SQL Server Forums
 Preventing sql injection

parrot
Posting Yak Master

USA
132 Posts

Posted - 01/10/2013 : 00:04:38
After going through an experience of having my database infected with sql injection and then fixing the problem, I reviewed the log file and learned of some of the characters hackers use in sql injection. To prevent further attacks I added requestFiltering to my web.config file. It is placed within the <security> block as shown below:

<requestFiltering>
    <denyUrlSequences>
        <add sequence="--"/>
        <add sequence="varchar"/>
        <add sequence="+exec"/>
        <add sequence="+declare"/>
        <add sequence="+cast"/>
        <add sequence="=cast"/>
        <add sequence="@@version"/>
    </denyUrlSequences>
</requestFiltering>

This code will stop any data in a url stream that contains the above characters. So a url that reads http://www.mywebsite.com?code=varchar(8000) will be rejected by the server and will throw an error. However, I also went the extra step and edited for these characters in any input fields as well. Doing this in combination with using parameterized queries should stop most sql injection.
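The post closes with the one control that actually removes the injection, parameterized queries, so here is an added example (not the poster's application code) showing the vulnerable concatenated lookup next to its parameterized form. It uses an in-memory sqlite3 table and a constructed "products" table as a stand-in for the SQL Server database behind the "?code=" parameter; the two patterns are the same ones you would write against SQL Server with ADO.NET.

```python
import sqlite3

# Constructed sample data standing in for the product table behind the
# "?code=" parameter in the post; sqlite3 is used only so the example
# runs offline (the same two patterns apply to SQL Server via ADO.NET).
SEED_ROWS = [(1, "ABC123", "Widget"), (2, "XYZ789", "Gadget")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, code TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_concatenated(conn, code):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so the database parses whatever the client sent as part of the statement."""
    sql = "SELECT id, name FROM products WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, code):
    """Hardened pattern: the value travels as a bound parameter and is only
    ever compared as data, never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


def compare(code):
    """Run both lookups on the same input and report what each one did.
    Returns (concatenated_result, parameterized_result); a result is either
    the list of matching rows or the string 'error' if the statement failed."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, code)
    except sqlite3.Error:
        concat = "error"
    param = lookup_parameterized(conn, code)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for sample in ["ABC123", "varchar(8000)", "O'Brien", "' OR '1'='1"]:
        print(repr(sample), "->", compare(sample))
```

Two things worth noticing when you run it: the input the post's filter is meant to catch, varchar(8000), is harmless to both versions once it is only ever a value, while a perfectly legitimate value containing an apostrophe (O'Brien) breaks the concatenated query outright and works unchanged with the parameter. That is the reason to treat the request-filter denylist as a noise reducer and the parameterization as the fix: sequences like "--" will also reject legitimate input, and a filter on the URL says nothing about how the value is used once it reaches the database.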

visakh16
Very Important crosS Applying yaK Herder

India
52317 Posts

Posted - 01/10/2013 : 00:30:19
See other ways of stopping sql injection attacks

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/


robvolk
Most Valuable Yak

USA
15675 Posts

Posted - 01/10/2013 : 07:27:35
Here are some more resources:

http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

I would even suggest not using the querystring for passing parameters, and only use form elements in the request header. This doesn't really make it more secure, but it helps identify any attackers that append text to a querystring.

I just recently read an interesting injection article, I'll have to find and post it later. Best part is that the site being hacked is still up and vulnerable.

robvolk
Most Valuable Yak

USA
15675 Posts

Posted - 01/10/2013 : 10:45:25
Here it is:

http://www.securitylearn.net/2013/01/07/sql-injection-exploitation-and-dumping-the-database/

It's not too hard to figure out which site this is and play with it on your own. You'll see how easy it is to play around with querystring parameters and get data back.

parrot
Posting Yak Master

USA
132 Posts

Posted - 01/10/2013 : 10:58:48
I should also mention that if my program data validation routine detects suspect data, I capture the ip address associated with the input and send myself an email noting the time, ip address, data field name and data content. I also write this to an error log. This way I can add the ip address to a deny list in my web.config file after checking to see the geolocation of the ip address. In my sql injection episode I found out the ip address was located in Germany. For those who want to know the offender's ip address it is 109.230.251.12. I added this ip address to my web.config file in the <security> block as follows:

<ipSecurity>
    <add ipAddress="141.136.17.150" allowed="false" />
    <add ipAddress="193.107.16.97" allowed="false" />
    <add ipAddress="217.106.238.157" allowed="false" />
    <add ipAddress="109.230.251.12" allowed="false" />
</ipSecurity>

The above ip addresses are from Bulgaria, Russia, and Germany. Feel free to put them on your deny list. I would add all ip addresses from Russian bloc countries if I could but that is impossible to determine.
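The detection-and-logging routine described in this post (flag suspect input, record time, ip, field name and content, then feed the address into the web.config deny list) is easy to get wrong in the details, so here is an added example of that flow. It is not the poster's code: the suspect-sequence list is the one from the first post reused as a hypothetical detection list, the field names and the 203.0.113.7 address are constructed, and the <ipSecurity> fragment is rendered with xml.etree rather than edited in place in web.config.

```python
import json
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Hypothetical detection list: the sequences the first post rejects in URLs,
# reused here to inspect form fields. Tune this for your own application.
SUSPECT_SEQUENCES = ("--", "varchar", "+exec", "+declare", "+cast", "=cast", "@@version")


def find_suspect_fields(fields):
    """Return [(field_name, matched_sequence)] for every field whose value
    contains one of the suspect sequences (case-insensitive, first match only)."""
    hits = []
    for name, value in fields.items():
        lowered = str(value).lower()
        for seq in SUSPECT_SEQUENCES:
            if seq in lowered:
                hits.append((name, seq))
                break
    return hits


def build_alert(ip, fields, when=None):
    """Build the record the post describes: time, ip, field name and content.
    Returns None when nothing looked suspect, otherwise a dict that can be
    written to the error log and used as the body of the notification email.
    Content is truncated so a large payload cannot bloat the log or the mail."""
    hits = find_suspect_fields(fields)
    if not hits:
        return None
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "ip": ip,
        "fields": [
            {"name": n, "matched": s, "content": str(fields[n])[:200]} for n, s in hits
        ],
    }


def log_line(alert):
    """One JSON object per line keeps the error log greppable and parseable."""
    return json.dumps(alert, sort_keys=True)


def render_ip_security(denied_ips):
    """Render an <ipSecurity> block like the one in the post for the given
    addresses, so the deny list can be regenerated instead of hand-edited."""
    root = ET.Element("ipSecurity")
    for ip in denied_ips:
        ET.SubElement(root, "add", ipAddress=ip, allowed="false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed request: one clean field, one carrying a suspect sequence.
    request = {"code": "ABC123", "comment": "select @@version"}
    alert = build_alert("203.0.113.7", request)
    if alert:
        print(log_line(alert))
        print(render_ip_security(["109.230.251.12", alert["ip"]]))
```

Two practical caveats when adopting this pattern. The substring list will flag legitimate input (a comment containing "--", a product name containing "cast"), so the alert should trigger a review, not an automatic block; and since a source address can change between requests, the log record with field name and content is the part that stays useful, while the ip deny list is only a short-term measure.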

SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC