General discussion

SQL Injection Attacks

By xcode ·
My web server has MsSql at the back-end and ASP at the front-end. A UserID, Password, and a dynamically generated code field are present on the website for the user to log on. There are other features in the website such as search and advanced search.

At the back-end, we are using stored procedures to secure against injection attacks. However, according to the results of an audit done on the site using tools (both commercial and open-source), the results have been otherwise. A clear situation of a successful SQL injection attack has been shown in the report (in the advanced search field and other pages).

My questions and concerns are:
a) Does using stored procedures not thwart the injection attack?
b) What other possible method can I implement to ensure consistency and security over the site?
c) How do I test the security myself (with or without the third-party tools)?

Your opinions and suggestions are welcome.
Thanks.

15 total posts (Page 1 of 2)

All Comments

by erdeira In reply to SQL Injection Attacks

I cannot speak for MySQL specifically since I develop for Oracle and SQLServer databases, but the principle should be the same.

Q: Does stored procedure use thwart injection attacks?

A: It depends upon the stored procedure employed.

One of the primary reasons that stored procedures are developed is that they facilitate the use of validation logic. If a stored procedure does not perform any validation of input - e.g. it simply accepts parameters without validation - then it is vulnerable.

For example: a common validation step is to confirm that input does not contain a semicolon.
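A constructed T-SQL illustration of the point above, added here and not part of the thread: a stored procedure is only a barrier if it keeps the user's value out of the SQL text. Table, column and procedure names are assumptions.

```sql
-- Constructed example (not from the thread). Table dbo.Products and the
-- procedure names are assumptions for illustration.

-- VULNERABLE: the procedure is "stored", but it concatenates the parameter
-- into a dynamic statement, so the value is executed as SQL text. A term
-- containing a quote can close the literal and append its own clause.
CREATE PROCEDURE dbo.usp_SearchProducts_Unsafe
    @Term NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products '
             + N'WHERE Name LIKE ''%' + @Term + N'%''';
    EXEC (@sql);   -- @Term has become part of the statement
END;
GO

-- SAFE: the value travels only as a parameter. Concatenating it into the
-- LIKE pattern happens at data level, not statement level, so it cannot
-- terminate the literal or add a second statement.
CREATE PROCEDURE dbo.usp_SearchProducts
    @Term NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductID, Name
    FROM dbo.Products
    WHERE Name LIKE '%' + @Term + '%';
END;
GO

-- If dynamic SQL is unavoidable (optional columns, sort order), keep the
-- user value out of the text and pass it through sp_executesql.
CREATE PROCEDURE dbo.usp_SearchProducts_Dynamic
    @Term NVARCHAR(100),
    @SortByName BIT
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductID, Name FROM dbo.Products '
      + N'WHERE Name LIKE ''%'' + @t + ''%'''
      + CASE WHEN @SortByName = 1 THEN N' ORDER BY Name' ELSE N'' END;
    EXEC sp_executesql @sql, N'@t NVARCHAR(100)', @t = @Term;
END;
GO
```

The same rule applies on the ASP side: the page must invoke the procedure with an ADO Command parameter rather than building an `EXEC usp_SearchProducts '...'` string from the form value, otherwise the injection simply moves to the caller.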

by xcode In reply to

Yes, the back-end is using a validation check against the input on site fields - user id, password, and the dynamically generated code.

However, the fields of concern are other pages (search, advanced search etc.) which are susceptible to the injection.

How can I check, manually or through tools, for the kind of values that result in unexpected output from the site?
Also, how should I secure my site against these procedures?

Thanks for your efforts.


by xcode In reply to SQL Injection Attacks

Anyone!!!?


by alin.selicean In reply to SQL Injection Attacks

To answer your question:
a) you can use whatever you want for business logic, but if you don't check user input for suspicious characters and/or strings, you're vulnerable.
b) there are no other methods but user input checking to mitigate SQL Injection attacks.
c) do a Google search on "sql injection" (here's the link for your convenience: http://www.google.ro/search?hl=ro&q=sql+injection&meta=) and in the results you should be able to find a SQL Injection whitepaper (here's the link: http://www.ngssoftware.com/papers/advanced_sql_injection.pdf). Read it as it describes a basic SQL Injection attack which you can exercise. Or, here: http://www.acunetix.com/websitesecurity/sql-injection.htm, you can read how to find out if you're vulnerable or not and what you can do to fix it. There is no predefined way of eliminating a SQL injection vulnerability (i.e. to use whatever tool and you're safe). Plain and simple user input validation.

HTH,
Alin


by alin.selicean In reply to

You asked about how to check the results in other pages.

One idea would be to use Response.Write "string" with user input constructed with the rest of the search statement or whatever is used to build the search criteria. Then use a Response.End to stop the ASP processing and read the final SELECT built with whatever criteria were specified by the user. That's kind of debugging. If you want to capture user input, you can use another table to record all of the search criteria entered by a user and then you can inspect that table to discover attack attempts and, if required, to take actions accordingly.

That's an idea, which might not be the best one. But I hope it helps.

Alin
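A constructed sketch of the logging idea above, added here and not from the thread (the table, procedure and sample rows are assumptions): record each submitted search string through a parameterised procedure, then review the table for typical injection markers.

```sql
-- Constructed example (not from the thread). Names are assumptions.
CREATE TABLE dbo.SearchAudit (
    AuditID    INT IDENTITY(1,1) PRIMARY KEY,
    LoggedAt   DATETIME      NOT NULL DEFAULT (GETDATE()),
    ClientIP   VARCHAR(45)   NOT NULL,
    PageName   VARCHAR(100)  NOT NULL,
    SearchText NVARCHAR(500) NOT NULL
);
GO

-- The ASP page calls this with parameters. A logger that concatenates the
-- search string into its own INSERT would be injectable itself.
CREATE PROCEDURE dbo.usp_LogSearch
    @ClientIP VARCHAR(45), @PageName VARCHAR(100), @SearchText NVARCHAR(500)
AS
    INSERT dbo.SearchAudit (ClientIP, PageName, SearchText)
    VALUES (@ClientIP, @PageName, @SearchText);
GO

-- Constructed sample rows: one ordinary search, two that carry the kind of
-- strings an audit tool like the one mentioned in the thread submits.
EXEC dbo.usp_LogSearch '10.0.0.5', 'advsearch.asp', N'laptop';
EXEC dbo.usp_LogSearch '10.0.0.5', 'advsearch.asp', N'laptop'' OR 1=1--';
EXEC dbo.usp_LogSearch '10.0.0.9', 'search.asp',    N'''; DROP TABLE Products--';

-- Review query: rows containing common SQL injection markers. Expect the two
-- constructed attack rows (and not the plain "laptop" search) to be returned.
SELECT LoggedAt, ClientIP, PageName, SearchText
FROM dbo.SearchAudit
WHERE SearchText LIKE '%''%'         -- a quote character
   OR SearchText LIKE '%--%'         -- T-SQL line comment
   OR SearchText LIKE '%;%'          -- statement separator
   OR SearchText LIKE '% OR %'       -- boolean tampering
   OR SearchText LIKE '% UNION %'    -- result-set grafting
ORDER BY LoggedAt;
```

Legitimate searches can contain a quote (names like O'Brien), so treat hits as leads to review alongside the web server log rather than as proof on their own.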


by xcode In reply to SQL Injection Attacks

Thanks Alin.

I have read the topics you have specified. I have Acunetix v3.0 and tested the site through it. Through it I was able to get the possible weaknesses in the site and hence this question.

As you suggested, I had already worked out injection strings to my understanding and knowledge of this subject. I also studied the report generated by Acunetix with the tested parameters making the site vulnerable. However, the security of the website could not be completely tested with this information.

I need to test in max. possible detail considering the possible methods that intruders may employ. I understand this might be a difficult question to explain for someone & work out for me as well, but I know it's an achievable metric.

All suggestions and guidance on this subject are absolutely welcome.

Thanks for your time.


by alin.selicean In reply to SQL Injection Attacks

Hi,
if you say that you secured the web site the best you knew, here's another method of dealing with these kinds of attacks, of course if you can afford it or the nature of your data allows it. You can use two SQL servers, one as back-end (BE) (which will hold your data) and another one as your front-end (FE) (holding only a read-only copy of your data). Data is transferred from BE to FE using DTS or any other acceptable way. The web site will pull its data from FE. If FE is compromised, you can restore it in no time (there are several ways to achieve this). If there is data that needs to be transferred from FE to BE, you can figure out a way to transfer it, with further validation. If the database is not bigger than 2G, you might want to consider using MSDE for FE (or SQL 2005 Express, and the limit rises up to 4G).

You also might want to consider if your search pages are susceptible to revealing any sensitive data as a result of a SQL injection attack.

Alin


by xcode In reply to SQL Injection Attacks

True Alin. That is a good option that can be implemented.

The best way I secure my webserver is by regularly updating the system and ensuring my box has the latest patches and virus/trojan definitions.

However, even if I create 2 servers (FE+BE), the situation may be less severe but the priority level for both of them would still be high. The attacker might now be able to hit the data as critically as earlier, but the chances of him/her being 'completely' unable to access the db are still equal to the present.

Since data on these dbs is critical, my first concern is to ensure strong authentication and validation along with structuring the site design and code structure (if need be) so as to render SQL Injection attacks ineffective.

I have studied the audit report from Acunetix & tried to use the specified parameters on the site, but it didn't work out well. It's kind of incomplete information for me until I understand the weakness & test appropriately.

Thanks again for your efforts.
More suggestions and opinions from you & people from the domain are welcome.


by alin.selicean In reply to

Hi,

Can you send me the report from Acunetix, of course without any parts that you consider sensitive? If I can have a look at the report, I might be able to suggest more options.

You have in my profile a link to my personal web site, where you can find my contact details.

Cheers,
Alin
