sanjivus
Starting Member
16 Posts
Posted - 2008-05-01 : 23:56:21

I am a developer, not a SQL administrator. We have a site written in classic ASP, using SQL 2000 + SP4 as the backend, running on Windows 2003 + SP2. We have seen a successful SQL injection attack on our site. I am doing my best to update the ASP code so that we can prevent it in future. I am looking for 2 things from SQL gurus:
1.) I need to create a SQL login with least privileges. I don't know how to do that.
2.) What are the things I should check/verify after the attack?
Thanks for your help in advance.

AndrewMurphy
Master Smack Fu Yak Hacker
2916 Posts
Posted - 2008-05-02 : 07:15:57

Remove your inline code and/or dynamic SQL and replace them with stored procedures and parameterised queries. Read more advice on SQL injection posted elsewhere on this site.

sanjivus
Starting Member
16 Posts
Posted - 2008-05-04 : 19:14:56

I am working on updating the ASP code. I really need help to create a login which can insert/update records and execute stored procedures. So far I have:
Created a SQL Server login.
Server Roles: I have not selected any.
Database Roles tab: I have selected the database. Under Database Roles for 'MyDatabase' I have selected public, db_datareader, db_datawriter.
I am not sure what else to do. I did not find any option where to allow the permission to execute stored procedures. All the tables and stored procedures are owned by dbo. I would appreciate it if someone can point me to some article/web resource. Thanks in advance.

rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2008-05-04 : 19:23:41

SQL Books Online tells you how.

sanjivus
Starting Member
16 Posts
Posted - 2008-05-04 : 19:55:25

I have found some information, I just wanted to verify with SQL security experts. I have created a database role and checked select, insert, update for the required tables, and I have selected execute for the required stored procedures. I have added my user to this database role. Am I going in the right direction?

rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2008-05-04 : 19:56:13

Sounds right.

sanjivus
Starting Member
16 Posts
Posted - 2008-05-04 : 20:01:32

Thanks rmiao... does anyone have any additional comments?

jsmith8858
Dr. Cross Join
7423 Posts
Posted - 2008-05-04 : 20:47:45

Again, you must be sure that you are not concatenating input into SQL commands and executing them; all of your input must be passed via parameters. Show us an example of your typical ASP code that executes SQL and/or stored procedures.

- Jeff
http://weblogs.sqlteam.com/JeffS

pootle_flump
1064 Posts
Posted - 2008-05-06 : 09:28:14

Agreed. It sounds like your app may combine dynamic SQL with the SA login. Changing the login will only mean that the scope of future attacks will be more limited, not that they are prevented.

blindman
Master Smack Fu Yak Hacker
2365 Posts
Posted - 2008-05-06 : 11:07:33

You can restrict your users to certain tables and sprocs, but if they execute SQL injection through those sprocs then they may get access beyond what you have granted them directly.

e4 d5 xd5 Nf6
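As an added example, not code from any poster in the thread, here is the setup sanjivus describes (a dedicated database role with object-level grants, no server role) together with blindman's point about procedures, written as a SQL Server 2000 script. WebAppLogin, WebAppUser, WebAppRole, MyDatabase, dbo.Orders, dbo.Products, the procedure name and the password placeholder are all assumptions.

```sql
-- Added example, not from the thread. All object names are assumptions.
USE master
GO
-- 1. A SQL login with NO server role (never sysadmin); the password is a placeholder.
EXEC sp_addlogin @loginame = 'WebAppLogin', @passwd = '<replace-with-strong-password>', @defdb = 'MyDatabase'
GO
USE MyDatabase
GO
-- 2. Map the login to a database user and put it in a dedicated role
--    instead of the broad db_datareader / db_datawriter roles.
EXEC sp_grantdbaccess @loginame = 'WebAppLogin', @name_in_db = 'WebAppUser'
EXEC sp_addrole @rolename = 'WebAppRole'
EXEC sp_addrolemember @rolename = 'WebAppRole', @membername = 'WebAppUser'
GO
-- 3. A dbo-owned procedure that keeps input parameterised even in dynamic SQL:
--    the value is bound through sp_executesql, never concatenated into the text.
CREATE PROCEDURE dbo.usp_FindOrdersByCustomer @CustomerID nchar(5)
AS
    SET NOCOUNT ON
    DECLARE @sql nvarchar(400)
    SET @sql = N'SELECT OrderID, OrderDate FROM dbo.Orders WHERE CustomerID = @cust'
    EXEC sp_executesql @sql, N'@cust nchar(5)', @cust = @CustomerID
GO
-- 4. Grant only what the pages need: DML on named tables, EXECUTE on named
--    procedures. No DELETE, no DDL, nothing granted to public.
--    Static statements inside a dbo-owned procedure run through the ownership
--    chain, so a procedure can reach tables the role has no direct grant on;
--    that is why every granted procedure must itself be injection-free.
--    Dynamic SQL (sp_executesql above) runs with the caller's own rights,
--    which is why SELECT on dbo.Orders is granted to the role directly.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO WebAppRole
GRANT SELECT ON dbo.Products TO WebAppRole
GRANT EXECUTE ON dbo.usp_FindOrdersByCustomer TO WebAppRole
GO
-- 5. Verify: list the role's permissions, and confirm the login holds no server role.
EXEC sp_helprotect NULL, 'WebAppRole'
EXEC sp_helpsrvrolemember          -- WebAppLogin must not appear in this output
```

Run the verification step again after any later change to the role, since a single extra GRANT (or membership in db_owner) silently undoes the least-privilege boundary.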