Bytes IT Community

IIS SQL Injection woes...

Hi,

I'm curious about the best way to avoid SQL Injection attacks against
my web server.

Currently I'm on IIS.

I might be willing to switch to something like Apache but I'm not sure
if SQL Injection is a generic enough attack to cause me worries once I
make the switch.

Also, I'm looking for ways to prevent hackers from stealing adult
content from my site.

....Bob
http://SinBuzz.com
[ For those who live in Sin ]

Jan 5 '07 #1
29 Replies


Quite a fair bit OT for this NG by the way...

> I'm curious about the best way to avoid SQL Injection attacks against
> my web server.

As a start, don't ever use string concatenation to build SQL
queries... use parameterised queries instead; this avoids most forms
of SQL injection regardless of the server / architecture.

ASP.Net can also help protect against various forms of script injection if
enabled.

As for stealing content: do you mean re-posting content that they do
have legitimate access to download? (in which case the answer is
probably legal rather than system), or blocking access to things they
don't have access to? (in which case you need to find out about the
IIS and/or ASP.Net security models [or for your chosen product]).
Alternatively, push all such downloads through a proxying page which
accepts a QS param referencing the content, verifies access via your
bespoke model, and then streams the headers and content.

Marc
Jan 5 '07 #2
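Marc's "proxying page" suggestion, written out as an added example; this is not code from the thread or from any of the posters. It is a bare WSGI handler in Python rather than an ASP.NET page, and the catalogue, session table and content bytes (CATALOGUE, SESSIONS, STORE) are constructed stand-ins for the site's own membership model and files on disk. The point it shows beyond the post: the query-string parameter is an opaque id that is looked up in a table, never used as a path, so a crafted id cannot reach a file outside the catalogue; the session is checked before the id is revealed to exist; the tier check runs before a single content byte is read; and the response is marked private/no-store so a shared cache cannot hand the file to the next visitor.

```python
from http import HTTPStatus
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed catalogue (hypothetical ids). The client only ever sees the id
# on the left; the file it maps to is resolved server-side, so an id such as
# "../../etc/passwd" can only miss the table, never escape a directory.
CATALOGUE = {
    "v1001": {"tier": "premium", "type": "video/mp4", "filename": "clip1001.mp4"},
    "p2002": {"tier": "free", "type": "image/jpeg", "filename": "preview2002.jpg"},
}

# Constructed content bytes standing in for files on disk, so the example
# runs offline; a real handler would open the path stored with the catalogue row.
STORE = {
    "v1001": b"\x00\x00\x00\x18ftypmp42",
    "p2002": b"\xff\xd8\xff\xe0\x00\x10JFIF",
}

# Constructed session table (token -> user, tier) standing in for the site's
# own membership model.
SESSIONS = {"tok-premium": ("alice", "premium"), "tok-free": ("bob", "free")}
TIER_RANK = {"free": 0, "premium": 1}


def _deny(start_response, status):
    start_response(f"{status.value} {status.phrase}",
                   [("Content-Type", "text/plain"), ("Cache-Control", "no-store")])
    return [status.phrase.encode()]


def download_app(environ, start_response):
    """WSGI handler: authenticate, look up the opaque id, check the tier, stream."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookies["session"].value if "session" in cookies else ""
    session = SESSIONS.get(token)
    if session is None:
        # Unauthenticated callers learn nothing about which ids exist.
        return _deny(start_response, HTTPStatus.UNAUTHORIZED)

    qs = parse_qs(environ.get("QUERY_STRING", ""))
    content_id = qs.get("id", [""])[0]
    item = CATALOGUE.get(content_id)
    if item is None:
        return _deny(start_response, HTTPStatus.NOT_FOUND)

    # Entitlement check happens before any content byte is read.
    _user, tier = session
    if TIER_RANK[tier] < TIER_RANK[item["tier"]]:
        return _deny(start_response, HTTPStatus.FORBIDDEN)

    body = STORE[content_id]
    start_response("200 OK", [
        ("Content-Type", item["type"]),
        ("Content-Length", str(len(body))),
        ("Content-Disposition", f'attachment; filename="{item["filename"]}"'),
        # Keep shared caches and proxies from serving the file to other users.
        ("Cache-Control", "private, no-store"),
    ])
    return [body]


def request(query_string, cookie=None):
    """Drive the handler with a constructed WSGI environ (no server needed)."""
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    if cookie is not None:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(download_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for query, cookie in [("id=v1001", "session=tok-premium"),
                          ("id=v1001", "session=tok-free"),
                          ("id=v1001", None),
                          ("id=../../etc/passwd", "session=tok-premium")]:
        status, _, _ = request(query, cookie)
        print(f"{query!r:24} {cookie!r:22} -> {status}")
```

The same handler would sit behind a real web server with the content directory outside the document root, so that the only route to the bytes is this page; if the files are also reachable by a direct URL, the check is decorative.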

At 5 Jan 2007 01:12:22 -0800 si*****@gmail.com wrote:
> Hi,
>
> I'm curious about the best way to avoid SQL Injection attacks against
> my web server.
>
> Currently I'm on IIS.
>
> I might be willing to switch to something like Apache but I'm not sure
> if SQL Injection is a generic enough attack to cause me worries once I
> make the switch.

I believe the SQL Injection attacks are unique to IIS. Switching to
Apache would be a smart move.

> Also, I'm looking for ways to prevent hackers from stealing adult
> content from my site.

Apache + Linux.

> ...Bob
> http://SinBuzz.com
> [ For those who live in Sin ]

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Linux Installation and Administration
http://www.deepsoft.com/ -- Web Hosting, with CGI and Database
he****@deepsoft.com -- Contract Programming: C/C++, Tcl/Tk

Jan 5 '07 #3

Hi Marc,

>> I'm curious about the best way to avoid SQL Injection attacks against
>> my web server.
>
> As a start, don't ever use string concatenation to build SQL queries...
> use parameterised queries instead; this avoids most forms of SQL injection
> regardless of the server / architecture.

I'm unaware of any other forms of SQL injection other than what can occur
when SQL is concatenated from the usual hard-coded SQL strings and user
input. Parameterized queries should solve the problem completely.

Am I missing something?

<snip>

--
Dave Sexton
http://davesexton.com/blog
Jan 5 '07 #4

I was hedging... I agree - I just didn't want to specify it as an
absolute ;-p

Marc
Jan 5 '07 #5

Hi Robert,

IIS has nothing to do with SQL injection attacks, which can occur when your
code constructs an SQL statement based on hard-coded SQL and user input.
This can occur on any development platform, in any language and on any
server.

It's simply a matter of design.

--
Dave Sexton
http://davesexton.com/blog

"Robert Heller" <he****@deepsoft.com> wrote in message
news:9d**************************@news.news-service.com...
<snip>

Jan 5 '07 #6

si*****@gmail.com wrote:
> Hi,
>
> I'm curious about the best way to avoid SQL Injection attacks against
> my web server.
>
> Currently I'm on IIS.
>
> I might be willing to switch to something like Apache but I'm not sure
> if SQL Injection is a generic enough attack to cause me worries once I
> make the switch.
>
> Also, I'm looking for ways to prevent hackers from stealing adult
> content from my site.
>
> ...Bob
> http://SinBuzz.com
> [ For those who live in Sin ]

This is a programming issue rather than a MSSQL or MySQL issue, any form
that uses a dynamically generated query string from user input can be used
for this sort of attack.

The users enter '*' or an equation that resolves to 'true' such as '1=1'.

So the dynamic sql could be something like,
UserInput = '*'
SELECT * FROM usernames WHERE name='UserInput';

That is obviously not what the programmer intended the users to be able to
do. After login, the same system can be used to collect the entire
structure of the database and possibly even go as far as being able to
adjust grants. Because of SQL's ability to multi query, the UserInput can
be a query too, an UPDATE query for example within a SELECT query.

MySQL would be just as vulnerable as MSSQL in this, because it isn't the
fact that SQL is doing anything wrong, all that is wrong is that there is
no validation between the user input and the actual query.

No decent programmer allows any interaction with a database without the
validation phase.

SQL | validation | user form

How or where that is done is up to the programmer. I have seen some very
weak validation done in javascript, better in java but best of all on
the server with the validation code out of scope of the public side of the
web site.

Dynamic SQL will always have a place, because it is so useful, but always
create the SQL at the server side and ALWAYS combine it with a server side
validation, possibly only ever using stored procedures for this. After all
you must know what is valid for a field so the invalid should be easy to
pick out.

Although I said that this is not a MSSQL issue, there is one important point
that has separated most MySQL and MSSQL to make such weak code less likely
on a UNIX/Linux platform.

PHP tutorials, even from the earliest lessons always take you through a
validation phase, whether there is a SQL database involved or not, right
from your first tutorial of the type 'What is your name?', you are taught
to validate the input from the textBox, even in this case if it is only to
check a name was entered, then you are taken forward into making sure data
is in a range or of a certain type.

So that when the student comes to involving MySQL in their programs they
will think in terms of validation automatically. MSSQL, even its own
generated code from its .net2 GUI, does not include any validation, you
are free to enter anything at all, even in the supposedly secure login
tool. So yes, MS are responsible for this weakness and very likely the vast
majority of code written using MS's .net2 GUI tool is susceptible.

But MySQL could be just as weak if you do not have a validation layer
between the user input and the database engine.

Jan 5 '07 #7

__/ [ Dave Sexton ] on Friday 05 January 2007 10:45 \__
"Robert Heller" <he****@deepsoft.com> wrote in message
news:9d**************************@news.news-service.com...
<snip>

In case it helps judgment, Microsoft-Watch switched from Windows/IIS to Red
Hat GNU/Linux/Apache last month. The only thing going for Windows/IIS is
brochures.

Best wishes,

Roy

--
~~ Best wishes for the new year!

Roy S. Schestowitz | "Avoid missing ball for higher score"
http://Schestowitz.com | RHAT GNU/Linux ¦ PGP-Key: 0x74572E8E
11:00am up 78 days 21:14, 6 users, load average: 1.67, 1.40, 1.06
http://iuron.com - help build a non-profit search engine
Jan 5 '07 #8

Jay
Why do parameterise queries help? If someone could come up with a quick example, perhaps that would
show me?

Thanks in anticipation...

"Marc Gravell" <ma**********@gmail.com> wrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
<snip>

Jan 5 '07 #9

Simple; in a parameterised query the RDBMS knows that the
parameterised token (be it "?" or "@something") represents a value,
and does not treat it as literal replacement - e.g.

string sql = "SELECT * FROM CUSTOMER WHERE Name = ?";

Then it doesn't matter what the parameter value contains...
string sql = "SELECT * FROM CUSTOMER WHERE Name = '" + name + "'";

In the latter, the "O'Reilly" family will cause problems, but not
nearly as much trouble as the "O' DELETE FROM CUSTOMER" family...

Marc
Jan 5 '07 #10
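Marc's two C# lines above, run end to end as an added example (not code from the thread or from any poster). It uses Python's sqlite3 driver instead of ADO.NET so that it runs anywhere with no database server, which is itself the thread's point: the defect lives in how the application builds the statement, not in IIS, Apache, MSSQL or MySQL. The customer table and its rows are constructed sample data. Each lookup is done twice, once by concatenation and once with a bound `?` parameter, against three inputs: the honest "O'Reilly", the `1=1`-style tautology mentioned in post #7, and a UNION payload that pulls a column the query never meant to return.

```python
import sqlite3

# Constructed sample table (not data from the thread).
ROWS = [("Alice", "pw-a"), ("Bob", "pw-b"), ("O'Reilly", "pw-o")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the user's text becomes part of the SQL program."""
    sql = "SELECT name FROM customer WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Safe: '?' is a bound value; the SQL parser never sees the user's text."""
    sql = "SELECT name FROM customer WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    out = {}

    # 1. An honest apostrophe. Concatenation produces
    #    ... WHERE name = 'O'Reilly'   -> unbalanced quote, syntax error.
    try:
        out["concat_oreilly"] = lookup_concat(conn, "O'Reilly")
    except sqlite3.OperationalError:
        out["concat_oreilly"] = "syntax error"
    out["param_oreilly"] = lookup_param(conn, "O'Reilly")

    # 2. Tautology: ... WHERE name = '' OR '1'='1'   -> every row comes back.
    tautology = "' OR '1'='1"
    out["concat_tautology"] = lookup_concat(conn, tautology)
    out["param_tautology"] = lookup_param(conn, tautology)

    # 3. UNION: ... WHERE name = '' UNION SELECT secret FROM customer --'
    #    The result set now carries a column the code never meant to expose;
    #    the trailing -- comments out the closing quote the code appended.
    union = "' UNION SELECT secret FROM customer --"
    out["concat_union"] = lookup_concat(conn, union)
    out["param_union"] = lookup_param(conn, union)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

With the bound parameter, all three inputs are simply names that match nothing (or, for O'Reilly, exactly one row), because the value travels to the engine separately from the statement text. One caveat: Python's sqlite3 executes a single statement per call, so the stacked `DELETE` in Marc's last line cannot be reproduced here; the tautology and UNION payloads show the same loss of control inside one statement, which is what most real injections rely on anyway.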

Jay
Thanks Marc, that's made it crystal clear.

Jay
"Marc Gravell" <ma**********@gmail.com> wrote in message
news:em*************@TK2MSFTNGP04.phx.gbl...
<snip>

Jan 5 '07 #11

si*****@gmail.com wrote:
> Hi,
>
> I'm curious about the best way to avoid SQL Injection attacks against
> my web server.

Marked as off-topic spam, Roy Schestowitz.

Please keep posts on-topic to the charter of this newsgroup; Linux
advocacy. Failing to do so disrupts
the group, floods it with off-topic spam and plays a part in ruining the
medium for everyone.

Please exercise some newsgroup etiquette, Roy Schestowitz. See:

http://www.faqs.org/faqs/usenet/posting-rules/part1/
Jan 5 '07 #12

["Followup-To:" header set to comp.os.linux.advocacy.]
On 2007-01-05, Robert Heller <he****@deepsoft.com> wrote:
> At 5 Jan 2007 01:12:22 -0800 si*****@gmail.com wrote:
> I believe the SQL Injection attacks are unique to IIS. Switching to
> Apache would be a smart move.

Nope. SQL injection attacks are against web applications, not web
servers. Whether you are running IIS or Apache is irrelevant. In
practice, SQL injections attacks against poorly written PHP applications
running on Apache are very common. Such widespread PHP applications as
wordpress and phpBB have been vulnerable, for example.
Jan 5 '07 #13

In comp.os.linux.advocacy si*****@gmail.com wrote:
> Hi,
>
> I'm curious about the best way to avoid SQL Injection attacks against
> my web server.
>
> Currently I'm on IIS.
>
> I might be willing to switch to something like Apache but I'm not sure
> if SQL Injection is a generic enough attack to cause me worries once I
> make the switch.
>
> Also, I'm looking for ways to prevent hackers from stealing adult
> content from my site.
>
> ...Bob
> http://SinBuzz.com
> [ For those who live in Sin ]

Hi, if you don't understand that an SQL injection attack has nothing to
do with what is discretely known today as a *webserver* in the line of
IIS or Apache, but instead what is discretely known today as a *database*
in the line of Oracle or MSSQL, then you need to SHUT THE FUCK UP AND
GO THE FUCK AWAY, ASSHOLE.

kthx,


-----yttrx

--
http://www.yttrx.net

Jan 5 '07 #14

In comp.os.linux.misc si*****@gmail.com wrote:
: Also, I'm looking for ways to prevent hackers from stealing adult
: content from my site.

Aside from taking your machine off the net there is no 100% foolproof
way to stop a determined cracker from getting into your system.
Best you can do is to make it difficult.

Stan
--
Stan Bischof ("stan" at the below domain)
www.worldbadminton.com
Jan 5 '07 #15

ed
On Fri, 5 Jan 2007 05:45:23 -0500
"Dave Sexton" <dave@jwa[remove.this]online.com> wrote:
> Hi Robert,
>
> IIS has nothing to do with SQL injection attacks, which can occur
> when your code constructs an SQL statement based on hard-coded SQL
> and user input. This can occur on any development platform, in any
> language and on any server.

I think he is confusing it with the SQL worms from SQLServer.

--
Regards, Ed :: http://www.ednevitable.co.uk
just another python hacker
In an episode of Pokémon that never made it to the states Vin Diesel
rapes Ash’s mom.
Jan 5 '07 #16

st**@worldbadminton.com burped up warm pablum in
news:11**************@newsreg.cos.agilent.com:
> In comp.os.linux.misc si*****@gmail.com wrote:
> : Also, I'm looking for ways to prevent hackers from stealing adult
> : content from my site.
>
> Aside from taking your machine off the net there is no 100% foolproof
> way to stop a determined cracker from getting into your system.
> Best you can do is to make it difficult.

There are several ways to prevent stealing content. One way is to make
everything free so there is no loss. Not exactly what the OP wants to
hear but...someone named Paul could access all of your content by paying
for one monthly subscription. Everybody else could take content from
Paul. Now you've got one subscriber per month and all of your content
available from Paul for free.

--
Tris Orendorff
[Q: What kind of modem did Jimi Hendrix use?
A: A purple Hayes.]
Jan 8 '07 #17

st**@worldbadminton.com wrote:
> In comp.os.linux.misc si*****@gmail.com wrote:
> : Also, I'm looking for ways to prevent hackers from stealing adult
> : content from my site.
>
> Aside from taking your machine off the net there is no 100% foolproof
> way to stop a determined cracker from getting into your system.
> Best you can do is to make it difficult.

I am sure there are a few netbanks around the world
that will be sorry to hear that.

Arne
Jan 9 '07 #18

Arne Vajhøj wrote:
> st**@worldbadminton.com wrote:
>> In comp.os.linux.misc si*****@gmail.com wrote:
>> : Also, I'm looking for ways to prevent hackers from stealing adult
>> : content from my site.
>>
>> Aside from taking your machine off the net there is no 100% foolproof
>> way to stop a determined cracker from getting into your system.
>> Best you can do is to make it difficult.
>
> I am sure there are a few netbanks around the world
> that will be sorry to hear that.

They know it already. They spend a fortune on guarding against it.
Arne
Jan 9 '07 #19

The Natural Philosopher wrote:
> Arne Vajhøj wrote:
>> st**@worldbadminton.com wrote:
>>> In comp.os.linux.misc si*****@gmail.com wrote:
>>> : Also, I'm looking for ways to prevent hackers from stealing adult
>>> : content from my site.
>>>
>>> Aside from taking your machine off the net there is no 100% foolproof
>>> way to stop a determined cracker from getting into your system.
>>> Best you can do is to make it difficult.
>>
>> I am sure there are a few netbanks around the world
>> that will be sorry to hear that.
>
> They know it already. They spend a fortune on guarding against it.

If they knew that it would not work, then they would
not spend the money (or even have money to spend).

Arne
Jan 11 '07 #20

>> They know it already. They spend a fortune on guarding against it.
> If they knew that it would not work, then they would
> not spend the money (or even have money to spend).

That is a bit like saying "you can't 100% protect a bank with security
guards, cameras, dye-packs, auto-police-calls, panic buttons and
high-speed shutters; therefore we won't bother with any of those
things, and we won't open".

They make it as difficult to abuse as possible, and as traceable as
possible; law enforcement, insurance and recovery still have a part to
play, however.

Marc

Jan 11 '07 #21

Marc Gravell wrote:
>>> They know it already. They spend a fortune on guarding against it.
>> If they knew that it would not work, then they would
>> not spend the money (or even have money to spend).
>
> That is a bit like saying "you can't 100% protect a bank with security
> guards, cameras, dye-packs, auto-police-calls, panic buttons and
> high-speed shutters; therefore we won't bother with any of those
> things, and we won't open".
>
> They make it as difficult to abuse as possible, and as traceable as
> possible; law enforcement, insurance and recovery still have a part to
> play, however.
>
> Marc

Yep. The best one I saw in a security audit was a guy with a SUN
workstation on his desk (and on the private internal network) with a
dial in modem permanently wired to a DDI line.

You want to steal customer lists?

Easy. Just work in their accounts department for 6 months.
Jan 11 '07 #22

> Robert Heller wrote:
>> I believe the SQL Injection attacks are unique to IIS. Switching to
>> Apache would be a smart move.

I'm sure this has been said but IIS or Apache have nothing to do with
SQL injections. Both can allow it and both can prevent it.

>> Also, I'm looking for ways to prevent hackers from stealing adult
>> content from my site.
>
> Apache + Linux.

I am curious on how Apache + Linux keeps someone from stealing content?
To prevent (or try to prevent) someone from stealing you have to take
precautions and code your site in a smart manner. Strongest padlock in
the world won't help if you leave the key in it.

cbmeeks
http://www.codershangout.com

Jan 11 '07 #23

Marc Gravell wrote:
>>> They know it already. They spend a fortune on guarding against it.
>> If they knew that it would not work, then they would
>> not spend the money (or even have money to spend).
>
> That is a bit like saying "you can't 100% protect a bank with security
> guards, cameras, dye-packs, auto-police-calls, panic buttons and
> high-speed shutters; therefore we won't bother with any of those
> things, and we won't open".
>
> They make it as difficult to abuse as possible, and as traceable as
> possible; law enforcement, insurance and recovery still have a part to
> play, however.

So you also believe that a sufficiently skilled hacker could
break into any bank's systems?

Why don't they ?

The chance for being caught would be small and getting away
with a couple of billion dollars could tempt some ...

Arne
Jan 12 '07 #24

Not necessarily 'any' bank's systems. But certainly some bank's systems.

They try, continually.
"Arne Vajhøj" <ar**@vajhoej.dk> wrote in message
news:45***********************@news.sunsite.dk...
<snip>

Jan 12 '07 #25

Arne Vajhøj wrote:
> Marc Gravell wrote:
>>>> They know it already. They spend a fortune on guarding against it.
>>> If they knew that it would not work, then they would
>>> not spend the money (or even have money to spend).
>>
>> That is a bit like saying "you can't 100% protect a bank with security
>> guards, cameras, dye-packs, auto-police-calls, panic buttons and
>> high-speed shutters; therefore we won't bother with any of those
>> things, and we won't open".
>>
>> They make it as difficult to abuse as possible, and as traceable as
>> possible; law enforcement, insurance and recovery still have a part to
>> play, however.
>
> So you also believe that a sufficiently skilled hacker could
> break into any bank's systems?

Yes. One way or another, they could.

> Why don't they?

Because it's a darned sight easier to phish accounts. No special
technical skill required.

And how do you know they have not already done so anyway?

> The chance for being caught would be small and getting away
> with a couple of billion dollars could tempt some ...

Someone probably has, but one thing is for sure: No bank will admit it.

But the chances are actually quite high to get caught.. at some stage the
money goes somewhere.. and accounts are traceable as are all transactions.

Why do you think it's so hard to open an account these days? Money
laundering for terrorists? Rubbish. It's so that clever hackers (probably
working INSIDE the bank) can't channel funds into anonymous bank accounts.

I heard of one case yesterday here in the UK where the person in charge
of automatic payments in a company changed the sort code details of
some payments to THEIR account. The NAMES remained the same. No one
spotted the number changes until he had cleaned up over £100,000. He
went to jail, but the bank refused to refund the money.
Arne
Jan 12 '07 #26

Hi Arne,

If you count social engineering, then anything is possible :)

--
Dave Sexton
http://davesexton.com/blog

"Arne Vajhøj" <ar**@vajhoej.dk> wrote in message
news:45***********************@news.sunsite.dk...
<snip>

Jan 12 '07 #27

Stephany Young wrote:
> Not necessarily 'any' bank's systems. But certainly some bank's systems.
>
> They try, continually.

I agree on that one.

There are some systems with security holes. It could even be
the majority of the systems.

But they are not easy to find even for a determined hacker.

Arne
Jan 13 '07 #28

Stephany Young wrote:
> Not necessarily 'any' bank's systems. But certainly some bank's systems.

I was just objecting to the claim that it was impossible to
keep a determined hacker out.

Arne
Jan 13 '07 #29

The Natural Philosopher wrote:
> Arne Vajhøj wrote:
>> So you also believe that a sufficiently skilled hacker could
>> break into any bank's systems?
>
> Yes. One way or another, they could.
>
>> Why don't they?
>
> Because it's a darned sight easier to phish accounts. No special
> technical skill required.

But why settle for a couple of thousands here and there
from careless users instead of taking a billion or two if
you have the skills?

>> The chance for being caught would be small and getting away
>> with a couple of billion dollars could tempt some ...
>
> Someone probably has, but one thing is for sure: No bank will admit it.

I don't believe in X-files, Area 51, UFO's etc..

> But the chances are actually quite high to get caught.. at some stage the
> money goes somewhere.. and accounts are traceable as are all transactions.

It seems easier to me to clear the trails of a single huge money
transfer from hacking a bank, than of dozens or hundreds of small
money transfers from phishing.

> Why do you think it's so hard to open an account these days? Money
> laundering for terrorists? Rubbish. It's so that clever hackers (probably
> working INSIDE the bank) can't channel funds into anonymous bank accounts.
>
> I heard of one case yesterday here in the UK where the person in charge
> of automatic payments in a company changed the sort code details of
> some payments to THEIR account. The NAMES remained the same. No one
> spotted the number changes until he had cleaned up over £100,000. He
> went to jail, but the bank refused to refund the money.

Inside jobs are much harder to protect against. And they do happen
occasionally.

Arne
Jan 13 '07 #30
