Slim81
Stopping SQL Injection ASP

hey guys and gals,
I would have never thought I would be hacked, but over the last few days that has happened.  Looks like they have flooded my db with some information, hopefully not getting anything in return...

I use Dreamweaver CS3 to do the majority of my sql statements and recordset building.  I was under the assumption that because they use prepared statements (I think that is what it is called) and parameters I was fairly safe when it came to injections.

Here is my dreamweaver generated code:
<%
If (CStr(Request("MM_insert")) = "signupForm") Then
  If (Not MM_abortEdit) Then
    ' execute the insert
    Dim MM_editCmd

    Set MM_editCmd = Server.CreateObject ("ADODB.Command")
    MM_editCmd.ActiveConnection = MM_orderCaveBearAwesome_STRING
    MM_editCmd.CommandText = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password, malID, profileActive, signDate) VALUES (?, ?, ?, ?, ?)" 
    MM_editCmd.Prepared = true
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param1", 201, 1, 255, Request.Form("signEmail")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param2", 201, 1, 255, Request.Form("signPw")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param3", 201, 1, 255, Request.Form("malID")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param4", 5, 1, -1, MM_IIF(Request.Form("profileActive"), Request.Form("profileActive"), null)) ' adDouble
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param5", 201, 1, 10, Request.Form("signDate")) ' adLongVarChar
    MM_editCmd.Execute
    MM_editCmd.ActiveConnection.Close

    ' append the query string to the redirect URL
    Dim MM_editRedirectUrl
    MM_editRedirectUrl = "signupPage2.asp?login=" & request.form("signEmail")
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)
  End If
End If
%>



It looks like they added about 150 records to my db yesterday, mostly with info like this: '));SELECT pg_sleep(3);--

How come dreamweaver's parameters didn't stop the attack?

Thanks,
Slim
Badotz

There is no validation of the parameters (from the code you provided) - they are blindly added to the SQL before execution.
I don't see you've been cracked by your description... you do have some records with data that show they tried to inject your app, but since you have bind variables, they have been used as strings and inserted as any other data would have.

If you had NOT used binds, then you would NOT see the evidence of the cracking attempts. Instead, their strings would have been taken as commands, EXECUTED, and therefore NOT recorded as data in your 150 records.

So, what evidence (if any) are you claiming proof of a supposedly successful cracking?
Slim81 (asker)

Thanks for the info guys.

This is my first experience with being hacked, so I really don't have much to go on, other than what has transpired over the last few days.

Here is the brief history:
1) They had pointed their domain to my servers, so my site showed up live under their domain.  ** I stopped that by using:
<%
if request.ServerVariables("SERVER_NAME") = "mysite.com" or request.ServerVariables("SERVER_NAME") = "www.mysite.com" then
%>


And if they plan to use Iframes:
<script type="text/javascript">
<!--
  if (top.location != self.location) {
  top.location.href = "http://mysite.com" ;
  }
-->
</script>



2) I was sent 8,000+ emails in a few minutes' time.  I have yet to stop this; I assume some type of "captcha" will stop this.

3) The 150+ entries into my db, all with info that doesn't match the system (i.e., no valid email address, passwords, etc.)

I didn't know if they had gained access to the system or had even seen the contents of my db, all I know is that they have tried about 100 times.....

@Akenathon,
You say that because dreamweaver used binds, the info was just inserted and not executed?  That is nice to hear....

-Slim
Agreed with @Akenathon. Someone tried to use SQL Injection but you were saved from it.
Slim81 (asker)

Is there any way to stop the attacks from even being tried?  or will the attackers simply get bored with the site and move on to someone else (hopefully)?

-Slim
SOLUTION
Akenathon
Slim81 (asker)

@Akenathon,
Thanks for the input....

I am thinking about trying to implement some type of IP restriction.  But I need to understand how they are attacking the site/page/db....

If I were to simply deny the following characters in my data: ", ', =, <, >, wouldn't that stop the attack?  If any of those characters exist, then I will stop the page from loading.  I am only collecting an email address, a password, and something similar to an affiliate ID, none of which require the above characters.

Also, is there a safe way to log someone's IP address?  Would storing that information in a session variable and then starting a type of counter work?  Wouldn't the session IP be susceptible to attacks as well?

Thoughts?

Thanks,
Slim
As already mentioned, sanitize your input.  For your inserts, switch them to stored procedures with strongly-typed parameters.  Additionally, you can add some httpHandlers that will deal with all requests to remove any incoming stop words, such as insert, drop, delete, etc.  The OWASP project can provide you with great starting points to help clean up your code:

http://www.owasp.org/index.php/Category:OWASP_.NET_Project

Taking anything straight from Dreamweaver (or Visual Studio for that matter) without adding your own security is essentially asking for trouble.  A classic guide, though it's a heavy read, to secure web applications can be downloaded here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E&%3Bdisplaylang=en

It provides a broad level of enterprise level tactics to deal with code issues.

For more SQL specific details, review the articles here:

http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/library/ff647397.aspx
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

It may take a while to walk through all these articles and fully grasp what they are suggesting, but once you make these essential changes to your coding culture (assuming it's not just you), secure coding against SQL injection will become second nature from now on.
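An added example, not code from this thread, using Python with sqlite3 as a stand-in for the ADODB command: it shows why the bound-parameter insert stored the string '));SELECT pg_sleep(3);-- as plain data (Badotz's point above) while string concatenation would have turned the attacker's quote into SQL syntax, and it replaces the "deny these characters" idea with the allowlist validation the later answer recommends. The table and column names, the affiliate-ID format and the email pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample: the exact string the asker found in the database,
# plus a legitimate signup for comparison.
INJECTED_INPUT = "'));SELECT pg_sleep(3);--"
GOOD_EMAIL = "alice@example.com"

# Allowlist patterns (assumed): describe what a valid value looks like
# instead of trying to enumerate every dangerous character.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
AFFILIATE_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def validate_signup(email, affiliate_id):
    """Return the names of form fields that fail the allowlist (empty = OK)."""
    bad = []
    if not EMAIL_RE.match(email or ""):
        bad.append("signEmail")
    if not AFFILIATE_RE.match(affiliate_id or ""):
        bad.append("malID")
    return bad


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, password TEXT, malID TEXT)")
    return conn


def insert_parameterized(conn, email, password, affiliate_id):
    """Same idea as ADODB.Command + CreateParameter: the values travel
    separately from the SQL text, so they can only ever be data."""
    conn.execute("INSERT INTO customer (email, password, malID) VALUES (?, ?, ?)",
                 (email, password, affiliate_id))
    return conn.execute("SELECT email FROM customer").fetchall()


def naive_sql(email, password, affiliate_id):
    """The statement string concatenation would have built (never do this)."""
    return ("INSERT INTO customer (email, password, malID) VALUES ('"
            + email + "', '" + password + "', '" + affiliate_id + "')")


def try_naive(conn, email, password, affiliate_id):
    """Run the concatenated statement: the attacker's quote closes the literal,
    so the text no longer parses as the single INSERT the developer intended."""
    try:
        conn.execute(naive_sql(email, password, affiliate_id))
        return "executed"
    except sqlite3.Error as exc:
        return "error: " + str(exc)
```

With the bound version the injected string comes back from the table verbatim, which is exactly the evidence the asker saw; the concatenated version fails to parse because the payload has become part of the statement.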
SOLUTION
madunix
ASKER CERTIFIED SOLUTION
Slim81 (asker)

Thanks to all who have supplied input on my hacking matter!