Solved

How do I prevent SQL injection hack on my Asp.Net site? (C#)

Posted on 2011-09-15
Last Modified: 2012-05-12
I have a website that appears in multiple cities; it's built on SQL 2005. I was recently hacked with what I believe was a PHP script that made a SQL injection. I have not been able to figure out how to close this hole. They were able to append the following string to some of my fields in the database:

FIELDNAME <a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=15 >crack</a></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=15 >crack</a>


Three of these fields were in the ASP.NET authentication tables.

Can someone help me figure how to prevent this hack in the future?

The site is built with Asp.net C# and the database is SQL 2005. There is a dropdown box to choose the city on all pages. The name field was one of the fields hacked. The image field on two other pages was also hacked, those pages also contain an e-mail form.

Your help would be greatly appreciated.

Thank you!
Question by:bmanmike39
30 Comments
 
Expert Comment
by:pramodsk40
Make sure you have <pages validateRequest="true" ... /> in your web.config.

There are other ways to prevent SQL injection; you can read about them here:

http://msdn.microsoft.com/en-us/library/ff647397.aspx

Expert Comment
by:lcohan
Here are two links with (one of the best, from my point of view) detailed info about PHP SQL injection and how to prevent it. Simply put: your code must use parameterized queries at the very least, if it's not possible to convert it all to database code objects (functions, stored procedures, views, etc.):

http://php.net/manual/en/security.database.sql-injection.php
http://www.learnphponline.com/security/sql-injection-prevention-mysql-php

Expert Comment
by:Tom Beck
One avenue of SQL injection attack is through query strings in the URLs. Always parse your query strings and reject any values with a greater number of characters than expected (or that don't match other expected patterns). For example, if your URL query string looks like this: http://www.mydomain.com/folder/page.aspx?id=1234
parse the URL string to make sure the id value is never longer than four characters (or whatever). This worked for me after hackers emptied my database using the query-string SQL injection method. Fortunately, the site was new and there wasn't much in the database.

Expert Comment
by:guramrit
Always use parameterized queries. SQL injection is impossible if you use parameterized queries.
Check also http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

Expert Comment
by:Tom Beck
>>Sql injection is impossible if you use parametrized queries.

NOT true.

Parameterized queries do not prevent SQL injection for this type of attack:

http://www.imperva.com/resources/glossary/sql_injection.html

This article explains why:

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

I used parameterized queries on my website and tables were removed from my database by a hacker using the URL string to inject a DROP TABLE command.

Expert Comment
by:guramrit
But the idea of using parameterized queries or stored procedures is to avoid dynamic SQL. Don't ever use dynamic SQL, either in code or in a stored procedure. These are vulnerable to SQL injection. If you have to use dynamic SQL in any case, then perform strong validation.

If you use strongly typed SQL in code or in a stored procedure (i.e. without using EXECUTE or sp_executesql) then there is no way that SQL injection can happen, because the SQL statement cannot be manipulated.
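A worked version of the advice in this comment and in Tom Beck's earlier one (validate the query-string value, send it as a typed parameter, and don't let a stored procedure undo that by concatenating its parameter into EXEC text), written as an added C#/ADO.NET example. It is not code from the thread or from the poster's site. The table dbo.Cities, the procedure dbo.usp_CountCitiesByName and the connection-string name "Site" are assumptions made for the example.

```csharp
// Added example, not code from the original thread or the poster's site.
// Assumptions: a table dbo.Cities(CityId int, Name nvarchar(50)), a stored
// procedure dbo.usp_CountCitiesByName, and a connection string named "Site"
// in web.config. All three names are made up for this example.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class CityRepository
{
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["Site"].ConnectionString;

    // VULNERABLE: the raw query-string value becomes part of the SQL text.
    // ?id=1234 OR 1=1 returns every row; ?id=1234;DROP TABLE Cities-- runs a
    // second statement if the login is allowed to drop tables.
    public static string GetCityNameUnsafe(string idFromQueryString)
    {
        string sql = "SELECT Name FROM dbo.Cities WHERE CityId = " + idFromQueryString;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: check the shape first (a numeric id has a known length and
    // character set), then send it as a typed parameter. The value never
    // touches the statement text, so "1234 OR 1=1" cannot change the query.
    public static string GetCityName(string idFromQueryString)
    {
        int cityId;
        if (idFromQueryString == null || idFromQueryString.Length > 9
            || !int.TryParse(idFromQueryString, out cityId) || cityId <= 0)
        {
            throw new ArgumentException("id must be a positive integer");
        }

        const string sql = "SELECT Name FROM dbo.Cities WHERE CityId = @CityId";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@CityId", SqlDbType.Int).Value = cityId;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Free text is parameterised the same way, with an explicit length that
    // matches the column. Quotes, semicolons or "<a style=..." are stored as
    // data; they are never executed. (Encoding them on output is a separate,
    // XSS concern.)
    public static int CountByName(string name)
    {
        const string sql = "SELECT COUNT(*) FROM dbo.Cities WHERE Name = @Name";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name ?? string.Empty;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // A stored procedure is only as safe as its body. Assumed safe body:
    //   CREATE PROCEDURE dbo.usp_CountCitiesByName @Name nvarchar(50) AS
    //     SELECT COUNT(*) FROM dbo.Cities WHERE Name = @Name;
    // The same procedure written as
    //   EXEC('SELECT COUNT(*) FROM dbo.Cities WHERE Name = ''' + @Name + '''')
    // is injectable even though this C# passes @Name as a parameter: the
    // concatenation has just moved from the page into the database.
    public static int CountByNameViaProc(string name)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.usp_CountCitiesByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name ?? string.Empty;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

The length check on the id and the explicit NVarChar(50) size are the "reject anything longer than expected" step; the SqlParameter is what actually stops the injection, because SQL Server receives the value separately from the statement and never parses it as SQL.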

Author Comment
by:bmanmike39
Still not working; got attacked again.


Expert Comment
by:guramrit
Are you able to identify the source and cause of the attack? If you're sure that it is because of SQL injection, then post the attacked code and that'll help us.

Author Comment
by:bmanmike39
All of the pages are from the database and you can see in the DB what was injected. On one of the pages I have YouTube embedded videos; I got a warning from my browser virus protection that says: scripting injection (1904)

Expert Comment
by:jogos
IIS logs, to see what's coming in?

"The name field was one of the fields hacked"
Obviously a numeric value limits the possibility to pass code. You can prevent strings from being passed that contain dangerous characters like '=' ';' or quotes themselves. Then even dynamic SQL becomes a little safer.

Prevent the account (not SA) of your web application from doing DDL statements. A normal application does not need to add columns, drop or create tables ..... .

Author Comment
by:bmanmike39
Please explain this.  I don't understand "Prevent the account (not SAoff your web-application to do"

Thx!

Expert Comment
by:jogos
I hope your web app does not use the SA user to connect to the DB. The account it uses to connect to the database should have limited access, that is, reading and writing into tables (DML: data modification language) but not dropping tables, creating tables, adding columns to tables .... (DDL: data definition language)
http://msdn.microsoft.com/en-us/library/ms191291(SQL.100).aspx

Expert Comment
by:jogos
But mind, if you prevent DDL, it does not stop SQL injection. Deleting rows will still be possible, as your application will need that for its working (I think).

Any dynamic SQL must be reviewed so that no data can be passed that can be a new SQL statement on its own or extends a query. (id = 1, which you intend, becomes id = 1 OR 1=1)....
Best never use dynamic SQL, but where necessary limit the chances that input will contain data that is not allowed.

For example your e-mail form. That will contain a large text field that is perfect for passing SQL commands.

Expert Comment
by:jogos
We have no response on what you checked or whether you changed anything at all. Maybe this link will give an overview of the things to do.
http://www.mssqltips.com/sqlservertip/1559/recover-from-a-sql-injection-attack-on-sql-server/

Author Comment
by:bmanmike39
Still trying the suggestions; will get back to you.

Author Comment
by:bmanmike39
Can I shorten the value lengths in the membership provider tables in my database without damaging the DB?

Expert Comment
by:jogos
Which values? But that seems like another topic to me.

Author Comment
by:bmanmike39
The length of the varchars in the authentication table, like for the username.

Expert Comment
by:jogos
The standard provider won't prevent entering longer names, so you could run into SQL errors that don't give a good message to the user.
Do you think the SQL injection happens through your membership provider tables? I think that is handled there.

Author Comment
by:bmanmike39
My provider tables have the string starting with <title in them because of the additional space.

Expert Comment
by:jogos
So you want to customize your membership provider; take a look at http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider.

More important than the length is what characters are allowed and what you do with them. Without ' " ; < = > it's a lot harder to use SQL injection. And avoiding the use of dynamic SQL will prevent the bad strings from being activated as a SQL command.

Author Comment
by:bmanmike39
No, I want to change the datatype length of the userName field from the default nvarchar(256) to nvarchar(15) without breaking the membership system. All the members in the system are under 15 characters.

Expert Comment
by:jogos
SQL injection was the topic, wasn't it?

Author Comment
by:bmanmike39
Yes, and what to do to stop it in this circumstance. The only fields getting hacked are the asp.net tables.

Expert Comment
by:jogos
You are getting hacked and they use tables they suppose are there while you use the membership authentication, so anyone knows their names.

And I did answer your membership question (which for me is another question):
- you have to limit the size of the input boxes (do you have a password question?)
- you must see/test that nothing of the used code can crash uncontrolled because you change the table specs, and if that's not possible you must customize the membership solution

Did you see in the IIS logs how you are getting hacked? Do you have proof, or are you just limiting all the fields that are possible? Do you use dynamic SQL.... or how do you open your database? User roles to limit SQL actions?

So I see I'm still asking the same questions and did not have any response on those. I guess I (and others) gave enough answer on 'how to prevent' and what to check.

A last suggestion you can have from me:
- SQL triggers or self-made logging in your stored procedures can also help
- SQL trace will slow things down and will only give results when you trace at the moment of the attack, so only if you're attacked frequently
 

Author Comment

by:bmanmike39
I viewed and attempted to do all that was suggested. The attacks seem to be direct through the URL, because the script being run against the site is no longer working against the table I restricted. I am just concerned about breaking the membership system if I restrict the number of characters in the asp.net tables.

Also all of the input boxes on the front side of the site have been restricted, again except for the asp login control. They have not been able to set up an account because the site does not have a join or membership form. All accounts are added manually.

I connect to the DB through a local connection string using Windows authentication.

I'm trying the IIS logs, but what am I looking for?

one line:
2011-10-20 23:53:11 80.86.166.402 GET /SIT NAME/WebResource.axd d=7YXovajRygwSNfqRjERoPVZIqoDpO7vDAoMZKFYRTWD9DHXbO3FblUMhY0iH9f0pmoM69o4oRp9OAU9NR0dFGk3PUUM1&t=634540719545726250 80 - 99.123.142.155 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.1;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+.NET4.0C) 200 0 0

Accepted Solution
by: jogos (earned 500 total points)
Log
In the log you can find the URL parameters that are passed, so normally it should be something like
  USERID=12345
but it's wrong when it's showing like
   userid = 12345 or 1=1
This is only pulling too much data because of the always-true condition.
It gets more obvious when not only values are passed but real SQL commands (DML or DDL):
    userid =12345;drop table users
=> it's obvious that this isn't so healthy
=> any SQL keyword in a URL parameter: select, alter, drop, exec, insert, update, declare,...

On this link you find an example; look for example after the 'Good luck'
http://stackoverflow.com/questions/3772793/has-anyone-found-out-how-this-was-done-sql-injection

SQL Security
I read "against the table I restricted". It sounds to me like 'they broke in by the kitchen window, so I blocked the kitchen window but I left the other windows as they were'.
I hope you restricted more than that. The SQL login should only have the explicit security that is needed. They have altered one of your tables -> this couldn't happen if they didn't have any right to create or alter a table.

Membership
You can alter, but as I said earlier 'test, test', and if there's a problem you have to customize.
What will it help you to limit the column size?
Are you sure it's not one of your accounts who is 'playing around'?

It's not necessary to be logged in. If in the account field they can add more characters, or they can fabricate the URL themselves, something like
 login.aspx?uid=12345andmysqlhackcodehere
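The log check described in this answer, and the poster's "what am I looking for?" question above it, as an added C# example that is not code from the thread. It reads an IIS W3C log using the #Fields header to locate cs-uri-query, URL-decodes each query string and flags the patterns the answer lists: SQL keywords, an always-true "or 1=1", a stacked statement after ';' and a trailing "--". The header and first log line are the poster's own (site name replaced by SITENAME and the User-Agent shortened); the two attack lines are constructed for the example.

```csharp
// Added example, not code from the original thread. Scans an IIS W3C log
// for query strings that carry SQL keywords, an always-true condition, a
// stacked statement or a trailing comment. Sample lines are embedded below;
// the first data line is the poster's (site name replaced), the other two
// are constructed to show what a hit looks like.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class IisLogScanner
{
    // Things a legitimate query-string value on this site should never contain.
    private static readonly Regex Suspicious = new Regex(@"(?ix)
        \b(select|insert|update|delete|drop|alter|create|exec(ute)?|declare|union|cast|xp_cmdshell|sp_executesql)\b
      | \b(or|and)\s+\d+\s*=\s*\d+   # tautology such as 'or 1=1'
      | --                           # comments out the rest of the real statement
      | ;\s*(?=\w)                   # statement terminator followed by more SQL
      | '                            # quote in a value that should be plain",
        RegexOptions.Compiled);

    public sealed class Hit
    {
        public string When;
        public string ClientIp;
        public string UriStem;
        public string DecodedQuery;
        public string Matched;
    }

    // Column lookup by #Fields name; "-" when the log does not carry that column.
    private static string Col(string[] fields, string[] cols, string name)
    {
        int i = Array.IndexOf(fields, name);
        return i < 0 ? "-" : cols[i];
    }

    public static List<Hit> Scan(IEnumerable<string> lines)
    {
        var hits = new List<Hit>();
        string[] fields = null;

        foreach (string raw in lines)
        {
            string line = raw.Trim();
            if (line.Length == 0) continue;

            if (line.StartsWith("#Fields:", StringComparison.Ordinal))
            {
                // The header names the columns; different sites log different sets.
                fields = line.Substring("#Fields:".Length).Trim().Split(' ');
                continue;
            }
            if (line.StartsWith("#", StringComparison.Ordinal) || fields == null) continue;

            string[] cols = line.Split(' ');
            if (cols.Length != fields.Length) continue;      // malformed line, skip it

            string query = Col(fields, cols, "cs-uri-query");
            if (query == "-") continue;                      // request had no query string

            // IIS logs the query URL-encoded; decode it so "1%20or%201%3D1"
            // is inspected as the text the page actually received.
            string decoded = Uri.UnescapeDataString(query.Replace('+', ' '));
            MatchCollection ms = Suspicious.Matches(decoded);
            if (ms.Count == 0) continue;

            hits.Add(new Hit
            {
                When = Col(fields, cols, "date") + " " + Col(fields, cols, "time"),
                ClientIp = Col(fields, cols, "c-ip"),
                UriStem = Col(fields, cols, "cs-uri-stem"),
                DecodedQuery = decoded,
                Matched = string.Join(", ", ms.Cast<Match>().Select(m => m.Value.Trim()))
            });
        }
        return hits;
    }

    public static void Main()
    {
        string[] sample =
        {
            "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
            // The poster's line. WebResource.axd is ASP.NET's own handler; its 'd' token is opaque and must not be flagged.
            "2011-10-20 23:53:11 80.86.166.402 GET /SITENAME/WebResource.axd d=7YXovajRygwSNfqRjERoPVZIqoDpO7vDAoMZKFYRTWD9DHXbO3FblUMhY0iH9f0pmoM69o4oRp9OAU9NR0dFGk3PUUM1&t=634540719545726250 80 - 99.123.142.155 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0",
            // Constructed: tautology appended to a numeric id.
            "2011-10-21 00:02:07 80.86.166.402 GET /SITENAME/page.aspx id=1234+or+1%3D1 80 - 203.0.113.7 Mozilla/5.0 200 0 0",
            // Constructed: stacked DROP TABLE with a trailing comment.
            "2011-10-21 00:02:09 80.86.166.402 GET /SITENAME/page.aspx id=1234%3Bdrop+table+users-- 80 - 203.0.113.7 Mozilla/5.0 500 0 0",
        };

        foreach (Hit h in Scan(sample))
            Console.WriteLine("{0} {1} {2}?{3}  flagged: {4}", h.When, h.ClientIp, h.UriStem, h.DecodedQuery, h.Matched);
    }
}
```

Run over the sample, the WebResource.axd line is ignored and the two constructed lines are reported, the second one with ";", "drop" and "--" listed. Decoding before matching matters: an attacker who sends the same payload as %27 or %3B would otherwise slip past a check on the raw log text. Treat hits as leads to correlate with the c-ip and timestamp, not as proof on their own.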

Expert Comment
by:jogos
'I connect to the DB through a local connection string using Windows authentication.'

Windows authentication, and which user may that be (but don't answer this in public)? A specific Windows user for your website? If not, then it is better to make a specific SQL login for your application and restrict its permissions to the minimum
http://www.dnzone.com/go?503

Expert Comment
by:jogos
And for you I put your header and the one line of your IIS log together

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-10-20 23:53:11 80.86.166.402 GET /SIT NAME/WebResource.axd d=7YXovajRygwSNfqRjERoPVZIqoDpO7vDAoMZKFYRTWD9DHXbO3FblUMhY0iH9f0pmoM69o4oRp9OAU9NR0dFGk3PUUM1&t=634540719545726250 80 - 99.123.142.155 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.1;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+.NET4.0C) 200 0 0


Author Closing Comment
by:bmanmike39
Thanks for the help.  I just have to look into it more