Windows Web Hosting, Web Technologies, etc
Posts tagged sql injection
SQL Injection Help .. Microsoft to the rescue with URLScan 3.0.
Jun 26th
The number of SQL Injection attacks across the Internet continues to rise. I’m seeing regular postings on the SANS RSS feed related to SQL Injection and XSS these days, and clients are finding that applications they thought were not vulnerable turn out to be vulnerable because of patches and custom modifications they’ve had made to them. For most site owners this has meant going back to the developers and getting updates, which is generally costly and time consuming. Fortunately, Microsoft has stepped up to the plate and brought us a little relief in the form of the URLScan 3.0 beta/go-live release.
Here are a few links to get you to the good stuff and hopefully save the day:
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/advisory/954462.mspx
Link to download HP’s custom SQL injection scanner and how to use it. HP created it for Microsoft to help you identify possible SQL injection points in your site.
A source code analysis application that can help identify vulnerable code in your application.
UrlScan 3.0 Beta. I’m generally opposed to installing beta software on a production web server, but if you’re getting hammered it’s probably better to just bite the bullet and do it. As you probably know, most of what UrlScan 2.5 did was built into IIS 6, but neither of them filters the query string; this build does, and it works with IIS 5.1 and later, including our beloved IIS 7.0. Kudos to the IIS Team!
Word of caution
I’ve installed this for a few people and a couple of times it wouldn’t load after the initial install (beta software). My fix for this was to install the ISAPI filter directly on the website in question. I used Filemon to watch for when it triggered and referenced the log files to tweak out false positives from there. Each site is unique, so you’ll need to tweak your settings accordingly.
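As an added example (assembled for this page, not the configuration from the post), here is the shape of a urlscan.ini that turns on the query-string filtering described above and leaves room for the per-site tuning the caution calls for. The section and option names are those documented for UrlScan 3.0, and the `/~*` logging-only value for RejectResponseUrl is documented UrlScan behaviour; the `.asp`/`.aspx` scope, the deny strings and the log path `C:\inetpub\logs\UrlScan` are assumptions you would adjust for your own site.

```ini
; urlscan.ini fragment for UrlScan 3.0, assembled as an example for this post.
; Section and option names follow the UrlScan 3.0 reference; the extensions,
; deny strings and log path are assumptions to tune per site.

[Options]
; Also check the query string after %-decoding, so %27 and ' are treated alike.
UnescapeQueryString=1
; Name(s) of the custom rule section(s) defined below, comma separated.
RuleList=SQL Injection
; Assumed path. Read these logs to find false positives before tightening rules.
LoggingDirectory=C:\inetpub\logs\UrlScan
; Logging-only mode: would-be rejections are logged but allowed through.
; Remove this line once the rules are tuned so requests are actually blocked.
RejectResponseUrl=/~*

[DenyQueryStringSequences]
; Sequences rejected anywhere in any query string (assumed list).
<
>
..

[AlwaysAllowedQueryStrings]
; Exact query strings exempted from the checks; add known false positives here.

[SQL Injection]
; Custom rule: scan only the query string of classic ASP and ASP.NET requests.
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
; One sequence per line. The reference sample lists both raw and %-escaped
; spellings of a character, so do the same for anything you add.
--
%3b ; a semicolon
/*
@ ; also catches @@
xp_
```

Run it in logging-only mode first, compare the UrlScan log against the IIS log for the same period, move any legitimate query strings into AlwaysAllowedQueryStrings, and only then remove the RejectResponseUrl line. A deny string such as `@` or `--` will hit legitimate traffic on some applications, which is exactly the per-site tuning the post warns about.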
Another useful tool
LogParser is another great tool for reviewing your server logs and searching for information such as hack attempts. Steve Schofield has a nice write-up about using LogParser with URLScan.
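To make "searching the logs for hack attempts" concrete, here is an added example (written for this page in Python; it is not the author's or Steve Schofield's LogParser query) that does what a LogParser query over `cs-uri-query` would do: parse IIS W3C extended log lines, percent-decode the query string repeatedly so double-encoded payloads are seen the way the database would see them, and flag requests that match a few T-SQL and tautology patterns. The log lines in `SAMPLE_LOG` are constructed for the demo, with documentation-range IPs; the signature names are this example's own.

```python
"""Flag SQL injection attempts in IIS W3C extended log lines.

Added example for this post, not the author's LogParser query. SAMPLE_LOG is
constructed for the demo, not taken from a real server.
"""
import re
from urllib.parse import unquote_plus

# Constructed IIS 6 W3C extended log: two benign hits, one encoded T-SQL payload
# of the kind seen in the 2008 outbreak, one quoted tautology, one double-encoded
# tautology (%2527 -> %27 -> ').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-06-26 10:01:02 203.0.113.7 GET /products.asp id=12 200
2008-06-26 10:01:05 203.0.113.7 GET /products.asp id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-06-26 10:01:09 198.51.100.4 GET /search.asp q=red%20shoes 200
2008-06-26 10:01:11 198.51.100.4 GET /login.asp user=admin%27%20OR%20%271%27%3D%271&pass=x 302
2008-06-26 10:01:15 192.0.2.9 GET /products.asp id=7%2527%2520OR%25201%253D1 500
"""

# Heuristic signatures (names are this example's own); applied to the decoded query.
SIGNATURES = {
    "tsql-declare":  re.compile(r"\bdeclare\s+@", re.I),
    "tsql-cast":     re.compile(r"\bcast\s*\(", re.I),
    "tsql-exec":     re.compile(r"\bexec(ute)?\s*\(", re.I),
    "xp-procedure":  re.compile(r"\bxp_\w+", re.I),
    "stacked-query": re.compile(r";\s*(declare|exec|insert|update|delete|drop)\b", re.I),
    "tautology":     re.compile(r"'\s*or\s+['\w]+\s*=\s*['\w]+", re.I),
    "hex-blob":      re.compile(r"\b0x[0-9a-f]{16,}", re.I),
}


def decode_query(raw, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded input
    is inspected in the form the database would eventually receive."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_injection_attempts(text):
    """Return the requests whose decoded query string matches any signature."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = decode_query(query)
        matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
        if matched:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "cs-uri-stem": rec["cs-uri-stem"],
                "rules": matched,
                "decoded": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-uri-stem"], ",".join(hit["rules"]))
        print("   ", hit["decoded"])
```

Point it at a real log by reading the file into `find_injection_attempts` instead of `SAMPLE_LOG`. The patterns are deliberately narrow so the output is short enough to read; a hit on `tautology` or `stacked-query` from one client IP across many stems is the signature of the automated scanning the post describes, and the decoded query shows you exactly which parameter the application failed to protect.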
A few FAQs on this subject:
Q: Is it Microsoft’s fault, and if not then whose fault is it?
A: It’s yours and your developer’s. As attackers evolve, so must our techniques to combat them. Coding methods and ways of accessing SQL Server have changed over the years as a result, and if you haven’t had your site updated, then it’s your fault.
Q: I just moved my website to a new server and I’m getting hacked now when I wasn’t before. It’s the new server, right?
A: No. This is a new type of worm, if you will, that is affecting websites; the fact that you changed hosts, websites or applications probably doesn’t have anything to do with it. This really started to become a huge problem around late April of this year and we’ve watched it grow into a bigger problem since then.
Q: Is URLScan the answer to my prayers?
A: Consider it a stopgap you can employ until you’ve had your web applications updated. You really need to get your application secured.
Q: I haven’t been attacked, how do I know if I’m vulnerable?
A: Use the two tools above, and you might also want to hire a service to do website security scans. If you’re hosted with Applied Innovations, you can get free quarterly security scans from scanalert.com.
Q: What kinds of applications are vulnerable? Is it just shopping carts?
A: Every application that accesses a database server of any kind is potentially vulnerable, not just shopping carts. The problem is how user input reaches the query, not what the application does.
Q: My website is written in XXXX language and it’s supposed to be very secure, am I vulnerable?
A: Potentially, YES! The language doesn’t make a web application safe; any web application that builds database queries from user input can be vulnerable.
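The last two answers come down to one thing, so here is an added example (written for this page, not code from the post) that puts the bug beside the fix. It uses Python’s bundled sqlite3 with an in-memory table so it runs anywhere; the `users` table, its rows and the function names are constructed for the demo. The same shape of bug exists in classic ASP, ASP.NET, PHP or anything else that concatenates a query.

```python
"""String-built SQL beside its parameterized fix.

Added example for the FAQ above, not code from the post. The users table and
its rows are constructed for the demo.
"""
import sqlite3


def make_db():
    """Throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "correct-horse")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: the input is pasted into the SQL text, so a quote in the input
    closes the string literal and whatever follows is parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' ORDER BY id"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: the SQL text is constant; the values are bound separately and
    compared as data, never parsed as SQL, whatever characters they hold."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run the same inputs through both versions; returns (user, pw, vuln, safe) rows."""
    conn = make_db()
    cases = [
        ("alice", "s3cret"),        # legitimate login
        ("admin' --", "wrong"),     # closes the literal and comments out the password check
        ("nobody", "' OR '1'='1"),  # tautology: ... AND password = '' OR '1'='1' is true for every row
    ]
    return [
        (user, pw, login_vulnerable(conn, user, pw), login_parameterized(conn, user, pw))
        for user, pw in cases
    ]


if __name__ == "__main__":
    for user, pw, vuln, safe in demo():
        print(f"{user!r:16} {pw!r:16} vulnerable={vuln} parameterized={safe}")
```

Two things to notice. First, the parameterized version needs no input filtering to be safe, and the vulnerable one cannot be made safe by filtering alone, because the flaw is in how the query is assembled. Second, SQL Server accepts several statements in one batch, so the same bug that here merely bypasses a login also lets an attacker append a DECLARE/EXEC batch that rewrites every text column in the database, which is why restoring a backup without fixing the code just resets the clock; parameterize the queries and give the web application’s database login only the rights it needs.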
SQL Injection attacks continue, Is it Microsoft’s Fault?
Apr 28th
My previous blog post attempted to explain SQL injection and why it’s a problem. It has started to get media coverage now, and the media is looking for a target (scapegoat). So, as is often the case, someone gets wrongly blamed, and right now it’s of course Microsoft.
It’s NOT Microsoft’s fault.
Here’s what’s happening: Microsoft recently announced a couple of new vulnerabilities, and one of these was in IIS. At the same time there’s a barrage of SQL Injection attacks being carried out, and the natural assumption is “OH, IT’S THOSE NEW VULNERABILITIES IN MICROSOFT”. I guess they’ll never live down Sasser and Nimda. So I’m sorry, but it’s not Microsoft’s fault; it’s your code. Fix your code.
Then whose fault is it?
It’s yours. You loaded unsafe code on your website and you didn’t fix it. Just restoring a backup of your database is not going to fix it; the code that let the attacker in is still there, so you’re still vulnerable.
Bill Staples has a blog posting about SQL Injection and references some good resources on his blog and also lays to rest the misconception that this is Microsoft’s fault.
Patrick S also has a great blog article on the current attacks at msblog.org that shows the decoded SQL code posted to sites and states that there are now 510,000 modified pages in Google as part of this same outbreak, all linking back to three common sites. Unfortunately, he attributes it to the IIS vulnerability, which it is not.
Here’s another nice blog post (although it’s SQL Injection, not “SQL Infection”) that talks about this current outbreak and references Jeremiah Grossman, CTO of WhiteHat Security, who was the individual who pointed out to me last year that every website is vulnerable in some fashion.
Finally, Bill Sisk is also putting the whole thing to rest: it’s not Microsoft’s fault.
At any rate, this is a pretty nasty outbreak and I’d recommend you hit some of the resources linked in my earlier SQL Injection post.