CodersBarn.com
The ASP.NET Community Blog

500,000 SQL Injection Attacks this Week

April 26, 2008 23:38 by agrace

Web Server Attacks From the Washington Post, April 25, 2008:

Quote... Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. Unquote...

Apparently there have been an estimated half-million attacks on different Web sites this week alone. There seems to have been a rush to judgement in trying to point the finger of blame at a recent Microsoft Security Advisory (951306). According to Bill Staples, Product Unit Manager for IIS, "Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

These attacks are not related to that security advisory; they are aimed at sites, on any platform, that are open to SQL Injection. What we are really seeing is a growth in SQL Injection over other types of attack. Although the technique has been around for a long time, it has gained in popularity among hackers over the last couple of years, and now seems to be more popular than cross-site scripting or buffer overflow exploits. I would argue that this would not be the case for ASP.NET sites if basic input validation and SQL parameters, in combination with stored procedures, were employed, as is the recommended practice.

At the very least, even if you are still using ASP and haven't time to convert to stored procedures, check your input data! All input data is evil and when designing your application you should take time to consider where else that input may be coming from, such as query parameters, cookies, etc. Watch this space...
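As an added illustration (not code from the original post), here is the string-concatenated query pattern that leaves an ASP.NET page open to SQL Injection, beside the validated, parameterized stored-procedure form recommended above. The Products table, the usp_GetProduct procedure and the connection string are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: an unsafe and a safe way to look up a product by the "id" query
// parameter in an ASP.NET page. Table name, procedure name and connection string
// are assumptions for illustration only.
public static class ProductLookup
{
    // VULNERABLE: the raw query-string value is spliced straight into the SQL text,
    // so whatever the visitor supplies becomes part of the statement the server runs.
    public static DataTable GetProductUnsafe(string connStr, string rawId)
    {
        string sql = "SELECT Name, Price FROM Products WHERE ProductId = " + rawId;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // SAFE: validate the input against the type you actually expect, then hand it
    // to a stored procedure as a typed SqlParameter. The value travels separately
    // from the SQL text, so it can never be interpreted as part of the statement.
    public static DataTable GetProductSafe(string connStr, string rawId)
    {
        int productId;
        if (!int.TryParse(rawId, out productId) || productId <= 0)
            throw new ArgumentException("ProductId must be a positive integer.");

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("dbo.usp_GetProduct", conn)) // assumed proc name
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@ProductId", SqlDbType.Int).Value = productId;
            using (var da = new SqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }
}
```

In a page, the call would be GetProductSafe(connStr, Request.QueryString["id"]); the same validate-then-parameterize pattern applies to form fields and cookies, which are just as much untrusted input.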

Categories: ASP.NET | IIS

Comments

April 29. 2008 22:38

ken

Nobody seems to want to pay for good (much less great!) software. Business decision-makers have this notion that writing software is easy and takes little skill, and that software developers are out to screw them at every turn. So, they do one of the following:

1) pick the development company with the cheapest quote
2) if developing in-house, they pay the developers far less than the company average
3) if in-house developers are actually paid well, there's still the possibility that they're far over-tasked and/or under-staffed (both due to complete thriftiness on their employer's part) so that projects are doomed from the onset

Exhibit A: http://www.711chan.org/ex/res/334.html

What you see there (in Exhibit A), is a list of companies that chose to go the cheap route. The old saying, you get what you pay for, still applies...

I'm not saying it's right to exploit or deface websites, however, but if you will notice, this happens from time to time. This time it was a wave of SQL-I attacks, but it could just as easily have been insecure OS/applications, XSS, XSRF, etc., and every time I see it happen, I get the mental image of a wild and raging forest fire, burning everything in its path, but what's left is plenty of room for regrowth and renewal.

ken

April 29. 2008 22:59

agrace

The following is the Blog Thread from Bill Staples (one of the managers on the IIS teams) and is the official Microsoft thread for this issue: http://forums.iis.net/p/1149068/1868206.aspx. The most recent post is actually a few scripts for ASP and ASP.Net that help protect against SQL Injection attacks. The thread will continue to have more information but I’ve included the latest information for your convenience:

Re: SQL Injection Attacks on IIS Web Servers

Today we provided a few scripts for ASP and ASP.net developers to help protect against SQL Injection attacks. Please see:

Nazim's post on steps to protect your classic ASP application here:

blogs.iis.net/.../...jection-from-classic-asp.aspx

and Stefan's post on how to protect your ASP.NET application here:

http://forums.asp.net/t/1254125.aspx

agrace

April 30. 2008 03:07

Aaronontheweb

500,000 injections this week? This is 2008, right? Damn - when will people learn to use the plethora of injection-safe technologies out there? Stored Procedures have been around for almost a decade for crying out loud!

Aaronontheweb

April 30. 2008 05:19

agrace

Well, it looks like they're hiring:

jobs.un.org/.../Display_Vac_List.aspx

Wink

agrace

April 30. 2008 09:11

pingback

Pingback from alvinashcraft.com

Dew Drop - April 30, 2008 | Alvin Ashcraft's Morning Dew

alvinashcraft.com

April 30. 2008 20:07

pingback

Pingback from tathata.wordpress.com

links for 2008-05-01 « Tathata - d’ Observer

tathata.wordpress.com
