Tidbits and thoughts on webhosting, web applications and just general cool geek crap.
26 Jun
The number of SQL Injection attacks across the Internet continues to rise. I’m seeing regular postings on the SANS RSS feed related to SQL Injection and XSS these days, and clients are finding that applications they thought were not vulnerable turn out to be vulnerable because of patches and custom mods they’ve had made to them. For most site owners this means going back to the developers and getting updates, which is generally costly and time consuming. Fortunately, Microsoft has stepped up to the plate and brought us a little relief in the form of the URLScan 3.0 beta/go-live release.
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/advisory/954462.mspx
Link to download HP’s custom SQL injection scanner and how to use it. They created this for Microsoft to help you identify possible vulnerabilities in your site.
A source code analysis application that can help identify vulnerable code in your application.
UrlScan 3.0 Beta. I’m generally opposed to installing beta software on a production webserver, but I think if you’re getting hammered, it’s probably better to just bite the bullet and do it. As you probably know, UrlScan was for the most part built into IIS 6, but it doesn’t have querystring filtering; this build does, and it works with IIS 5.1 and later, including our beloved IIS 7.0. Kudos to the IIS Team!
A word of caution: I’ve installed this for a few people, and a couple of times it wouldn’t load after the initial install (beta software). My fix for this was to install the ISAPI filter directly on the website in question. I used Filemon to watch for when it triggered and referenced the log files to tweak out false positives from there. Each site is unique, so you’ll need to tweak your settings accordingly.
LogParser is another great tool for reviewing your server logs and searching for information such as hack attempts. Steve Schofield has a nice write up about using LogParser and URLScan.
Q: Is it Microsoft’s fault and if not then who’s fault is it?
A: It’s yours and your developer’s fault. As hackers evolve, so must our techniques to combat them. Coding methods and ways to access SQL Server have changed over the years as a result of this, and if you haven’t had your site updated, then it’s your fault.
Q: I just moved my website to a new server and I’m getting hacked now and I wasn’t before. It’s the new server right?
A: No. This is a new type of worm, if you will, that is affecting websites; the fact that you changed hosts, websites or applications probably doesn’t have anything to do with it at all. This really started to become a huge problem around late April of this year, and we’ve watched it grow into a bigger problem since then.
Q: Is URLScan the answer to my prayers?
A: Consider it a stopgap you’ll be able to employ until you’ve had your web applications updated. You really need to get your application secured.
Q: I haven’t been attacked, how do I know if I’m vulnerable?
A: Use the two tools above, and you might also want to hire a service to do website security scans. If you’re hosted with Applied Innovations you can get free quarterly security scans from scanalert.com.
Q: What kinds of applications are vulnerable? Is it just shopping carts?
A: Every application that accesses a database server of any kind is potentially vulnerable.
Q: My website is written in XXXX language and it’s supposed to be very secure, am I vulnerable?
A: Potentially, YES! Any web application that uses a database can be vulnerable.
15 Jun
With the new addition to the family I’ve got a renewed interest in taking photographs (and video) and of course sharing them. Yeah, I’m one of those Dads. So today I wanted to crop an image for William’s website (yeah, not even 5 days old and he’s already got his own website at http://williamcoburn.net ). The image I wanted to crop and enhance was of the wallpaper border in his room of Pooh Bear. The only tools I had available on my desktop were Picasa and SnagIt.
So the first thing I started to do was download a trial of Photoshop Elements or Paint Shop Pro (I miss the days JASC provided it). Then it struck me that Adobe recently made an online version of Photoshop available called Adobe Photoshop Express. I created a free account, uploaded the image, and was able to enhance, rotate and crop it within 5 minutes; the finished product is visible on William’s site.
So here’s a few online photo editors available for free (I love freebies):
Adobe Photoshop Express - Adobe’s actually late to the game but they have the name and reputation to bring them to #1 pretty quickly if not already.
FotoFlexer - This is actually my favorite of the ones I played with tonight. It has a lot of features the others don’t seem to have and little gadgets I love like inserting your own face in a picture, creating little inspirational posters, etc.
Splashup - It seemed pretty basic to me and I really didn’t get that involved with it.
Picnik - I enjoyed using this one and found it really intuitive.
I also found a couple of ASP.NET projects that seemed to offer basic features and could make a nice little runner-up. Who knows, maybe you’ll see photoeditor.jesscoburn.com before long.
22 May
The folks over at Early Impact (makers of ProductCart) have released a tool to help remove JavaScript code from a SQL database that may have been hacked as part of the SQL Injection attacks taking place today on the Internet. Here are the details from their newsletter and a link to the SQL query you can execute. Please be warned, I haven’t tested this, so make sure you have a backup before executing it (just in case):
If your database is hacked
If your store is hacked (JavaScript code added to fields such as product names and descriptions), follow these steps
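To show what a cleanup of this kind has to do, here is an added example (mine, not Early Impact’s tool or their SQL query) that walks every text column of a database, reports cells carrying injected script or iframe markup, and strips it. It runs against a constructed in-memory SQLite store with made-up rows; the pattern, table names and the `example.invalid` URLs are all assumptions for the demo, and a real store on SQL Server would need the same walk done over its own tables, after a backup.

```python
import re
import sqlite3

# Markup the post describes being written into product fields: a <script> tag
# pulling a remote .js file, or a hidden <iframe>. Illustrative pattern only.
INJECTED_MARKUP = re.compile(
    r"<\s*(script|iframe)\b[^>]*>.*?<\s*/\s*\1\s*>|<\s*(script|iframe)\b[^>]*/?>",
    re.IGNORECASE | re.DOTALL,
)

def build_sample_db():
    """Constructed stand-in for a store database; none of this is real data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT);
    """)
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Blue Widget", "A sturdy widget."),
        (2, 'Red Widget<script src="http://example.invalid/x.js"></script>',
         "Painted red.<iframe src='http://example.invalid/f.html' width=0 height=0></iframe>"),
    ])
    con.execute("INSERT INTO categories VALUES (1, 'Widgets')")
    return con

def text_columns(con):
    """Yield (table, column) for every TEXT column, read from the schema catalog."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        for col in con.execute(f'PRAGMA table_info("{t}")'):
            if (col[2] or "").upper() == "TEXT":
                yield t, col[1]

def find_injected(con):
    """Return [(table, column, rowid, value)] for every cell holding injected markup."""
    hits = []
    for t, c in text_columns(con):
        for rowid, value in con.execute(f'SELECT rowid, "{c}" FROM "{t}"'):
            if value and INJECTED_MARKUP.search(value):
                hits.append((t, c, rowid, value))
    return hits

def clean_injected(con):
    """Strip the matched markup from each hit in place; return the cell count changed."""
    changed = 0
    for t, c, rowid, value in find_injected(con):
        con.execute(f'UPDATE "{t}" SET "{c}" = ? WHERE rowid = ?',
                    (INJECTED_MARKUP.sub("", value), rowid))
        changed += 1
    con.commit()
    return changed
```

Run `find_injected` first and review the hits before calling `clean_injected`, since a legitimate description that embeds a video iframe would match too.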
24 Apr
It’s a shame, but not many website owners or, for that matter, web developers are familiar with what SQL Injection is and just why it’s something they need to worry about. I’m noticing through various forums, friends, etc. an increased number of sites being exploited for Cross Site Scripting through SQL Injection. Most blog readers are going to say “HUH? Cross Eyed Scripting? What Injection?”
Here’s what I’m talking about: a hacker will come to your website and use SQL injection to gain access to your database so he can then run SQL queries against your database directly. Not only will he have full read access to your database contents (if it’s an e-commerce site you are encrypting your customer information, right?), but he’ll be able to modify your database and place his own code in there. What you might find is some iframe HTML code calling a JavaScript file (www.domain.com/hackerscript.js), inserted into your database content so that it loads in your pages alongside your actual content. Then some website visitor comes to your site, and their browser attempts to run this JavaScript, which downloads and installs a Trojan on their computer. Now not only is your site hacked, but you’re spreading malware all over the Internet, and if you don’t do something about it soon, you’re going to get flagged by Google and the other search engines.
Yes this is a bad bad thing.
UPDATE: Moments after posting this blog post I found a blog post about the United Nations Events page being marked as malware through SQL Injection.
I’m not going to rehash all the gory details on SQL Injection but instead recommend you read the following references:
A great article on SQL Injection by Paul Litwin (he’s a programming superhero)
Neil Carpenter’s Blog articles on: Anatomy of a SQL Injection Incident Part 1, and Part 2, and SQL Injection a Comment.
ScottGu’s Blog: Tip/Trick: Guard Against SQL Injection Attacks
Michael Sutton’s Blog: How Prevalent are SQL Injection Vulnerabilities?
These articles all have links to other great articles, and you’ll learn more than you ever wanted to know about SQL Injection.
The problem with SQL Injection is that so many people out there are using scripts they don’t understand: they not only don’t know whether they’re vulnerable, they also don’t know how to fix it. So step #1 is to find out if you’re vulnerable, and here are my recommendations for that:
#1 ScanAlert.com - If you’re hosted at AppliedI.net they’ll provide you a year of quarterly scans for free and then a reduced renewal. They also have a service called HackerSafe that does daily scans of your site, and I highly recommend you use a service like this, as they’ll really dig through your site and alert you that you’re vulnerable before it’s too late.
#2 Secunia.com - They provide a great resource cataloging vulnerable software and providing frequent updates as new vulnerabilities are discovered. If you’re using any 3rd party applications (freeware, open source, commercial, anything) I recommend you punch it in and take a look. For a quick reference, here’s a graphic representation of vulnerabilities in osCommerce.
And here’s one for all the Anti-Windows Hosting people. Here are all the vulnerabilities found in IIS 6 from 2003 to today (there was one released just recently): there have been 5, and all are either patched or have workarounds provided:
Here’s the same graphic for Apache 2.0.x: there have been 35, and it looks like some are still unpatched or only partially fixed:
From the Secunia site you can get more information on security holes and the impact they have. BTW, I did a quick search on advisories for SQL Injection; there were 2072 returned results. Yes, it’s a problem.
#3 Use another security scanner like Nessus, Acunetix, Elanize’s Web Security Scanner, etc.
So the big question is: how do I protect my site from SQL Injection? The answer: YOU FIX YOUR CODE! The problem is that not all website operators are website developers, and they don’t know how to fix their site or they don’t have the resources (money, experience, etc.) to fix their site. What are they to do? THEY HAVE TO FIX THEIR CODE! If you can’t fix it, I recommend you find a replacement application that’s not susceptible to SQL Injection. If you can’t find a replacement application and can’t fix your code, here are a few tips that might help, but this really needs to be addressed in the application itself:
IIS 6 SQL Injection Sanitation ISAPI Wildcard - It’s an ISAPI filter that intercepts all requests and cleans out the dirty SQL injection code.
Port 80’s Server Defender - It protects against a lot more than just SQL injection and is billed as a Web application firewall.
A little ASP Script for cleaning inputs that you can incorporate into your application.
A little guidance from MSDN.
And numerous other resources out there for your review.
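What “fix your code” actually means, as an added example (mine, not from any of the tools or articles linked above): the vulnerable pattern is user input pasted into the SQL text, the fix is a bound parameter, and a second layer is HTML-encoding database values before they reach the page so that stored markup renders as text instead of executing. The store table and its rows are constructed for the demo, and SQLite stands in for SQL Server.

```python
import html
import sqlite3

def make_store():
    """Constructed sample store: two public products and one that must stay hidden."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visible INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Blue Widget", 1), (2, "Red Widget", 1), (3, "Unreleased Gadget", 0)])
    return con

def search_vulnerable(con, term):
    """The pattern the post warns about: the search term becomes part of the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM products WHERE visible = 1 AND name LIKE '%"
           + term + "%' ORDER BY id")
    return [r[0] for r in con.execute(sql)]

def search_parameterized(con, term):
    """Same query with a bound parameter: whatever the input contains, the database
    only ever sees it as one string value, never as query structure."""
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ? ORDER BY id"
    return [r[0] for r in con.execute(sql, ("%" + term + "%",))]

def render_name(name):
    """Encode a database value for the page: an injected <iframe> or <script> that
    somehow reached the table is shown as literal text rather than executed."""
    return html.escape(name)

if __name__ == "__main__":
    con = make_store()
    probe = "' OR 1=1 --"  # well-known tautology input used here only to show the difference
    print("vulnerable    :", search_vulnerable(con, probe))      # hidden product leaks
    print("parameterized :", search_parameterized(con, probe))   # nothing matches
    print(render_name('Red<iframe src="x"></iframe>'))
```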
I don’t know why I always have a conclusion, but you have to close your article somehow. In conclusion, I hope you spend some time and read a few of the articles linked to in this blog post. You’ll learn more about SQL Injection and hopefully avoid being compromised by it.
14 Apr
I recently blogged about my new productivity device (AKA my new toy), an AT&T Tilt. I’ve been using a Motorola Q for years and missed the capabilities of a PDA phone (like the Tilt) versus a smart phone (like the Q). The Q had superior voice quality and a better overall phone experience, but the Tilt has a vast number of features and functionality that make it much more than a cell phone.
One of these great features the Tilt has is a built-in GPS receiver. When you bundle a GPS with a Windows powered device and add on top of that a 3G data network, the creative applications start to flow, and one such application is called TrackMe. TrackMe records your GPS data every few seconds and stores it in a local SQL 2005 Compact Edition database (I should note it’s written on the .NET 3.5 Framework). It then creates data files that are compatible with Google Earth. You can take it a step further and embed GeoCodes (GPS coordinates) into your photos taken with your camera and provide not only the path you took but show pictures along the way. But wait, it gets cooler.
You can also get a special tracking script that uses PHP and MySQL and load it on your website and let TrackMe feed your information back to your server in real-time.
This weekend I was fortunate enough to be invited to the Telefonica Second Annual Fishing Tournament, which was held as part of their Leadership Conference. The fishing tournament was made up of about 30 people spread across 5 charter boats, all fishing for game fish. I decided that this would be the perfect opportunity to use TrackMe (in case our 3 hour cruise turned into a much longer trip à la Gilligan’s Island).
What was interesting on this trip was that immediately as the boat took off, everyone fired up the GPS on their smartphone of choice and started tracking the coordinates of where the captain was taking us! (It didn’t do much good, though; the only fish caught on this trip was the one little 8 lb kingfish I got.)
Anyway, you can see my TrackMe results here. You’ll want to select “none” under trip and click show, and it will show all my data points out of Key Biscayne. You can also see map view and satellite view (which is the more interesting of the two).
Here’s a few cool screen shots:
Our boat was actually in the third slip at the marina there.
Here’s the path we took coming out of the marina.
Here’s a bird’s eye view of the entire path we took. (I stopped taking measurements when the first fish started biting)
Finally, if you click on any of the points it will give information regarding speed, etc.
Unfortunately, I didn’t take any photos on this trip, but there’s always the next blog post for that.
Oh, one last post: Christopher Columbus might have been the first to discover the world wasn’t flat, but now I too have taken a boat ride off the edge of the world (albeit the Google Earth world).