Sunday, May 4, 2008

It's SQL injection, Not IIS vulnerability

Half A Million Microsoft-powered Sites Hit With SQL Injection.

Few days ago, people thought it was an IIS vulnerability but eventually it is a SQL injection. And Aaron Bertrand have few pieces of advices for web developers:
1) Do not expose your SQL Server to the Internet directly.

From TechNet: A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP Echo message, you must enable the Allow incoming echo request setting.
Beware if you turn this on!

2) Make your passwords strong.
3) Follow the principle of least privilege Always use stored procedures, or at least parameterized statements .
4) Use TRY/CATCH to return more generic error messages.
5) Do not store passwords in your Users table.

And some tips from Open Web Application Security Project (OWASP), there're few ways for testing the SQL Server:
1: Testing for SQL Injection in a GET request.
2: Testing for SQL Injection in a GET request (2).
3: Testing in a POST request
4: Yet another (useful) GET example
5: custom xp_cmdshell (Especially those who are still using MSSQL 2000!)
6: Referer / User-Agent
7: SQL Server as a port scanner
8: Upload of executables
9: bruteforce of sysadmin password.

Have you tried it on your server?

2 comments:

Fred said...

Right, it's actually an issue with improperly secured code that wasn't created following security best practices. It's important to make sure your database is secure from SQL Injections; there's a video explaining how to defend your site on Hello Secure World - http://www.microsoft.com/hellosecureworld/level7

gary said...

Hi fred,
thanks for your link!