making changes to the SQL statements on the fly. "Select * from " + user_input is asking for trouble.

It's simple. If your applications accept input from users, you need to make sure you've taken steps to properly pass information from your application to the server and back again as you display it. If you're not doing this now, if you have not built this into your application design, review and development processes, you're asking for people to exploit your system. If you're not sure - find out. Learn what was built into the application. Consider using a tool to stay on top of new techniques and approaches.

Hacker Safe is one such tool - take a look at what they're doing and you'll get a great idea of the types of things to be aware of. (Not affiliated)
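The "Select * from " + user_input pattern the newsletter calls out, beside its parameterized form, as an added example that is not part of the original post or the SSWUG newsletter. It uses an in-memory sqlite3 table (a constructed stand-in for a SQL Server table behind an IIS site; the table, rows and inputs are all assumed) because the coding mistake and the fix are the same for any database driver: concatenated input becomes SQL syntax, a bound parameter stays data.

```python
import sqlite3

# Constructed sample data: stands in for a product table behind a web site.
SAMPLE_ROWS = [
    (1, "widget", 9.99),
    (2, "gadget", 19.99),
    (3, "gizmo", 29.99),
]


def make_db():
    """Build an in-memory table so the example runs offline (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_products_dynamic(conn, user_input):
    """The 'dynamic SQL' anti-pattern: user input is spliced into the SQL text.

    Whatever the user typed is parsed by the engine as part of the statement,
    so a quote character in the input changes the query itself.
    """
    sql = "SELECT id, name FROM products WHERE name = '" + user_input + "' ORDER BY id"
    return [row[1] for row in conn.execute(sql)]


def find_products_parameterized(conn, user_input):
    """Hardened form: the value is bound as a parameter, never as SQL text.

    The statement's structure is fixed before the engine sees the value, so
    quotes inside the input are matched literally against the name column.
    """
    sql = "SELECT id, name FROM products WHERE name = ? ORDER BY id"
    return [row[1] for row in conn.execute(sql, (user_input,))]


def dynamic_query_fails(conn, user_input):
    """True if the concatenated query is rejected by the engine for this input.

    Even a harmless name containing an apostrophe breaks the dynamic version,
    which is one way these bugs surface in error logs before anyone abuses them.
    """
    try:
        find_products_dynamic(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True


def compare(conn, user_input):
    """Run both versions on the same input and return their result lists."""
    dynamic = None if dynamic_query_fails(conn, user_input) else find_products_dynamic(conn, user_input)
    return {
        "dynamic": dynamic,
        "parameterized": find_products_parameterized(conn, user_input),
    }


if __name__ == "__main__":
    db = make_db()
    # Ordinary input: both versions agree.
    print("widget        ->", compare(db, "widget"))
    # Input that closes the quoted literal and appends a tautology: the
    # dynamic version returns every row, the parameterized one matches nothing.
    print("x' OR 'a'='a  ->", compare(db, "x' OR 'a'='a"))
    # Legitimate value with an apostrophe: the dynamic version errors out.
    print("o'neill       ->", compare(db, "o'neill"))
```

The check worth carrying into a code review is mechanical: any place where a string containing SQL is built with `+`, string formatting or interpolation from request data is a candidate for this bug, regardless of how the input was "cleaned" upstream; replacing it with a bound parameter removes the problem without depending on validation being complete.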


McAfee's "Hacker Safe" - Site Verification Tool
http://www.hackersafe.com/site/en/security/intro/

SQL-Server World-wide Users Group (SSWUG) - Home Page
http://www.sswug.org

May 01 2008, 07:37 PM by Harry Waldron

Comments


Sql Servers said:

The Hacker Safe link now goes to McAfee but then shows page not found, oops.

September 27, 2008 10:52 AM
