0 Replies Latest reply on Apr 28, 2008 12:46 PM by HarryWaldron

    Weak SQL coding techniques result in Huge SQL Injection attacks

      A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents.

      A major wave of automated SQL Injection attacks are occurring. These have been designed and coded for the IIS and SQL-Server environments. There are no new vulnerabilities in these projects, as the attacks are occurring on sites where the best security practices have not been designed into applications (e.g., safety techniques that prevent the injection of malware using a vulnerable SQL statement into the website)

      Due to an increasing number of SQL Injection attacks in-the-wild, web developers need to ensure they are using the best developmental practices. Users should continue to be cautious in the sites they visit and stay up-to-date on security patches and AV protection.

      Huge SQL Injection attacks infect 500,000 pages
      http://www.f-secure.com/weblog/archives/00001427.html
      http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleI d=9080580
      http://hackademix.net/2008/04/26/mass-attack-faq/

      QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages. We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

      IIS Blog - SQL Injection Attacks on IIS Web Servers
      http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-s ervers.aspx

      QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

      MSRC Blog - Questions about Web Server Attacks
      http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-atta cks.aspx

      QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

      BEST PRACTICES - How to protect against SQL Injections
      http://msdn2.microsoft.com/en-us/library/ms998271.aspx

      -- Learn how SQL injection attacks work.
      -- Constrain input to prevent SQL injection.
      -- Use type safe SQL command parameters to prevent SQL injection.
      -- Use a least privileged account to connect to the database.
      -- Learn additional countermeasures to further reduce risk.


      What are SQL Injection attacks?
      http://en.wikipedia.org/wiki/SQL_injection
      http://msdn2.microsoft.com/en-us/library/ms161953.aspx
      http://msdn2.microsoft.com/en-us/library/bb671351.aspx

      QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.