Stopping SQL Injection ASP
Asked by Slim81
hey guys and gals,
I would have never thought I would be hacked, but over the last few days that has happened. Looks like they have flooded my db with some information, hopefully not getting anything in return...
I use Dreamweaver CS3 to do the majority of my sql statements and recordset building. I was under the assumption that because they use prepared statements (I think that is what it is called) and parameters I was fairly safe when it came to injections.
Here is my dreamweaver generated code:
<%
If (CStr(Request("MM_insert")) = "signupForm") Then
  If (Not MM_abortEdit) Then
    ' execute the insert
    Dim MM_editCmd
    Set MM_editCmd = Server.CreateObject("ADODB.Command")
    MM_editCmd.ActiveConnection = MM_orderCaveBearAwesome_STRING
    ' The SQL text is fixed; the five "?" placeholders are filled from bound parameters,
    ' so the submitted values are never parsed as part of the statement
    MM_editCmd.CommandText = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password, malID, profileActive, signDate) VALUES (?, ?, ?, ?, ?)"
    MM_editCmd.Prepared = true
    ' CreateParameter(name, type, direction, size, value): type 201 = adLongVarChar, 5 = adDouble; direction 1 = adParamInput
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param1", 201, 1, 255, Request.Form("signEmail")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param2", 201, 1, 255, Request.Form("signPw")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param3", 201, 1, 255, Request.Form("malID")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param4", 5, 1, -1, MM_IIF(Request.Form("profileActive"), Request.Form("profileActive"), null)) ' adDouble
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param5", 201, 1, 10, Request.Form("signDate")) ' adLongVarChar
    MM_editCmd.Execute
    MM_editCmd.ActiveConnection.Close
    ' append the query string to the redirect URL
    Dim MM_editRedirectUrl
    ' Note: the submitted e-mail is placed in the URL as-is, without Server.URLEncode
    MM_editRedirectUrl = "signupPage2.asp?login=" & Request.Form("signEmail")
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)
  End If
End If
%>
It looks like they added about 150 records to my db yesterday, mostly with info like this: '));SELECT pg_sleep(3);--
How come dreamweaver's parameters didn't stop the attack?
Thanks,
Slim
There is no validation of the parameters (from the code you provided) - they are blindly added to the SQL before execution.
From your description I don't see that you've been cracked... you do have some records with data that show they tried to inject your app, but since you have bind variables, they have been used as strings and inserted as any other data would have.
If you had NOT used binds, then you would NOT see the evidence of the cracking attempts. Instead, their strings would have been taken as commands, EXECUTED, and therefore NOT recorded as data in your 150 records.
So, what evidence (if any) are you claiming proof of a supposedly successful cracking?
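To make the point about bind variables concrete, here is an added example written for this edit (it is not code from the thread, from Dreamweaver or from ADO): a Python script with an in-memory SQLite database standing in for the asker's PostgreSQL/ADO setup. The table and column names come from the posted INSERT; the schema, the SQLite stand-in, the concatenating variant and the second, destructive payload are constructed for the demonstration.

```python
import sqlite3

# The exact string found in the asker's bogus rows (quoted in the thread).
PROBE = "'));SELECT pg_sleep(3);--"

# Column list copied from the posted INSERT; the SQLite types approximate the
# ADO adLongVarChar / adDouble parameters (constructed schema for this example).
SCHEMA = """
CREATE TABLE ordercavecustomer (
    cusEmail TEXT, password TEXT, malID TEXT, profileActive REAL, signDate TEXT
);
"""
INSERT_SQL = ("INSERT INTO ordercavecustomer "
              "(cusEmail, password, malID, profileActive, signDate) ")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_bound(conn, email, pw, mal_id, active, sign_date):
    """What the Dreamweaver code does: fixed SQL text, values passed as bind
    parameters. The database never parses the values as SQL."""
    conn.execute(INSERT_SQL + "VALUES (?, ?, ?, ?, ?)",
                 (email, pw, mal_id, active, sign_date))
    conn.commit()


def insert_concatenated(conn, email, pw, mal_id, active, sign_date):
    """The vulnerable alternative (constructed, not on the page): values are
    spliced into the SQL text, so the parser sees whatever the client typed.
    executescript() is used so that, like a driver which accepts batches, a
    statement smuggled in after ';' also runs."""
    sql = INSERT_SQL + (f"VALUES ('{email}', '{pw}', '{mal_id}', "
                        f"{active}, '{sign_date}');")
    conn.executescript(sql)


def stored_emails(conn):
    rows = conn.execute("SELECT cusEmail FROM ordercavecustomer ORDER BY rowid")
    return [r[0] for r in rows]


def demo():
    """Run the four cases and return what happened in each, for checking."""
    out = {}

    # 1. Bound parameter, the asker's probe: stored verbatim, nothing executed.
    conn = new_db()
    insert_bound(conn, PROBE, "pw", "aff1", 1.0, "2011-01-01")
    out["bound_stores_probe_verbatim"] = stored_emails(conn) == [PROBE]

    # 2. Concatenation, same probe: the extra ')' breaks the INSERT and the
    #    parser rejects the string. SQLite has no pg_sleep(), but the point
    #    is that the probe was treated as SQL structure, not as data.
    conn = new_db()
    try:
        insert_concatenated(conn, PROBE, "pw", "aff1", 1.0, "2011-01-01")
        out["concat_probe_was_parsed_as_sql"] = False
    except sqlite3.OperationalError:
        out["concat_probe_was_parsed_as_sql"] = True
    out["concat_probe_rows_stored"] = len(stored_emails(conn))

    # 3. Concatenation, a constructed payload that closes the INSERT cleanly
    #    and appends its own statement: the attacker's DELETE runs.
    conn = new_db()
    insert_bound(conn, "alice@example.com", "pw", "aff1", 1.0, "2011-01-01")
    payload = "x', 'p', 'a', 1, 'd'); DELETE FROM ordercavecustomer; --"
    insert_concatenated(conn, payload, "pw", "aff1", 1.0, "2011-01-01")
    out["concat_payload_emptied_table"] = stored_emails(conn) == []

    # 4. Bound parameter, same constructed payload: just another odd e-mail.
    conn = new_db()
    insert_bound(conn, payload, "pw", "aff1", 1.0, "2011-01-01")
    out["bound_stores_payload_verbatim"] = stored_emails(conn) == [payload]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 2 shows a parse error rather than a three-second delay because SQLite has no pg_sleep(); on a server that does have it, a concatenated statement whose bracket structure the probe happens to fit would run that SELECT, and the delay would tell the attacker the page is injectable. With bound parameters the probe lands in the cusEmail column as a literal string, which is exactly what the asker observed in his 150 rows.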
ASKER
Thanks for the info guys.
This is my first experience with being hacked, so I really don't have much to go on, other than what has transpired over the last few days.
Here is the brief history:
1) They had pointed their domain to my servers, so my site showed up live under their domain. ** I stopped that by using:
<%
' Serve the page only when the host name the request arrived under is ours
If Request.ServerVariables("SERVER_NAME") = "mysite.com" Or Request.ServerVariables("SERVER_NAME") = "www.mysite.com" Then
%>
    ... rest of the page ...
<%
End If
%>
And if they plan to use Iframes:
<script type="text/javascript">
<!--
// Frame-buster: if this page has been loaded inside someone else's frame, break out to the real site
if (top.location != self.location) {
    top.location.href = "http://mysite.com";
}
-->
</script>
2) I was sent 8,000+ emails in a few minutes time. I have yet to stop this, I assume some type of "captcha" will stop this.
3) The 150+ entries into my db, all with info that doesn't match the system (ie: no valid email address, passwords, etc.)
I didn't know if they had gained access to the system or had even seen the contents of my db, all I know is that they have tried about 100 times.....
@Akenathon,
You say that because dreamweaver used binds, the info was just inserted and not executed? That is nice to hear....
-Slim
Agreed with @Akenathon. Someone tried to use SQL Injection but you were saved from it.
ASKER
Is there any way to stop the attacks from even being tried? or will the attackers simply get bored with the site and move on to someone else (hopefully)?
-Slim
ASKER
@Akenathon,
Thanks for the input....
I am thinking about trying to implement some type of IP restriction. But I need to understand how they are attacking the site/page/db....
If I were to simply deny the following characters in my data: ", ', =, <, >, wouldn't that stop the attack? If any of those characters exist, then I will stop the page from loading. I am only collecting an email address, password, and something similar to an affiliate ID, none of which require the above characters.
Also, is there a safe way to log someones IP address? Would storing that information in a session variable and then starting a type of counter work? Wouldn't the session IP be susceptible to attacks as well?
Thoughts?
Thanks,
Slim
As already mentioned, sanitize your input. For your inserts, switch them to stored procedures with strongly-typed parameters. Additionally, you can add some httpHandlers that will deal with all requests to remove any incoming stop words, such as insert, drop, delete, etc. The OWASP project can provide you with great starting points to help clean up your code:
http://www.owasp.org/index.php/Category:OWASP_.NET_Project
Taking anything straight from Dreamweaver (or Visual Studio for that matter) without adding your own security is essentially asking for trouble. A classic guide, though it's a heavy read, to secure web applications can be downloaded here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E&displaylang=en
It provides a broad level of enterprise level tactics to deal with code issues.
For more SQL specific details, review the articles here:
http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/library/ff647397.aspx
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
It may take a while to walk through all these articles and fully grasp what they are suggesting, but, once you make these essential changes to your coding culture (assuming it's not just you) secure coding will come second nature from now on for SQL Injection.
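The asker's follow-up questions above, a character blocklist and an IP counter kept in a session variable, are where the advice to sanitize input becomes practical. Here is an added example of how I would implement both, written for this edit in Python (it is not code from the thread, from Dreamweaver, or from the OWASP/MSDN links): allowlist validation of the three signup fields, plus a server-side sliding-window counter keyed by client IP. The field patterns, the limits and the sample address are assumptions; the thread only says the fields are an e-mail, a password and an affiliate-style ID.

```python
import re
import time
from collections import defaultdict, deque

# Allowlist shapes for the three fields the asker collects (assumed here; the
# thread does not specify them). Allowlisting what a field may look like is
# safer than blocklisting characters, and a user can still be told which
# field was wrong.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MALID_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def validate_signup(email, password, mal_id):
    """Return the names of form fields that fail validation (empty list = ok).

    This is defence in depth: the bound parameters in the posted INSERT are
    what actually stopped the injection, and this check does not replace them.
    """
    bad = []
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        bad.append("signEmail")
    # Passwords may legitimately contain quotes (O'Brien1!). A blocklist on
    # ' and " would reject real users without adding safety once the value is
    # bound as a parameter, so only length and printability are checked.
    if not (8 <= len(password) <= 128) or not password.isprintable():
        bad.append("signPw")
    if not MALID_RE.fullmatch(mal_id):
        bad.append("malID")
    return bad


class IpRateLimiter:
    """Sliding-window request counter keyed by client IP.

    Kept in server memory rather than in the ASP Session object: a script that
    discards cookies gets a fresh session on every request, so a per-session
    counter would never exceed 1. Key on REMOTE_ADDR (the TCP peer address),
    not on an X-Forwarded-For header the client can forge, unless a trusted
    proxy in front of the web server sets that header.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, ip, now=None):
        """Record one request from ip; return False once the limit is reached."""
        now = time.monotonic() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop hits outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def burst_demo():
    """Constructed burst: 7 signup posts from one address within a minute,
    limit 5 per 60 s. Returns the allow/deny decision for each post."""
    limiter = IpRateLimiter(limit=5, window_seconds=60)
    return [limiter.allow("203.0.113.9", now=t) for t in range(7)]


if __name__ == "__main__":
    print(validate_signup("'));SELECT pg_sleep(3);--", "password1", "aff1"))
    print(validate_signup("alice@example.com", "O'Brien1!", "aff1"))
    print(burst_demo())
```

Run the validation before building the ADODB.Command and reject the request (or return to the form) when the list is non-empty; the probe string from the thread fails the e-mail check, so it never reaches the database at all. The limiter is the cheap answer to the "can I stop the attempts" question: once an address has posted the signup form more than a handful of times per minute, answer with an error page instead of sending another e-mail or running another INSERT. A CAPTCHA, as the asker guessed, is the usual next step when attempts come from many addresses.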
ASKER
Thanks to all that has supplied input to my hacking matter!