http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspxNow it's time to rejoice and be positive. Following my different posts about the latest SQL injection attacks, I got all sort of comments. Roughly half of the commenters saying I am a moron, why you don't go back to school and protect your databases,enCommunityServer 2007 SP1 (Build: 20510.895)http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspx#6800738Mon, 22 Dec 2008 13:16:09 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6800738JonathanJonathan<p>How exactly are they able to execute the SQL code on your server?</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6800738" width="1" height="1">http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspx#6799997Sun, 21 Dec 2008 20:37:11 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6799997pbzpbz<p><em>&quot;I confirm that my code is doing all the checks required on the frontend. Because it&#39;s a cookie exploiting a flaw in IE, the execution of the code is totally transparent, nothing really I can do in my code. However securing the basics of SQL Server like the EXEC rights on the Master table has been successful. Paschal&quot;</em>&nbsp;</p> <p>If this a new threat that can bypass all my parameterized queries I&#39;m all ears! If that&#39;s the case &nbsp;a simple proof of concept would be helpful. What you&#39;re doing here, however, is securing SQL Server rather than fixing your application. Don&#39;t get me wrong, nothing wrong in securing your database, but you should fix your application first. If you can prove us that&#39;s fixed and the trojan successfully bypasses your checks please let us know with an example. Thanks.</p><img src="http://weblogs.asp.net/aggbug.aspx?PostID=6799997" width="1" height="1">http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspx#6799171Sat, 20 Dec 2008 14:54:54 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6799171ca8msmca8msm<blockquote> <p><em>&quot;Thanks for that info. Yes I am surely stupd because I don&#39;t know all the web config attributes by heart. Come on,&nbsp;be nice ;-)&nbsp; And yes if Microsoft can provide this behavior by default that will save a lot of my time Thanks anyway for the tip! - Paschal&quot;</em>&nbsp;</p></blockquote> <p>&quot;I think that the new threat posed by the trojan recently is that it used a flaw in Internet Explorer to be able to expose a cookie to a request stream and execute some SQL command.&quot;</p> <p>It&#39;s not really a flaw, and it&#39;s not just limited to IE. No-one apart from the caller should be able to view your cookies so if they are being sent elsewhere it&#39;s because YOU (not Microsoft) haven&#39;t locked them down successfully. Usually, a form of XSS is used to trick the page into sending the cookie elsewhere so I&#39;d suggest reading up on that first. Here&#39;s our wiki article on the subject:</p> <p><a href="http://wiki.lessthandot.com/index.php/ASP.NET:_How_to_set_cookies_as_httponly" target="_new" rel="nofollow">wiki.lessthandot.com/.../ASP.NET:_How_to_set_cookies_as_httponly</a></p> <p>I really wish people would take the responsibility of securing their websites themselves rather than looking to blame the web server or the server-side language they use. They provide the tools to serve your site but it&#39;s you who needs to secure it.</p><img src="http://weblogs.asp.net/aggbug.aspx?PostID=6799171" width="1" height="1">http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspx#6799151Sat, 20 Dec 2008 14:14:09 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6799151How to protect yourself against the latest SQL injection - help.netHow to protect yourself against the latest SQL injection - help.net<p>Pingback from &nbsp;How to protect yourself against the latest SQL injection - help.net</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6799151" width="1" height="1">