The SQL Injection Attack is alive and well.

The Lounge · Tags: database, question, announcement · 38 Posts, 15 Posters
This topic has been deleted. Only users with topic management privileges can see it.
  • Henry Minute wrote:
    Yup. In the sense that I was head of the dept that employed them and conducted the interviews. LAN only stuff back then though. From the comments it would seem that things have changed more than a little since then.

    Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.” I wouldn't let CG touch my Abacus! When you're wrestling a gorilla, you don't stop when you're tired, you stop when the gorilla is.

    Andy Brummer, #25

    That makes more sense. Typically the SAs I've worked with are deployment monkeys that just keep the OS running.

    Curvature of the Mind now with 3D

    • Chris Meech wrote:

      AspDotNetDev wrote:

      but the main step is to not use code that allows for SQL injection.

      A proper use of security would help as well. It's one thing to allow a user to type or inject "delete ...", it's quite another to actually authorise a user to do that. :)

      Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]

      AspDotNetDev, #26

      Indeed, it would help, but still doesn't prevent all forms of mischief. If you have an SP that deletes records of a particular type, then that may allow a user to cause some damage. The main form of defense is the code (parameterized queries).

      [WikiLeaks Cablegate Cables]

      • Henry Minute wrote:

        According to this report, it is difficult to believe that Systems Administrators are unaware of this exploit and yet numerous sites are still vulnerable.

        Mycroft Holmes, #27

        from the article:

        Generally, the sites being hit are small businesses, community groups, sports teams and many other mid-tier organisations.

        A lot of these would be single devs, possibly juniors getting experience. If I saw this from a senior dev, whoosh out the door. SQL Injection is sooo easy to stop it is ridiculous that it is still a threat.

        Never underestimate the power of human stupidity RAH

        • OriginalGriff wrote:

          Henry Minute wrote:

          It is difficult to believe that Systems Administrators are unaware of this exploit

          You don't spend enough time in Q&A: nobody seems to be taught about it, even in passing... :sigh:

          Real men don't use instructions. They are only the manufacturers opinion on how to put the thing together. Manfred R. Bihy: "Looks as if OP is learning resistant."

          gavindon, #28

          I will say, the one SQL class I took to get my recent associate's degree never mentioned anything remotely close to this. It was all about how to build a table, keys, etc., without ever ONCE mentioning anything about "maybe this is not good practice" or the fact that if something is poorly constructed, it is simple to "hack" with injections. Neither did anything in ANY of my programming classes. I've learned more about security on CP than was ever even mentioned in my school.

          Programming is a race between programmers trying to build bigger and better idiot proof programs, and the universe trying to build bigger and better idiots, so far... the universe is winning.

          • Mycroft Holmes wrote (quoted in full at #27 above):

            Henry Minute, #29

            Mycroft Holmes wrote:

            A lot of these would be single devs, possibly juniors getting experience.

            Good point.

            Mycroft Holmes wrote:

            SQL Injection is sooo easy to stop it is ridiculous that it is still a threat.

            Quite agree.

            • AspDotNetDev wrote:

              OriginalGriff wrote:

              It was in with your Certificate

              Speaking of, did you get yours yet?


              OriginalGriff, #30

              No, but I assume that the Hamsters are swimming across the Atlantic with it gripped in their teeth - that's got to take a while...


              "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
              "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt

              • gavindon wrote (quoted in full at #28 above):

                OriginalGriff, #31

                Damn. I hate it when I am right! :-D

                • AspDotNetDev wrote:

                  Isn't that more the responsibility of a programmer than a systems administrator? I suppose a properly secured database helps (i.e., you can disallow arbitrary SQL code and only allow stored procedures to execute), but the main step is to not use code that allows for SQL injection.


                  Timothy Carroll, #32

                  I agree. Anecdotally, most SysAdmins I know are well aware of this attack vector, but many developers I know still do string sanitation instead of parameterization. This is squarely in developer and QA's corners. DBAs are only involved if they are part of the code auditing process (MANY times, they are not). SysAdmins would rarely ever be involved except when they set up IPS rules because their developer colleagues can't write secure code.

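The difference AspDotNetDev (#26) and Timothy Carroll (#32) are pointing at, between "string sanitation" and parameterization, as an added example that is not code from this thread or from any poster: a concatenated query, the usual home-grown quote-escaping "sanitizer", and a parameterized query, each run against a small constructed SQLite table. The `users` table, its two rows, the `escape_quotes` helper and the payloads are all assumptions made for the demo; SQLite is used only so it runs offline, and the behaviour is the same on SQL Server.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concat(conn, name, pw):
    """Vulnerable: input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """The typical hand-rolled 'sanitizer': double every single quote."""
    return str(value).replace("'", "''")


def login_escaped(conn, name, pw):
    """Quote-escaping does close the hole in login_concat for quoted strings..."""
    sql = (f"SELECT name FROM users WHERE name = '{escape_quotes(name)}' "
           f"AND pw = '{escape_quotes(pw)}'")
    return [row[0] for row in conn.execute(sql)]


def user_by_id_escaped(conn, user_id):
    """...but does nothing in a numeric context: there are no quotes to escape,
    so '1 OR 1=1' goes straight into the WHERE clause."""
    sql = f"SELECT name FROM users WHERE id = {escape_quotes(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pw):
    """Parameterized: the SQL text is fixed at write time; the values are sent
    separately and are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


def user_by_id_param(conn, user_id):
    """Parameterized numeric lookup: '1 OR 1=1' is compared as a value, not parsed."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    # Note: Python's sqlite3.execute() refuses stacked statements ("; DELETE ..."),
    # which is a driver quirk; SQL Server command text runs them as a batch.
    db = make_db()
    tautology = "' OR '1'='1"
    print(login_concat(db, "alice", tautology))    # every user: ['alice', 'bob']
    print(login_escaped(db, "alice", tautology))   # []
    print(user_by_id_escaped(db, "1 OR 1=1"))      # every user again: ['alice', 'bob']
    print(login_param(db, "alice", tautology))     # []
    print(user_by_id_param(db, "1 OR 1=1"))        # []
```

The escaping helper looks like it works because the first thing everyone tests is a quoted string; the numeric lookup shows why "sanitizing" has to know every context the value will land in, while the parameterized versions need no such knowledge.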
                  • Henry Minute wrote (quoted in full at #27 above):

                    MadMyche, #33

                    I got to do some seek & destroy on Friday to look for this 'new' exploit, and while going through files and DBs I read more and more on this attack.

                    First of all, there was nothing new about this attack. Second, this isn't a new attack. Forensic packet analysis has shown this has been going on since October. Third, Websense is reporting that it affects SQL Server 2000, 2003 & 2005.

                    A. I must have missed MS releasing SQL Server 2003.
                    B. IMHO this method could affect any DB, as the root of the problem was the application.
                    C. IMHO the reason they hadn't seen 2008 affected is due to better coding standards now in place:
                       C1. Fewer ASP sites on the web
                       C2. More validation in the applications to detect & eliminate rogue data
                       C3. The various frameworks applications use to talk to the DB (LINQ, Entity Framework)

                    I will not relieve the DBA of responsibility, as I also believe that Stored Procedures should be the norm for I/O operations.

                    • Henry Minute wrote (quoted in full at #27 above):

                      Peter Mulholland, #34

                      Was that a genuine report or an April fools?

                      Pete

                      • Peter Mulholland wrote (quoted in full at #34 above):

                        Henry Minute, #35

                        I took it as genuine.

                        • wizardzz wrote:

                          IMO it's the job of the DBA to allow only SPs and the developer to sanitize any input parameters. So, it's everyone's fault. Given the description of the hacked sites, I'm guessing this is the exploitation of an open source or cheap product they all used in common, assuming that SQL injection would have been accounted for. It could even be an inside job from the developers of the common software.

                          "Life should not be a journey to the grave with the intention of arriving safely in a pretty and well preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming "Wow! What a Ride!" — Hunter S. Thompson

                          Spectre_001, #36

                          Current best practice is to use parameterized queries. This is what most ORMs do under the hood. If you only allow SPs, you have to hand constructed SQL to your ORM, which negates the reason for using an ORM in the first place. If you are not using an ORM, then I would agree that the safest thing to do is to only allow SPs at the DB level, but it is not the only solution. If you have decent developers, parameterized queries are still the way to go. Limiting DB access to SPs is not necessarily best practice, but it does help protect you from developers that don't know what they are doing (the best thing is probably not to hire those guys in the first place).

                          Kevin Rucker, Application Programmer QSS Group, Inc. United States Coast Guard OSC Kevin.D.Rucker@uscg.mil "Programming is an art form that fights back." -- Chad Hower

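Chris Meech's point (quoted in #26) that letting a user inject "delete ..." is one thing and authorising that user to run it is another, and Spectre_001's point above that limiting what the DB account may do protects against developers who get the code wrong, as an added example that is not code from this thread or from any poster. SQLite has no GRANT, so the least-privilege application account is stood in for by a read-only connection (`mode=ro`), and `executescript` is used so that the stacked statement runs as one batch, the way a SQL Server command text would (Python's `execute` refuses stacked statements). The `orders` table, the payload and the temp file are all constructed for the demo; the concatenation bug is left in deliberately so the two connections can be compared.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed stacked-query payload: closes the literal, appends a DELETE,
# comments out the rest of the original statement.
PAYLOAD = "x'; DELETE FROM orders; --"


def make_db(path):
    """Constructed sample table for the demo (not from the thread)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO orders (customer) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    conn.close()


def count_orders(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def vulnerable_lookup(conn, customer):
    """Deliberately vulnerable concatenation, run as a batch.
    Returns (error message or None, rows left in the table afterwards)."""
    sql = f"SELECT id FROM orders WHERE customer = '{customer}';"
    try:
        conn.executescript(sql)      # the SELECT runs, then the injected DELETE
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)                 # "attempt to write a readonly database"
    return err, count_orders(conn)


def demo():
    """Same injected batch through a least-privilege connection and an
    over-privileged one; returns ((ro_error, ro_rows), (rw_error, rw_rows))."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        make_db(path)

        # Least-privilege stand-in: the web app's account may only read.
        # The injection still happens, but the DELETE is refused by the DB.
        ro = sqlite3.connect(f"{Path(path).as_uri()}?mode=ro", uri=True)
        ro_result = vulnerable_lookup(ro, PAYLOAD)
        ro.close()

        # The same bug through a connection that is allowed to write:
        # the injected DELETE goes through and the table is emptied.
        rw = sqlite3.connect(path)
        rw_result = vulnerable_lookup(rw, PAYLOAD)
        rw.close()

        return ro_result, rw_result


if __name__ == "__main__":
    ro_result, rw_result = demo()
    print("read-only account:", ro_result)   # ('attempt to write a readonly database', 2)
    print("read-write account:", rw_result)  # (None, 0)
```

The read-only connection does not fix the injection; it limits the blast radius of it, which is the separate layer the two posts are talking about. On SQL Server the equivalent is a dedicated login for the application that holds EXECUTE on the procedures it needs and no direct DML on the tables.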
                          • Mycroft Holmes wrote (quoted in full at #27 above):

                            CurtainDog, #37

                            This ignores the fact that the exploit most likely comes from third-party code, so it's not at all easy to stop. The irony is that if you roll your own web framework your site might be much more secure even if your code is much less secure, by virtue of the fact that no one will bother to try to hack you. I still wouldn't recommend it though.

                            • CurtainDog wrote (quoted in full at #37 above):

                              Mycroft Holmes, #38

                              CurtainDog wrote:

                              This ignores the fact that the exploit most likely comes from third-party code

                              This is still a decision someone makes and that person needs to be responsible for that decision. Mind you I know nothing about said frameworks, I am a roll yer own type.
