Re: Tools For Scanning Data?
- From: "Arnie Rowland" <arnie@xxxxxxxx>
- Date: Mon, 11 Sep 2006 11:41:31 -0700
1. No automated tools that I know of. You could search though the code looking for occurrences of certain characters and examine the stored procedures that contain them, for example check all procedures that have a angle bracket -of course some will be legitimate usage of greater/lesser than characters -but at least you will find and examine them.
SELECT ROUTINE_NAME
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ( ROUTINE_DEFINITION LIKE '%>%'
AND ROUTINE_DEFINITION NOT LIKE '%>=%'
)
2. What you are concerned about is the occurrence of calls to those stored procedures within your database procedures.
SELECT ROUTINE_NAME
FROM INFORMATION_SCHEMA.ROUTINES
WHERE ROUTINE_DEFINITION LIKE '%[sx]p[_]%'
--
Arnie Rowland, Ph.D.
Westwood Consulting, Inc
Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous
<corey.burnett@xxxxxxxxx> wrote in message news:1157998366.719556.301930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Arnie Rowland wrote:
Corey,Arnie,
It's quite unlikely, even virtually impossible (but impossible only means that I haven't yet discovered a way...) to get anything into varchar fields that can then be retrieved and used against the SQL Server. In this case, Cross Site Scripting (CSS) would be limited to embedded html that could be used to 'deface' a web site.
Since you are concerned that a hacker may have had access to the sa account, you are wise to inspect, even replace from source control, the code objects. I would especially search for stored procedures with sp_addlogin, sp_addsrvrolemember, and sp_addrolemember -in fact, I would look for, and examine, any use of '%sp_%' or '%xp_%' in the DEFINITION column of INFORMATION_SCHEMA.ROUTINES.
I would also thoroughly verify each and every login transferred to the new server, even changing all passwords if possible.
--
Arnie Rowland, Ph.D.
Westwood Consulting, Inc
Thanks for your reply. A couple of follow up items...
1. Are there any automated tools to help clean up embedded HTML in your
SQL Server data? Specifically to fix Cross Site Scripting problems?
2. If we are transferring a database from the old SQL Server to a new,
freshly installed SQL Server, do I still need to worry about the stored
procedures that you mentioned? (sp_addlogin, sp_addsrvrolemember,
sp_addrolemember are all in master - correct?)
Thanks,
Corey
- Follow-Ups:
- Re: Tools For Scanning Data?
- From: mauser
- Re: Tools For Scanning Data?
- References:
- Tools For Scanning Data?
- From: corey . burnett
- Re: Tools For Scanning Data?
- From: Michael Hotek
- Re: Tools For Scanning Data?
- From: corey . burnett
- Re: Tools For Scanning Data?
- From: Arnie Rowland
- Re: Tools For Scanning Data?
- From: corey . burnett
- Tools For Scanning Data?
- Prev by Date: Securing local sql server express MDF/LDF
- Next by Date: Re: Securing local sql server express MDF/LDF
- Previous by thread: Re: Tools For Scanning Data?
- Next by thread: Re: Tools For Scanning Data?
- Index(es):
Relevant Pages
|
