New SQL Injection attacks - The need to improve Legacy Web Applications
SQL Injection attacks provide an easy way to plant malicious redirecting scripts on web sites. Most mainstream Internet sites already follow secure coding conventions (e.g., parameterized SQL statements issued through a data-access layer such as ADO, well-written stored procedures, etc.), so the attack does not get far against them.
Before these automated SQL injection attacks, some developers may not have been aware of the controls needed (e.g., a lack of training or awareness about the need for input filtering and parameterized queries). It was also much quicker to get web pages built without putting the extra security logic in.
SQL injection has been around for years (this blog has covered it in several posts since 2004). The automation and widespread use of SQL injection attacks have now changed the landscape: monitoring for and preventing automated SQL injection is a job for every site, not just the high-profile ones.
As the ISC documents, another new attack is circulating, and this one packs the entire attack into a single SQL statement. The diary also shares three controls for legacy web applications (have no injection faults, run the site under a limited database account, and monitor for SQL errors), quoted below:
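To make the "parameterized statement" point concrete, here is an added example (my own code, not from this blog or the ISC diary). It uses an in-memory SQLite table with constructed sample content as a stand-in for a site's page table, and shows two constructed payloads against a legacy, string-concatenated lookup and against the same lookup with a bound parameter. The second payload asks the database for its own schema through SQLite's sqlite_master catalog, the same kind of self-discovery the ISC diary describes for the wild attack; the table and column names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample content table (not data from any real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (slug, body) VALUES (?, ?)",
                     [("home", "<p>Welcome</p>"), ("about", "<p>About us</p>")])
    conn.commit()
    return conn


def page_body_legacy(conn, slug):
    """Injectable: the request parameter is spliced into the SQL text."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def page_body_parameterized(conn, slug):
    """Hardened: the SQL text is fixed; the value travels as a bound parameter,
    so quotes, keywords and operators inside it are never parsed as SQL."""
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# Constructed payloads. The first turns the WHERE clause into a tautology and
# leaks every row; the second makes the database describe its own tables, the
# kind of self-discovery an automated attack relies on. Both are written so the
# application's own closing quote completes the statement.
TAUTOLOGY = "x' OR '1'='1"
SCHEMA_DUMP = "x' UNION SELECT sql FROM sqlite_master WHERE '1'='1"


def demo():
    """Run both payloads through both lookups and return what each yields."""
    conn = make_db()
    return {
        "legacy_tautology": page_body_legacy(conn, TAUTOLOGY),
        "legacy_schema": page_body_legacy(conn, SCHEMA_DUMP),
        "safe_tautology": page_body_parameterized(conn, TAUTOLOGY),
        "safe_schema": page_body_parameterized(conn, SCHEMA_DUMP),
        "normal": page_body_parameterized(conn, "home"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the legacy lookup the tautology returns every page and the schema payload returns the CREATE TABLE text; against the parameterized lookup both payloads are just odd slug values that match nothing, while a normal slug still works. The fix is the same on any engine: keep the SQL text constant and bind the value.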
Internet Storm Center - New SQL Injection attacks
QUOTE: We continue to receive more reports of SQL injection attacks, using updated URLs. One of the "neat" features of this exploit is how it uses one single SQL statement which will pull all the necessary information from the database itself.
RECOMMENDATIONS: Finally: How to defend against this? The "simple" answer is of course to just not have any SQL injection faults. But that's easier said than done, in particular for an existing legacy application. A couple other things you can do:
* Limit the database user the web application uses. Maybe it doesn't have to update anything, or only a few tables
* Monitor your web application for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges
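The two ISC recommendations above work together: a database account without UPDATE rights turns a mass defacement into a failed statement, and that failure is exactly what the application log should be watched for. The following is an added example of my own (not code from this blog or from the ISC) that simulates both outcomes. SQLite has no GRANT/REVOKE, so its query_only pragma stands in for a read-only database login; executescript() stands in for a driver that accepts statement batches, which is what lets an injected UPDATE ride along with the page's SELECT. The payload, the table, the host name example.invalid and the list of error strings the monitor matches are all constructed assumptions for the demonstration, not the wild attack's text.

```python
import io
import logging
import re
import sqlite3


def make_db():
    """Constructed sample content table (not data from any real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.execute("INSERT INTO pages (slug, body) VALUES ('home', '<p>Welcome</p>')")
    conn.commit()
    return conn


def restrict_to_read_only(conn):
    """Stand-in for a database login that holds SELECT but no UPDATE right.
    SQLite has no GRANT, so the query_only pragma plays that role here; on a
    real server create a separate account with only the rights the pages need."""
    conn.execute("PRAGMA query_only = 1")


# Constructed payload, illustrative only: it closes the quoted string, then
# appends a script tag to every page body. The application's own trailing
# quote completes the final WHERE clause.
PAYLOAD = ("home'; UPDATE pages SET body = body || "
           "'<script src=\"http://example.invalid/r.js\"></script>' WHERE slug <> '")


def run_legacy_lookup(conn, slug, log):
    """Injectable legacy lookup. Returns True if the database ran the batch,
    False if it refused part of it (and logs the error in that case)."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    try:
        conn.executescript(sql)   # batch-capable call: injected UPDATE rides along
        return True
    except sqlite3.Error as exc:
        # This failure is the signal the monitoring recommendation is about.
        log.error("SQL error for slug=%r: %s", slug, exc)
        return False


def page_body(conn, slug):
    """Parameterized read used only to inspect the table afterwards."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


# Assumed error strings a log monitor would match; extend with the messages
# your own database engine emits (e.g. permission errors from a real server).
SQL_ERROR_RE = re.compile(
    r"readonly database|syntax error|no such (table|column)|unrecognized token|"
    r"permission denied|incomplete input", re.IGNORECASE)


def count_sql_errors(log_text):
    """Number of log lines that look like a database error."""
    return sum(1 for line in log_text.splitlines() if SQL_ERROR_RE.search(line))


def simulate(read_only):
    """Send the injected request to a full-rights or a read-only account and
    report what the attacker achieved and what the application log recorded."""
    conn = make_db()
    if read_only:
        restrict_to_read_only(conn)
    buf = io.StringIO()
    log = logging.getLogger("webapp.sql")
    log.setLevel(logging.ERROR)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    try:
        ran = run_legacy_lookup(conn, PAYLOAD, log)
    finally:
        log.removeHandler(handler)
    return {"query_ran": ran,
            "body": page_body(conn, "home"),
            "sql_errors_logged": count_sql_errors(buf.getvalue())}


if __name__ == "__main__":
    print("full rights:", simulate(read_only=False))
    print("read-only  :", simulate(read_only=True))
```

With full rights the batch succeeds silently and the page body now carries the script tag; with the read-only account the SELECT still works, the UPDATE is refused, the page is untouched, and one matching error line lands in the log, which is the alert a monitor should raise. The same approach applies to any engine: give the web login only the rights its pages need, and treat database errors in the application log as a signal rather than noise.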