Solved

Stopping SQL Injection ASP

Posted on 2010-11-15
690 Views
Last Modified: 2012-05-10
hey guys and gals,
I would have never thought I would be hacked, but over the last few days that has happened.  Looks like they have flooded my db with some information, hopefully not getting anything in return...

I use Dreamweaver CS3 to do the majority of my SQL statements and recordset building. I was under the assumption that because they use prepared statements (I think that is what it is called) and parameters, I was fairly safe when it came to injections.

Here is my Dreamweaver-generated code:
<%
' Dreamweaver "Insert Record" server behaviour. MM_abortEdit, MM_IIF and the
' connection string MM_orderCaveBearAwesome_STRING are defined in the
' Dreamweaver boilerplate earlier in the page.
If (CStr(Request("MM_insert")) = "signupForm") Then
  If (Not MM_abortEdit) Then
    ' execute the insert as a prepared statement: the SQL text is fixed and each
    ' form field travels as a typed parameter instead of being pasted into it
    Dim MM_editCmd

    Set MM_editCmd = Server.CreateObject ("ADODB.Command")
    MM_editCmd.ActiveConnection = MM_orderCaveBearAwesome_STRING
    MM_editCmd.CommandText = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password, malID, profileActive, signDate) VALUES (?, ?, ?, ?, ?)"
    MM_editCmd.Prepared = true
    ' CreateParameter(name, type, direction, size, value):
    ' 201 = adLongVarChar, 5 = adDouble, direction 1 = adParamInput
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param1", 201, 1, 255, Request.Form("signEmail")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param2", 201, 1, 255, Request.Form("signPw")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param3", 201, 1, 255, Request.Form("malID")) ' adLongVarChar
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param4", 5, 1, -1, MM_IIF(Request.Form("profileActive"), Request.Form("profileActive"), null)) ' adDouble
    MM_editCmd.Parameters.Append MM_editCmd.CreateParameter("param5", 201, 1, 10, Request.Form("signDate")) ' adLongVarChar
    MM_editCmd.Execute
    MM_editCmd.ActiveConnection.Close

    ' append the query string to the redirect URL; the email is URL-encoded so
    ' that it cannot smuggle extra parameters into the redirect
    Dim MM_editRedirectUrl
    MM_editRedirectUrl = "signupPage2.asp?login=" & Server.URLEncode(Request.Form("signEmail"))
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)
  End If
End If
%>



It looks like they added about 150 records to my db yesterday, mostly with info like this: '));SELECT pg_sleep(3);--

How come Dreamweaver's parameters didn't stop the attack?

Thanks,
Slim
0
Comment
Question by:Slim81
11 Comments
 
LVL 29

Expert Comment

by:Badotz
There is no validation of the parameters (from the code you provided) - they are blindly added to the SQL before execution.
0
 
LVL 11

Expert Comment

by:Akenathon
I don't see from your description that you've been cracked... you do have some records with data that show they tried to inject your app, but since you have bind variables, they have been used as strings and inserted as any other data would have been.

If you had NOT used binds, then you would NOT see the evidence of the cracking attempts. Instead, their strings would have been taken as commands, EXECUTED, and therefore NOT recorded as data in your 150 records.

So, what evidence (if any) are you claiming proof of a supposedly successful cracking?
0
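To make the point about bind variables concrete, here is an added example in classic ASP/ADO, not code from the thread or from Dreamweaver, that puts the two ways of building the same INSERT side by side. The two-column table, the connection string and the procedure names are assumptions; only the probe string is taken from the question above.

```vbscript
<%
' Added example (not from the thread or Dreamweaver): why bound parameters
' turned the attacker's input into harmless row data.
Option Explicit

' ADO DataTypeEnum / ParameterDirectionEnum / CommandTypeEnum constants,
' spelled out instead of the magic numbers Dreamweaver emits.
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Assumed connection string; replace with your own.
Const CONN_STRING = "Provider=MSDASQL;DSN=ordercave;"

' DANGEROUS pattern, shown only for contrast: the input is pasted into the
' statement text, so the database has to guess where data ends and SQL begins.
Function BuildConcatenatedInsert(email, pw)
    BuildConcatenatedInsert = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password) " & _
        "VALUES ('" & email & "', '" & pw & "')"
End Function

' SAFE pattern: the statement text never changes; values travel separately as
' typed parameters, so the database treats them purely as data.
' (Hash the password before storing it; that is outside this example.)
Sub InsertCustomerParameterized(email, pw)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = CONN_STRING
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO ordercave.ordercavecustomer (cusEmail, password) VALUES (?, ?)"
    cmd.Prepared = True
    cmd.Parameters.Append cmd.CreateParameter("p_email", adVarChar, adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("p_pw", adVarChar, adParamInput, 255, pw)
    cmd.Execute
    cmd.ActiveConnection.Close
    Set cmd = Nothing
End Sub

' Demonstration with the string the question reports finding in the table.
Dim probe
probe = "'));SELECT pg_sleep(3);--"

' 1) Concatenation produces one string the database must parse as a whole,
'    and the probe's quote ends the VALUES literal early. Displayed, not run.
Response.Write Server.HTMLEncode(BuildConcatenatedInsert(probe, "x")) & "<br>"

' 2) Parameter binding: the same probe is stored verbatim as the cusEmail
'    value, which is exactly what the junk rows in the question show.
InsertCustomerParameterized probe, "x"
%>
```

The only difference the attacker sees is in step 2: the quote, parenthesis and semicolon characters reach the table as ordinary bytes, so the evidence of the attempt survives as a row instead of being executed. Step 1 is included purely so the contrast is visible; it should never ship.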
 
LVL 4

Author Comment

by:Slim81
Thanks for the info guys.

This is my first experience with being hacked, so I really don't have much to go on, other than what has transpired over the last few days.

Here is the brief history:
1) They had pointed their domain to my servers, so my site showed up live under their domain.  ** I stopped that by using:
<%
' only serve the page when it is requested under our own host name; a request
' that arrives under someone else's domain pointed at this server gets nothing
If Request.ServerVariables("SERVER_NAME") = "mysite.com" Or Request.ServerVariables("SERVER_NAME") = "www.mysite.com" Then
  ' ... normal page output ...
End If
%>

And in case they use iframes:
<script type="text/javascript">
<!--
  // frame-buster: if this page has been loaded inside a frame on another site,
  // send the top-level window to our own URL instead
  if (top.location != self.location) {
    top.location.href = "http://mysite.com";
  }
-->
</script>


2) I was sent 8,000+ emails in a few minutes time.  I have yet to stop this, I assume some type of "captcha" will stop this.

3) The 150+ entries in my db, all with info that doesn't match the system (i.e. no valid email address, passwords, etc.)

I didn't know if they had gained access to the system or had even seen the contents of my db, all I know is that they have tried about 100 times.....

@Akenathon,
You say that because Dreamweaver used binds, the info was just inserted and not executed? That is nice to hear....

-Slim
0
 
LVL 13

Expert Comment

by:devlab2012
Agreed with @Akenathon. Someone tried to use SQL Injection but you were saved from it.
0
 
LVL 4

Author Comment

by:Slim81
Is there any way to stop the attacks from even being tried? Or will the attackers simply get bored with the site and move on to someone else (hopefully)?

-Slim
0

 
LVL 11

Assisted Solution

by:Akenathon
Akenathon earned 450 total points
Yes, I'm saying your DB has not been compromised by THAT portion of code (which does not imply that you are safe... 99% safe is 100% exposed so check the rest of your code!!).

You cannot keep them from trying... but you can get them bored more quickly, e.g.:

- To reduce the emails, do use captchas, or registration/membership with verified email addresses before they can send you anything.
- To reduce rubbish in your database, you can sanitize your inputs, e.g. look for quotes in the parameters and cancel the transaction. You can just show an error, or see next item...
- To temporarily avoid being attacked repeatedly, whenever you detect various cracking attempts in a row from the same IP, ban the originating IP for, say, 15 minutes. Google for IPS (Intrusion Prevention System) for automated solutions: they detect attacks, prevent them from reaching your server, ban the IPs... everything! :-)

You'll never be safe if they use 100s of different IPs... but that's unlikely because of the resources needed, and anyway even the biggest sites cannot resist a DDoS (Distributed Denial of Service), so your boss cannot complain if you get one of those. He should be proud that somebody actually takes that much interest in his website! :D
0
 
LVL 4

Author Comment

by:Slim81
@Akenathon,
Thanks for the input....

I am thinking about trying to implement some type of IP restriction.  But I need to understand how they are attacking the site/page/db....

If I were to simply deny the following characters in my data: ", ', =, <, >, wouldn't that stop the attack? If any of those characters exist, then I will stop the page from loading. I am only collecting an email address, password, and something similar to an affiliate ID, none of which require the above characters.

Also, is there a safe way to log someone's IP address? Would storing that information in a session variable and then starting a type of counter work? Wouldn't the session IP be susceptible to attacks as well?

Thoughts?

Thanks,
Slim
0
 
LVL 10

Expert Comment

by:wls3
As already mentioned, sanitize your input. For your inserts, switch them to stored procedures with strongly-typed parameters. Additionally, you can add some HttpHandlers that will deal with all requests to remove any incoming stop words, such as insert, drop, delete, etc. The OWASP project can provide you with great starting points to help clean up your code:

http://www.owasp.org/index.php/Category:OWASP_.NET_Project

Taking anything straight from Dreamweaver (or Visual Studio for that matter) without adding your own security is essentially asking for trouble.  A classic guide, though it's a heavy read, to secure web applications can be downloaded here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E&displaylang=en

It provides a broad level of enterprise level tactics to deal with code issues.

For more SQL specific details, review the articles here:

http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/library/ff647397.aspx
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

It may take a while to walk through all these articles and fully grasp what they are suggesting, but once you make these essential changes to your coding culture (assuming it's not just you), secure coding against SQL injection will come as second nature from then on.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 50 total points
SQL injection is the top-rated web application attack these days. There is a lot of insecure code on the net, and there are also several ways to protect an ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and exploitation conditions: a vulnerable request can implement INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of an SQL request; blind SQL injection; and features of the SQL implementations used in various DBMSs. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server.

My recommendation:
- Basically, make sure your web server is up to date with the latest security fixes/patches.
- Make sure you filter every user input and output with proper encoding like UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
- Try to implement a web application scanner; check this link: http://trac.ush.it/ush/wiki/SecurityTools
- I use e.g. Watchfire, now the IBM AppScan tools, http://www-01.ibm.com/software/rational/offerings/websecurity/ to scan all my web applications, and also use BackTrack + Meta for vulnerabilities, Nessus (Linux if you can) http://www.nessus.org/nessus/ , Nikto (Linux) http://www.cirt.net/nikto2, MBSA (debatable) http://technet.microsoft.com/en-us/security/cc184923.aspx

Here is the site's newsletter "Security Database Tools Watch"
(http://www.security-database.com/toolswatch).
This letter summarizes the articles and news items published in the last 7 days.

Check Google for more on how to protect against SQL injection.
Regarding the Microsoft side, check http://msdn.microsoft.com/en-us/library/ms998271.aspx
Search http://www.sans.org/ for "sql injection"
WASC: http://projects.webappsec.org/SQL-Injection
OWASP: http://www.owasp.org/index.php/SQL_Injection
CodeProject http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
Hakin9: http://hakin9.org/article-html/9355-sql-injection-attacks-tutorial
0
 
LVL 11

Accepted Solution

by:Akenathon
Akenathon earned 450 total points
@Slim81: I see you've been provided with more than enough (good) reading material for the next year, so I'll focus on your specific thoughts:

1) Sanitizing is NOT blacklisting: if you just ban a bunch of characters and accept everything else by default, you never know if you are still leaving out some awkward combination. Maybe not today, but who knows what's possible in the next DBMS version? That's why you should consider whitelisting: REJECT BY DEFAULT, just as you do when you're configuring any kind of firewall, and only allow properly formed input to enter your precious database. So, use e.g. regular expressions for names, emails, etc. and trash everything else which does not look as it should. Blacklisting is also called "known BAD", and is NOT recommended. Whitelisting is the way to go, AKA "known good". Pattern matching is a way of doing either.

2) It's great that you ban the IPs in the app itself, but nowadays you still need an IPS just as much as you need a firewall and an antivirus. The only way to know whether any of your ideas works or not is to try and see if it can be cracked easily. You can hire an ethical hacker for that, but yes... session IP piggybacking and IP spoofing are some of the approaches to bypass banning. Nothing is 100% sure if it needs to work!
0
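Here is an added classic ASP example, not code from the thread, of the two ideas in the accepted answer and in Slim's question before it: "known good" validation that rejects anything not matching a narrow pattern, and a per-IP counter that bans a source for 15 minutes after repeated rejected requests. The regular expressions, thresholds, the Application-state key names and the response codes are assumptions to adapt; the field names are the ones from the signup form.

```vbscript
<%
' Added example (not from the thread): whitelist validation plus a per-IP
' attempt counter, as outlined in the accepted answer. Patterns, limits and
' the Application-state layout are assumptions.
Option Explicit

' Whitelist patterns: input that does not match is rejected by default, so the
' quote, parenthesis and semicolon characters seen in the junk rows never
' reach the database. Widen the patterns only if legitimate users are refused.
Const RE_EMAIL = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
Const RE_AFFILIATE = "^[A-Za-z0-9]{1,32}$"   ' malID: letters and digits only
Const RE_DATE = "^\d{4}-\d{2}-\d{2}$"        ' signDate as ISO yyyy-mm-dd

Function MatchesPattern(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = False
    re.Global = False
    MatchesPattern = re.Test(value)
End Function

' True only when every field looks the way it should ("known good").
Function SignupInputIsValid(email, pw, malID, signDate)
    SignupInputIsValid = False
    If Not MatchesPattern(email, RE_EMAIL) Then Exit Function
    ' password: length check only; any character is fine because it is bound as data
    If Len(pw) < 8 Or Len(pw) > 128 Then Exit Function
    If Not MatchesPattern(malID, RE_AFFILIATE) Then Exit Function
    If Not MatchesPattern(signDate, RE_DATE) Then Exit Function
    SignupInputIsValid = True
End Function

' --- per-IP attempt counter in Application state (single-server only) ---
Const MAX_BAD_ATTEMPTS = 5
Const BAN_MINUTES = 15

' Record one rejected request from ip; returns True once the IP is banned.
Function RecordBadAttempt(ip)
    Dim count
    Application.Lock
    count = Application("bad:" & ip)
    If IsEmpty(count) Then count = 0
    count = count + 1
    Application("bad:" & ip) = count
    If count >= MAX_BAD_ATTEMPTS Then
        Application("ban:" & ip) = DateAdd("n", BAN_MINUTES, Now())
    End If
    Application.Unlock
    RecordBadAttempt = (count >= MAX_BAD_ATTEMPTS)
End Function

' True while a ban for ip is still in effect; an expired ban is cleared.
Function IsBanned(ip)
    Dim banUntil
    IsBanned = False
    banUntil = Application("ban:" & ip)
    If IsEmpty(banUntil) Then Exit Function
    If Now() < banUntil Then
        IsBanned = True
    Else
        Application.Lock
        Application.Contents.Remove "ban:" & ip
        Application.Contents.Remove "bad:" & ip
        Application.Unlock
    End If
End Function

' --- request handling ---
Dim clientIp
' the socket address; a client-supplied header such as X-Forwarded-For can be faked
clientIp = Request.ServerVariables("REMOTE_ADDR")

If IsBanned(clientIp) Then
    Response.Status = "429 Too Many Requests"
    Response.End
End If

If CStr(Request("MM_insert")) = "signupForm" Then
    If SignupInputIsValid(Request.Form("signEmail"), Request.Form("signPw"), _
                          Request.Form("malID"), Request.Form("signDate")) Then
        ' hand the validated values to the parameterized INSERT from the question
    Else
        RecordBadAttempt clientIp
        Response.Status = "400 Bad Request"
        Response.Write "Invalid signup data."
        Response.End
    End If
End If
%>
```

Validation here is a second layer, not a replacement for the bound parameters: the INSERT stays parameterized, and the whitelist only keeps the obvious rubbish out of the table. The counter lives in Application state rather than the session because, as Slim suspected, a session is tied to a cookie the client controls; it is per-process, so a web farm would need a shared store instead.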
 
LVL 4

Author Closing Comment

by:Slim81
Thanks to all who have supplied input on my hacking matter!
0
