SQL Injection information for IIS admins and developers

The sql injection that has came up is affecting several ASP and ASP.NET applications. Although the only way to prevent an attack is validate the code, hopefully these posts will provide some direction. I included some links that discuss this more.

http://forums.iis.net/p/1149068/1868206.aspx (Post by Bill Staples)
http://forums.iis.net/t/1148917.aspx?PageIndex=1 (almost a million views, definitely worth reading)
http://forums.iis.net/p/1150026/1872364.aspx
http://forums.iis.net/p/1150023/1872371.aspx
http://forums.iis.net/p/987743/1278151.aspx

Here's a list of additional reading:

Building Secure ASP.NET Applications - Authentication, Authorization, and Secure Communication.
http://www.microsoft.com/downloads/details.aspx?FamilyID=055ff772-97fe-41b8-a58c-bf9c6593f25e&DisplayLang=en

Improving Web Application Security - Threats and Countermeasures
http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en

This link talks about the issue in ASP/NET perspective:SQL Injection Attacks:
http://msdn2.microsoft.com/en-us/library/aa302392.aspx#secnetch12_sqlinjectionattacks

Sample code provided by Microsoft to validate SQL statements.
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Log parser examples
http://weblogs.asp.net/steveschofield/archive/2008/04/26/clarification-on-iis-reported-sql-injection-exploits.aspx

Youtube
http://youtube.com (search for sql injections) This will show several videos posted on how people are doing this.

To do a quick find type from a command prompt

findstr "CAST(" ex080622.log > ss.txt (change the log file date)

Note the 'CAST' is case senstative

Hope this helps,

Steve Schofield

Published Monday, June 23, 2008 12:51 AM by steve schofield

Filed under: IIS, sql injection

Comments

# re: SQL Injection information for IIS admins and developers

Monday, June 23, 2008 4:07 AM by Steven

Steve,

First off, thanks the links are useful.

Theoretically, are there any means to ensure whatever the team does, does not leave any room for SQL Injection attacks?

# re: SQL Injection information for IIS admins and developers

Monday, June 23, 2008 7:56 AM by steve schofield

Hi Steven,

In theory, once you plug a box on the internet, it's not secure, not matter what you do. All you can do is do the best you can and follow best security practices. Validating request variables and not trusting user input is probably the one thing that will help the most. It might cause some issues with your application, but if it's done with security in mind, it should be sufficient of a reason.

Good luck,

Steve

# re: SQL Injection information for IIS admins and developers

Monday, June 23, 2008 9:12 AM by rrobbins

This blog article has some good information on exactly how these attacks are being done: blogs.ittoolbox.com/.../a-look-at-aprils-mass-sql-injection-attack-for-aspnet-sql-server-environments-25388

Steve Schofield Weblog

Search

Tags

News

Navigation

Archives

Blogs

Hosting Needs

Misc components

Misc Links