Solved

How do I prevent SQL injection hack on my Asp.Net site? (C#)

Posted on 2011-09-15
4,163 Views
Last Modified: 2012-05-12
I have a website that appears in multiple cities; it’s built on SQL 2005. I recently was hacked with what I believe was a PHP script that performed a SQL injection. I have not been able to figure out how to close this hole. They were able to append the following string to some of my fields in the database:

FIELDNAME <a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=15 >crack</a></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=15 >crack</a>


Three of these fields were in the asp.net authentication tables.

Can someone help me figure how to prevent this hack in the future?

The site is built with Asp.net C# and the database is SQL 2005. There is a dropdown box to choose the city on all pages. The name field was one of the fields hacked. The image field on two other pages was also hacked, those pages also contain an e-mail form.

Your help would be greatly appreciated.

Thank you!
Question by:bmanmike39
30 Comments
 
LVL 10

Expert Comment

by:pramodsk40
ID: 36545612
Make sure you have <pages validateRequest="true" ... /> in your web.config.

There are other ways to prevent SQL injection...you can read them...

http://msdn.microsoft.com/en-us/library/ff647397.aspx
 
LVL 40

Expert Comment

by:lcohan
ID: 36545625
Here are two links with (one of the best from my point of view) detailed info about PHP SQL injection and how to prevent it. Simply put: your code must use parametrized queries at the very least, if it's not possible to convert it all to database code objects (functions, stored procedures, views, etc.):

http://php.net/manual/en/security.database.sql-injection.php
http://www.learnphponline.com/security/sql-injection-prevention-mysql-php
 
LVL 38

Expert Comment

by:Tom Beck
ID: 36545658
One avenue of SQL injection attack is through query strings in the URLs. Always parse your query strings and reject any values with a greater number of characters than expected (or other expected patterns). For example, if your url query string looks like this: http://www.mydomain.com/folder/page.aspx?id=1234
Parse the url string to make sure the id value is never longer than four characters (or whatever). This worked for me after hackers emptied my database using the query string SQL injection method. Fortunately, the site was new and there wasn't much in the database.
 
LVL 4

Expert Comment

by:guramrit
ID: 36547606
Always use parametrized queries. Sql injection is impossible if you use parametrized queries.
check also http://blogs.msdn.com/b/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx
 
LVL 38

Expert Comment

by:Tom Beck
ID: 36548563
>>Sql injection is impossible if you use parametrized queries.

NOT true.

Parametrized queries do not prevent SQL injection for this type of attack:

http://www.imperva.com/resources/glossary/sql_injection.html

This article explains why:

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

I used parametrized queries on my website and tables were removed from my database by a hacker using the url string to inject a DROP TABLE command.
 
LVL 4

Expert Comment

by:guramrit
ID: 36548618
But the idea of using parameterized queries or stored procedures is to avoid dynamic SQL. Don't ever use dynamic SQL, either in code or in a stored procedure. These are vulnerable to SQL injection. If you have to use dynamic SQL in any case, then perform strong validation.

If you use strongly typed SQL in code or in a stored procedure (i.e. without using EXECUTE or sp_executesql) then there is no way that SQL injection can happen, because the SQL statement cannot be manipulated.
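The point made in the last two comments (avoid building SQL text from input; pass values as parameters) and Tom Beck's earlier advice (reject query-string ids longer than expected) can be seen side by side in the following ADO.NET example. It is added here and is not code from the thread or from the asker's site; the table and column names (Cities, CityId, Name) and the four-digit id limit are assumptions.

```csharp
// Added example, not from the original thread. Contrasts the concatenated
// query that makes injection possible with the parameterised form the
// experts recommend, and applies a "reject over-long ids" check to the
// query string. Table/column names (Cities, CityId, Name) are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CityLookup
{
    // VULNERABLE: the request value becomes part of the statement text, so
    // "1234 OR 1=1" or "1234;DROP TABLE Users" is executed as SQL.
    // Kept only to make the difference visible; never deploy this form.
    public static string BuildUnsafeQuery(string rawId)
    {
        return "SELECT Name FROM Cities WHERE CityId = " + rawId;
    }

    // Validation step: accept at most four decimal digits and nothing else.
    public static bool TryParseCityId(string rawId, out int cityId)
    {
        cityId = 0;
        if (rawId == null || !Regex.IsMatch(rawId, @"^\d{1,4}$"))
            return false;
        return int.TryParse(rawId, out cityId);
    }

    // SAFE: the statement text is a constant; the id travels as a typed
    // parameter and can never be interpreted as SQL syntax.
    public static string GetCityName(string connectionString, int cityId)
    {
        const string sql = "SELECT Name FROM Cities WHERE CityId = @CityId";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@CityId", SqlDbType.Int).Value = cityId;
            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matches
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }

    // Demonstration without a database: shows what each input would have
    // done to the unsafe statement and whether the validator accepts it.
    public static void Main()
    {
        string[] samples = { "1234", "1234 OR 1=1", "1234;DROP TABLE Users" };
        foreach (string s in samples)
        {
            int id;
            Console.WriteLine("input: {0}", s);
            Console.WriteLine("  unsafe statement: {0}", BuildUnsafeQuery(s));
            Console.WriteLine("  accepted by validator: {0}", TryParseCityId(s, out id));
        }
    }
}
```

In a page's code-behind the two safe pieces combine as: call `CityLookup.TryParseCityId(Request.QueryString["id"], out id)` first, answer with a 400 status when it returns false, and only then call `GetCityName` with the parsed integer. The validator is a second line of defence; the parameter is what actually removes the injection.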
 

Author Comment

by:bmanmike39
ID: 36596313
Still not working, got attacked again.
 
LVL 4

Expert Comment

by:guramrit
ID: 36597349
Are you able to identify the source and cause of the attack? If you're sure that it is because of SQL injection then post the attacked code and that'll help us.
 

Author Comment

by:bmanmike39
ID: 36816140
All of the pages are from the database and you can see in the db what was injected. On one of the pages I have YouTube embedded videos. I got a warning from my browser virus protection that says: scripting injection (1904)
 
LVL 25

Expert Comment

by:jogos
ID: 36918492
IIS logs to see what's coming in?

"The name field was one of the fields hacked"
Obviously a numeric value limits the possibility to pass code. You can prevent strings from being passed that contain dangerous characters like '=' ';' or quotes themselves. Then even dynamic SQL becomes a little safer.

Prevent the account (not SA) of your web-application from doing DDL statements. A normal application does not need to add columns, drop or create tables ..... .
 

Author Comment

by:bmanmike39
ID: 36942685
Please explain this.  I don't understand "Prevent the account (not SAoff your web-application to do"

Thx!
 
LVL 25

Expert Comment

by:jogos
ID: 36942829
I hope your web-app does not use the SA user to connect to the db. The account it uses to connect to the database should have limited access, this is reading and writing into tables (DML: data modification language) but not dropping tables, creating tables, adding columns to tables .... (DDL: data definition language)
http://msdn.microsoft.com/en-us/library/ms191291(SQL.100).aspx
 
LVL 25

Expert Comment

by:jogos
ID: 36942944
But mind, if you prevent DDL, it does not stop SQL injection. Deleting rows will still be possible as your application will need that for its working (I think).

Any dynamic SQL must be reviewed so that no data can be passed that can be a new SQL statement on itself or extends a query. (id = 1, what you intend, becomes id = 1 OR 1=1)....
Best never use dynamic SQL, but where necessary limit the chances that input will contain data that is not allowed.

For example your e-mail form. That will contain a large text field that is perfect for passing SQL commands.
 
LVL 25

Expert Comment

by:jogos
ID: 36943327
We do not have a response on what you checked or if you changed anything at all. Maybe this will be a link that gives an overview of the things to do.
http://www.mssqltips.com/sqlservertip/1559/recover-from-a-sql-injection-attack-on-sql-server/
 

Author Comment

by:bmanmike39
ID: 36963971
Still trying the suggestions, will get back to you.
 

Author Comment

by:bmanmike39
ID: 36996083
Can I shorten the values number for the membership provider tables in my database without damaging the db?
 
LVL 25

Expert Comment

by:jogos
ID: 36998038
Which values? But it seems another topic to me.
 

Author Comment

by:bmanmike39
ID: 37015433
The length of the varchars in the authentication table, like for the username.
 
LVL 25

Expert Comment

by:jogos
ID: 37016224
The standard won't prevent entering longer names, so you could run into SQL errors that are not giving a good message to the user.
Do you think the SQL injection happens through your membership provider tables? I think that is handled there.
 

Author Comment

by:bmanmike39
ID: 37017884
My provider tables have the string starting with <title in them because of the additional space.
 
LVL 25

Expert Comment

by:jogos
ID: 37018516
So you want to customize your membership provider; take a look at http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider.

More important than the length is what characters are allowed and what you do with it. Without ' " ; < = > it's a lot harder to use SQL injection. And avoiding the use of dynamic SQL will prevent the bad strings from being activated as a SQL command.
 

Author Comment

by:bmanmike39
ID: 37040004
No, I want to change the datatype length in the userName field from the default of nvarchar(256) to nvarchar(15) without breaking the membership system. All the members in the system are under 15 characters.
 
LVL 25

Expert Comment

by:jogos
ID: 37041109
SQL injection was the topic, wasn't it?
 

Author Comment

by:bmanmike39
ID: 37046306
Yes, and what to do to stop it in this circumstance. The only fields getting hacked are the asp.net tables.
 
LVL 25

Expert Comment

by:jogos
ID: 37047227
You are getting hacked and they use tables they suppose are there, since you use the membership authentication, so anyone knows their names.

And I did answer your membership question (which for me is another question):
- you have to limit the size of the input boxes (do you have a password-question?)
- you must see/test that nothing of the used code can crash uncontrolled because you change the table specs, and if that's not possible you must customize the membership solution

Did you see in the IIS logs how you are getting hacked? Do you have proof or are you just limiting all the fields that are possible? Do you use dynamic SQL.... or how do you open your database? User roles to limit SQL actions?

So I see I'm still asking the same questions and did not have any response on those. I guess I (and others) gave enough answer on 'how to prevent' and what to check.

A last suggestion you can have from me:
- SQL triggers or self-made logging in your stored procedures can also help in
- SQL trace will slow down and only will give results when you trace at the moment of the attack, so only if you're attacked frequently
 

Author Comment

by:bmanmike39
ID: 37048122
I viewed and attempted to do all that was suggested. The attacks seem to be direct through the URL, because the script being run against the site is no longer working against the table I restricted. I am just concerned about breaking the membership system if I restrict the number of characters in the asp.net tables.

Also, all of the input boxes on the front side of the site have been restricted, again except for the asp login control. They have not been able to set up an account because the site does not have a join or membership form. All accounts are added manually.

I connect to the db through a local connection string using Windows authentication.

I'm trying the IIS logs but what am I looking for?

One line:
2011-10-20 23:53:11 80.86.166.402 GET /SIT NAME/WebResource.axd d=7YXovajRygwSNfqRjERoPVZIqoDpO7vDAoMZKFYRTWD9DHXbO3FblUMhY0iH9f0pmoM69o4oRp9OAU9NR0dFGk3PUUM1&t=634540719545726250 80 - 99.123.142.155 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.1;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+.NET4.0C) 200 0 0
 
LVL 25

Accepted Solution

by:
jogos earned 500 total points
ID: 37049122
Log
In the log you can find the URL parameters that are passed, so normally it should be something like
  USERID=12345
but it's wrong when it's showing like
   userid = 12345 or 1=1
this is only pulling too much data because of the always-true condition.
It gets more obvious when not only values are passed but real SQL commands (DML or DDL):
    userid =12345;drop table users
=> it's obvious that this isn't so healthy
=> any SQL keyword in a URL parameter: select, alter, drop, exec, insert, update, declare,...

On this link you find an example; look for example after the 'Good luck'
http://stackoverflow.com/questions/3772793/has-anyone-found-out-how-this-was-done-sql-injection

SQL-Security
I read "against the table i restricted.". It sounds to me like 'they broke in by the kitchen window, so I blocked the kitchen window but I left the other windows as they were'.
I hope you restricted more than that. The SQL login should only have the explicit security that is needed. They have altered one of your tables -> this couldn't happen if they don't have any right to create or alter a table.

Membership
You can alter, but as I said earlier 'test, test' and if there is a problem you have to customize.
How will limiting the column size help you?
Are you sure it's not one of your accounts who is 'playing around'?

It's not necessary to be logged in. If in the account field they can add more characters, or they can fabricate the URL themselves, something like
 login.aspx?uid=12345andmysqlhackcodehere
 
LVL 25

Expert Comment

by:jogos
ID: 37054322
'I connect to the db through a connection string local using windows authentication.'

Windows authentication, and which user may that be (but don't answer this in public)? A specific Windows user for your website? No? Then it is better to make a specific SQL login for your application and restrict its permissions to the minimum.
http://www.dnzone.com/go?503
 
LVL 25

Expert Comment

by:jogos
ID: 37054337
And for you I put the heading and the only line of your IIS log together:

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-10-20 23:53:11 80.86.166.402 GET /SIT NAME/WebResource.axd d=7YXovajRygwSNfqRjERoPVZIqoDpO7vDAoMZKFYRTWD9DHXbO3FblUMhY0iH9f0pmoM69o4oRp9OAU9NR0dFGk3PUUM1&t=634540719545726250 80 - 99.123.142.155 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.1;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+.NET4.0C) 200 0 0

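The Fields header above tells you which column holds the query string, and the accepted answer lists what to look for in it. The scanner below is an added example, not code from the thread: it reads W3C-format IIS log lines, finds the cs-uri-query column from the header, decodes it, and reports requests whose query string carries SQL keywords or the "or 1=1" pattern. The sample lines and the keyword list are constructed; the IP addresses are documentation ranges, not anything from the asker's log.

```csharp
// Added example, not from the thread. Flags IIS log requests whose query
// string looks like SQL rather than a plain parameter value.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class IisLogScanner
{
    // Things a legitimate query string on this site never contains. Assumed
    // list; tune it to what your own pages actually send.
    static readonly Regex Suspicious = new Regex(
        @"\b(select|insert|update|delete|drop|alter|exec|execute|declare|union)\b" +
        @"|\bor\s+1\s*=\s*1\b|['"";]|--",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    static string Col(string[] cols, int idx)
    {
        return idx >= 0 && idx < cols.Length ? cols[idx] : "-";
    }

    public static List<string> Scan(IEnumerable<string> lines)
    {
        var hits = new List<string>();
        string[] fields = null;
        int q = -1, ip = -1, stem = -1;
        foreach (string line in lines)
        {
            if (line.StartsWith("#Fields:"))
            {
                // Column order comes from the header, not from a fixed layout.
                fields = line.Substring("#Fields:".Length).Trim().Split(' ');
                q = Array.IndexOf(fields, "cs-uri-query");
                ip = Array.IndexOf(fields, "c-ip");
                stem = Array.IndexOf(fields, "cs-uri-stem");
                continue;
            }
            if (fields == null || q < 0 || line.StartsWith("#")) continue;
            string[] cols = line.Split(' ');
            if (cols.Length != fields.Length) continue; // malformed line; count these separately in practice
            // IIS stores the query as sent; undo + and %xx so "or+1%3D1" is still caught.
            string query = Uri.UnescapeDataString(cols[q].Replace('+', ' '));
            if (query != "-" && Suspicious.IsMatch(query))
                hits.Add(string.Format("{0} {1} {2} {3}?{4}",
                    Col(cols, 0), Col(cols, 1), Col(cols, ip), Col(cols, stem), query));
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample log: one normal request and two that should be flagged.
        string[] sample =
        {
            "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
            "2011-10-20 23:53:11 10.0.0.5 GET /site/page.aspx id=1234 80 - 198.51.100.7 Mozilla/4.0 200 0 0",
            "2011-10-20 23:54:02 10.0.0.5 GET /site/page.aspx id=1234+or+1%3D1 80 - 203.0.113.9 Mozilla/4.0 200 0 0",
            "2011-10-20 23:54:40 10.0.0.5 GET /site/page.aspx id=1234;drop%20table%20users 80 - 203.0.113.9 Mozilla/4.0 500 0 0",
        };
        foreach (string hit in Scan(sample))
            Console.WriteLine(hit);
    }
}
```

Run it over the real log files and group the hits by client IP and by page: a page that shows up repeatedly is the one whose parameter handling needs the parameterised-query fix, and the timestamps tell you whether the injection attempts line up with the moments the database rows changed. The asker's own line (a WebResource.axd request with an opaque `d=` token) would not be flagged, which is expected; that resource is not where a SQL injection would go in.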
 

Author Closing Comment

by:bmanmike39
ID: 37082565
Thanks for the help. I just have to look into it more.
