SQL Injection



My server was badly infected by SQL injection. It was almost eating up
my whole database every hour.
I would recommend a few of the below options to be done... to make
oneself safer.

NOTE: First use the kill char functions to validate proper input.

a) change custom errors to off
b) Update Microsoft updates automatically
c) Restrict network access of SQL Server
Use the Local Security Policy tool to remove the right of the
Everyone group to access the computer from the network. This tool is
located in the Administrative Tools group on the computer.
Disable null sessions to prevent anonymous, or unauthenticated,
sessions. To accomplish this, set the RestrictAnonymous key to 1. This
key is in the Windows registry located at
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.

d) <pages validateRequest="true" ... /> in machine.config
e) Using a RegularExpressionValidator
f) Validate all input as per type of input
validate querystring
void Page_Load(object sender, EventArgs e)
{
    // A missing parameter yields null, which Regex.IsMatch rejects with an
    // exception, so read it once and treat null as an empty string.
    string name = Request.QueryString["Name"] ?? "";
    // Allow only letters, apostrophes, dots and whitespace, 1 to 40 characters.
    if (!System.Text.RegularExpressions.Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        Response.Write("Invalid name parameter");
    else
        Response.Write("Name is " + name);
}

f) Validate Cookie Values

i) MapPath to Prevent Cross Application Mapping
try
{
    // Third argument false: refuse to map a path outside this application.
    string mappedPath = Request.MapPath(inputPath.Text,
                                        Request.ApplicationPath,
                                        false);
}
catch (HttpException)
{
    // Cross-application mapping attempted
}

j) Code Access Security to Restrict File I/O
Set the <trust> element in Web.config or Machine.config:
<trust level="Medium" />


k) HtmlEncode to Encode Unsafe Output
l) Parameters Collection When You Call a Stored Procedure

Parameters Collection When Building Your SQL Statements
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
    myConnection);
// Typed, length-limited parameter: the value is never spliced into the SQL text.
SqlParameter parm = myCommand.SelectCommand.Parameters.Add(
    "@au_id", SqlDbType.VarChar, 11);
parm.Value = Login.Text;
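As an added illustration (not part of the original post or of any Microsoft sample), the concatenated query that makes a page injectable beside the parameterised form recommended above, plus the format check from item f) applied before the value reaches the database. The connection string, the pubs-style Authors table and the ###-##-#### au_id format are assumptions; it targets .NET Framework's System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class AuthorLookup
{
    // Vulnerable form: the input becomes part of the SQL text, so quote
    // characters inside auId change the structure of the statement.
    public static string BuildConcatenatedSql(string auId)
    {
        return "SELECT au_lname, au_fname FROM Authors WHERE au_id = '" + auId + "'";
    }

    // Hardened form: the SQL text is fixed; the value travels as a typed,
    // length-limited parameter and is never parsed as SQL by the server.
    public static SqlCommand BuildParameterisedCommand(SqlConnection conn, string auId)
    {
        var cmd = new SqlCommand(
            "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
        SqlParameter p = cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
        p.Value = auId;
        return cmd;
    }

    // Defence in depth: reject anything that is not shaped like an au_id
    // (assumed pubs-style ###-##-####) before it touches the database.
    private static readonly Regex AuIdPattern = new Regex(@"^\d{3}-\d{2}-\d{4}$");

    public static bool IsWellFormedAuId(string auId)
    {
        return auId != null && AuIdPattern.IsMatch(auId);
    }

    public static void Main()
    {
        // Constructed sample values; the connection is never opened here.
        const string connStr = "Server=(local);Database=pubs;Integrated Security=true";
        string[] inputs = { "172-32-1176", "not-an-id", "" };
        using (var conn = new SqlConnection(connStr))
        {
            foreach (string input in inputs)
            {
                if (!IsWellFormedAuId(input))
                {
                    Console.WriteLine("rejected: \"" + input + "\"");
                    continue;
                }
                SqlCommand cmd = BuildParameterisedCommand(conn, input);
                Console.WriteLine(cmd.CommandText + "  [@au_id=" + cmd.Parameters["@au_id"].Value + "]");
            }
        }
    }
}
```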


l) Verify that ASP.NET Errors Are Not Returned to the Client
m) <customErrors mode="RemoteOnly" />

Also refer to a few of the below links for more help.

http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
http://msdn.microsoft.com/en-us/library/ms998271.aspx
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
http://isc.sans.org/diary.html?storyid=4294
http://www.secureworks.com/research/threats/danmecasprox/
http://blogs.zdnet.com/security/?p=1336
http://channel9.msdn.com/wiki/securitywiki/sqlinjectionlab/
http://www.rotteneggsx.com//r3/show/se/161571.html
