Passionately curious about Data, Databases and Systems Complexity. Data is ubiquitous, the database universe is dichotomous (structured and unstructured), expanding and complex. Find my Database Research at SQLToolkit.co.uk . Microsoft Data Platform MVP

"The important thing is not to stop questioning. Curiosity has its own reason for existing" Einstein

Wednesday 6 May 2009

SQL Injection

SQL Injection is a common vulnerability which can lead to the database being disabled, the web site displaying malicious contnet or even the the database can be destroyed. . Attacks come primarily through Web applications that allow an attacker to execute their own SQL commands on the application database. The defense against SQL-injection attacks must be code-based.

Protecting your code

A few simple steps you can take to protect your Web applications from SQL-injection attacks.

-Principle of Least Privilege
The account an application uses to connect to the database should have only the privileges that application requires.

-Validate All Input
Make the input is what you expect it to be.

-Avoid Dynamic SQL
Dynamic SQL is a great tool for performing adhoc queries, but combining dynamic SQL with user input creates exposure. You should replace dynamic SQL with prepared SQL or stored procedures .

-Use Double Quotes
Replace all the single quotes that your users' input contains with double quotes. Single quotes often terminate SQL expressions and give the input more power than is necessary.

Tools to help prevent and identify SQL Injection

Ensure the SQL Server is fully patched to include all security vulnerabilities

HP Scrawlr

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly.
Download here

UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
Download here

Microsoft Source Code Analyzer for SQL Injection tool
The tool is a static code analysis tool that helps you find SQL injection vulnerabilities in Active Server Pages (ASP) code.
Download here

SQLInjectionFinder (v1.5.0) Tool to help determine .asp pages targeted by recent SQL Injection attacks
Download here

No comments:

Post a Comment

Note: only a member of this blog may post a comment.