MS SQL Database Breach
-
Hi there. Please, I am currently having a serious issue since my site database is at risk. Someone, somehow or one way or another, got access to my database and I don't know how he/she managed to do it. Recently I discovered various comments on posts, and the clients have now reported it to me. When I really checked, I saw that it is true. The hacker has access to all registered users' passwords and usernames. So what can I do, please, to avoid this?
-
Make sure your database server is behind a firewall, and is not exposed to the internet.

Review all of your code for SQL Injection vulnerabilities, which is the most likely culprit.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Stop storing passwords insecurely.
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

In terms of recovery, you'll need to restore your databases from the last known-good backup before the databases were defaced. You'll also need to notify all of your users of the data breach, and notify your local data protection controller. You may also need to prepare to pay a large fine if any of your users are covered by GDPR or similar legislation.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
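As an added example (my code, not code from this thread or from the articles it links), here is what "stop storing passwords insecurely" looks like in practice: a fresh random salt per user, PBKDF2-HMAC-SHA256 from Python's standard library, a self-describing stored record, and a constant-time comparison when verifying. The record format, function names and iteration count are this example's own choices; on an ASP.NET/SQL Server site the same approach is what a platform hasher such as ASP.NET Identity's PasswordHasher does for you, and after a breach like the one described every existing password should be reset, not just re-hashed.

```python
import hashlib
import hmac
import os

# Work factor and salt size chosen for this example; raise the iteration
# count over time and re-hash on next login (see needs_rehash below).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A new random salt is drawn for every call, so two users with the same
    password get different records and a leaked table cannot be attacked
    with one precomputed lookup for all rows at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the salt and work factor from the record and
    compare in constant time. Malformed or foreign records verify as False."""
    try:
        algo, iterations_text, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False
    if algo != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with an older, weaker work factor and
    should be rewritten the next time the user logs in successfully."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Store only the record string in the users table; the plaintext password never touches the database, so a dump of the table gives an attacker salted hashes to grind through rather than credentials to use immediately.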
Wow, thanks! I know I can count on you guys from CodeProject. I will take action right away.
-
Change the administrator password immediately. Then make sure all other passwords are changed as soon as possible.
Thanks, Sir! You have always been helpful. I have already changed the database password.
Thanks for your help so far, and sorry for disturbing you. Will it be possible for an attacker to select all table names from my database, without having any idea of the database name or anything related, using the browser address bar or any input field of my site? If yes, how can I prevent this? And, since some of the attacks might be triggered from the browser address bar by manipulating my site URL, my question is: can a routed URL, i.e. www.mysite.com/user/0683, be manipulated? If yes, how do I prevent this?
Otekpo Emmanuel wrote:
Will it be possible for attacker to select all table names from my database without having idea of the database name or anything related using the browser address bar or any input field of my site? If yes, how can I prevent this?
Yes, if your code is vulnerable to SQL Injection[^], an attacker can still dump your entire database.
Blind SQL Injection | OWASP[^]
Hacking is child's play - SQL injection with Havij by 3 year old[^]

The fix is to always use properly parameterized queries, and never concatenate values into the query itself - especially if those values could potentially be controlled or manipulated by the user.
Otekpo Emmanuel wrote:
My question is, can a routed url i.e www.mysite.com/user/0683 be manipulated?
Assuming the number is a sequential ID for your users, an attacker could try changing it to see if that can access information for other users. This is known as an Insecure Direct Object Reference (IDOR). If your code doesn't validate the user's permissions, this can lead to a security vulnerability.
Insecure Direct Object Reference Prevention - OWASP Cheat Sheet Series[^]

The fix is to always validate that the currently authenticated user has permission to access the data they are requesting.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
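An added example (mine, not from this thread or from the OWASP pages it links) covering both points in this reply, written in Python against an in-memory SQLite table that stands in for the site's user table so it runs offline: the concatenated lookup whose WHERE clause a quote character in the input can rewrite, beside the parameterized lookup that treats the input purely as data, followed by the server-side ownership check that the /user/<id> route needs so that changing the number in the address bar does not return someone else's record. The table, sample rows and function names are constructed for the example; in ADO.NET against SQL Server the parameterized form corresponds to passing SqlParameter objects to a SqlCommand instead of building the SQL string.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com"), (3, "carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE (shown only for contrast): the value is spliced into the SQL
    # text, so a quote in the input ends the literal and the rest is parsed
    # as SQL. An input such as  x' OR '1'='1  makes the WHERE clause always
    # true and returns every row instead of one.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # FIXED: the value travels as a bound parameter. The database compiles
    # the query with a placeholder and never parses the input as SQL, so the
    # same input above simply matches no username.
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def parse_route_id(segment: str) -> int:
    """The id part of /user/<id> arrives as text; accept only digits and
    reject anything else before it gets near a query."""
    if not segment.isdigit():
        raise ValueError(f"invalid user id in route: {segment!r}")
    return int(segment)


def get_profile(conn: sqlite3.Connection, current_user_id: int, requested_id: int, is_admin: bool = False) -> dict:
    """IDOR guard: being logged in is not the same as being allowed to see
    a given record. Check ownership (or an explicit admin role) on the
    server for every request, regardless of which id the URL carried."""
    if requested_id != current_user_id and not is_admin:
        raise PermissionError(f"user {current_user_id} may not view profile {requested_id}")
    row = conn.execute("SELECT id, username, email FROM users WHERE id = ?", (requested_id,)).fetchone()
    if row is None:
        return None
    return {"id": row[0], "username": row[1], "email": row[2]}


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"
    print("concatenated :", find_user_unsafe(db, probe))   # all three rows
    print("parameterized:", find_user_safe(db, probe))     # []
    uid = parse_route_id("0683")                            # the thread's example URL segment
    print("route id     :", uid)
    print("own profile  :", get_profile(db, 1, 1))
    try:
        get_profile(db, 1, 2)
    except PermissionError as err:
        print("blocked      :", err)
```

Note that the parameterized version alone does not fix the second problem: a perfectly safe `SELECT ... WHERE id = ?` still happily returns user 2's row to user 1 if nothing compares the requested id with the authenticated identity, which is why the ownership check lives in the handler and not in the query.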
OK. Thanks.