 Preventing sql injection


parrot
Posting Yak Master

132 Posts

Posted - 2013-01-10 : 00:04:38
After going through an experience of having my database infected with sql injection and then fixing the problem, I reviewed the log file and learned of some of the characters hackers use in sql injection. To prevent further attacks I added requestFiltering to my web.config file. It is placed within the <security> block as shown below:

<!-- Goes inside <system.webServer><security> in web.config. -->
<requestFiltering>
    <!-- Requests whose URL contains any of these sequences are rejected by IIS
         before they reach the application. -->
    <denyUrlSequences>
        <add sequence="--"/>
        <add sequence="varchar"/>
        <add sequence="+exec"/>
        <add sequence="+declare"/>
        <add sequence="+cast"/>
        <add sequence="=cast"/>
        <add sequence="@@version"/>
    </denyUrlSequences>
</requestFiltering>

This code will stop any data in a url stream that contains the above characters. So a url that reads http://www.mywebsite.com?code=varchar(8000) will be rejected by the server and will throw an error. However, I also went the extra step and edited for these characters in any input fields as well. Doing this in combination with using parameterized queries should stop most sql injection.
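The parameterized-query half of that advice is the one that actually removes the vulnerability, so here is the vulnerable pattern beside the fixed one. This is an added example, not the poster's code: sqlite3's in-memory database stands in for SQL Server because it runs anywhere, and pyodbc against SQL Server uses the same `?` placeholder style, so the parameterized form carries over unchanged. The table, rows and the hostile input are constructed for the demonstration.

```python
"""Vulnerable string-built query next to its parameterized form.

Added example (not from the forum thread). sqlite3's in-memory database stands
in for SQL Server; pyodbc/SQL Server use the same '?' placeholder style, so the
parameterized pattern is identical. Table, rows and inputs are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a small product table with one "internal" row
    # that the query below is never supposed to return.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [("A100", "widget", 0), ("B200", "gadget", 0), ("Z999", "internal", 1)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    # The value from the querystring is pasted straight into the SQL text, so
    # whatever the user sends is parsed as SQL instead of being treated as data.
    sql = "SELECT name FROM product WHERE code = '" + code + "' AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, code: str) -> list:
    # The driver sends the statement and the value separately; the value can
    # never alter the statement's structure, whatever characters it contains.
    sql = "SELECT name FROM product WHERE code = ? AND secret = 0"
    return [row[0] for row in conn.execute(sql, (code,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: closes the string literal and comments out the rest.
    hostile = "' OR 1=1 --"
    print("vulnerable:   ", lookup_vulnerable(db, hostile))     # every row, secret ones included
    print("parameterized:", lookup_parameterized(db, hostile))  # no product has that code -> []
    print("normal input: ", lookup_parameterized(db, "A100"))   # ['widget']
```

Note that the parameterized version needs no blocklist at all: the same `--` that the request filter above rejects is simply a product code that does not exist. Request filtering is still worth keeping as defense in depth, but it is a blocklist and should not be relied on as the primary control.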

visakh16
Very Important crosS Applying yaK Herder

52326 Posts

Posted - 2013-01-10 : 00:30:19
See other ways of stopping sql injection attacks

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/


robvolk
Most Valuable Yak

15732 Posts

Posted - 2013-01-10 : 07:27:35
Here are some more resources:

http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

I would even suggest not using the querystring for passing parameters, and only use form elements in the request header. This doesn't really make it more secure, but it helps identify any attackers that append text to a querystring.

I just recently read an interesting injection article; I'll have to find and post it later. Best part is that the site being hacked is still up and vulnerable.

robvolk
Most Valuable Yak

15732 Posts

Posted - 2013-01-10 : 10:45:25
Here it is:

http://www.securitylearn.net/2013/01/07/sql-injection-exploitation-and-dumping-the-database/

It's not too hard to figure out which site this is and play with it on your own. You'll see how easy it is to play around with querystring parameters and get data back.

parrot
Posting Yak Master

132 Posts

Posted - 2013-01-10 : 10:58:48
I should also mention that if my program data validation routine detects suspect data, I capture the ip address associated with the input and send myself an email noting the time, ip address, data field name and data content. I also write this to an error log. This way I can add the ip address to a deny list in my web.config file after checking to see the geo location of the ip address. In my sql injection episode I found out the ip address was located in Germany. For those who want to know the offender's ip address it is 109.230.251.12. I added this ip address to my web.config file in the <security> block as follows:

<!-- Goes inside <system.webServer><security> in web.config. The ipSecurity
     section is locked at the server level by default, so it must be unlocked
     in applicationHost.config (or via Feature Delegation in IIS Manager), and
     the "IP and Domain Restrictions" role service must be installed. -->
<ipSecurity>
    <add ipAddress="141.136.17.150" allowed="false" />
    <add ipAddress="193.107.16.97" allowed="false" />
    <add ipAddress="217.106.238.157" allowed="false" />
    <add ipAddress="109.230.251.12" allowed="false" />
</ipSecurity>

The above ip addresses are from Bulgaria, Russia, and Germany. Feel free to put them on your deny list. I would add all ip addresses from Russian block countries if I could but that is impossible to determine.
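The validation-and-alerting routine the post describes, written out as an added example (it is not the poster's code). It reuses the sequences from the denyUrlSequences fragment earlier in the thread, matches them case-insensitively on the percent-decoded value so that an encoded `%2D%2D` is still seen as `--`, checks the source address against a deny list, and produces the log line and alert text with the time, IP, field name and content. The request, the timestamp and the deny-list entries (documentation-range addresses, not the ones in the post) are constructed; nothing is actually emailed. As in the post, this is detection on top of parameterized queries, not a replacement for them.

```python
"""Suspect-input detection with per-finding logging, as described in the post.

Added example, not the poster's code. Sequences come from the thread's
denyUrlSequences block; request data, timestamp and deny list are constructed.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import unquote

# Same sequences as the denyUrlSequences block earlier in the thread.
SUSPECT_SEQUENCES = ("--", "varchar", "+exec", "+declare", "+cast", "=cast", "@@version")

# Constructed deny list (documentation ranges). A bare address becomes a /32,
# so single hosts and whole ranges are handled by the same membership test.
DENIED_NETWORKS = [
    ipaddress.ip_network("192.0.2.10"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed request: one clean field, one value from the post's own example
# URL, and one percent-encoded comment marker.
SAMPLE_REQUEST = {"code": "varchar(8000)", "name": "A100", "id": "7%2D%2D"}
SAMPLE_IP = "203.0.113.5"
SAMPLE_WHEN = datetime(2013, 1, 10, tzinfo=timezone.utc)


def find_suspect_sequences(raw_value: str) -> list[str]:
    # Percent-decode so %2D%2D is seen as "--". unquote() leaves "+" in place,
    # so the post's "+exec"-style sequences still match. Case-insensitive.
    decoded = unquote(raw_value).lower()
    return [seq for seq in SUSPECT_SEQUENCES if seq in decoded]


def ip_is_denied(remote_ip: str, deny_list=DENIED_NETWORKS) -> bool:
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in deny_list)


def inspect_request(remote_ip: str, fields: dict[str, str],
                    when: datetime | None = None) -> list[dict]:
    # One finding per suspicious field: time, source IP, field name and the
    # offending content, i.e. exactly what the post says it emails and logs.
    when = when or datetime.now(timezone.utc)
    findings = []
    for name, raw in fields.items():
        hits = find_suspect_sequences(raw)
        if hits:
            findings.append({
                "time": when.isoformat(),
                "ip": remote_ip,
                "field": name,
                "content": raw,
                "matched": hits,
                "ip_already_denied": ip_is_denied(remote_ip),
            })
    return findings


def to_log_line(finding: dict) -> str:
    # One JSON object per line: easy to grep and to feed into a log pipeline.
    return json.dumps(finding, sort_keys=True)


def alert_text(findings: list[dict]) -> str:
    # Body of the notification e-mail the post describes; sending is out of scope.
    return "\n".join(
        f"{f['time']} ip={f['ip']} field={f['field']} "
        f"content={f['content']!r} matched={f['matched']}"
        for f in findings
    )


def run_sample() -> list[dict]:
    # Runs the detector over the constructed request with a fixed timestamp.
    return inspect_request(SAMPLE_IP, SAMPLE_REQUEST, when=SAMPLE_WHEN)


if __name__ == "__main__":
    results = run_sample()
    for finding in results:
        print(to_log_line(finding))   # what goes to the error log
    print("--- alert ---")
    print(alert_text(results))        # what goes in the e-mail
```

Matching on the decoded value is the important design choice: a detector that only looks at the raw string misses anything the client encoded, while the database driver sees the decoded form. The `ip_already_denied` flag is there so repeat hits from an address that is already on the deny list show up as a sign that the IIS-level block is not taking effect.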