I just finished watching a short video on YouTube of a 13-year-old kid showing people how to hack into a retail Web site. It only took him a couple of minutes and one simple technique to gain access to their customers’ personal information—including credit card numbers. I guess you can never tell whether or not a YouTube video is staged or rigged to make it appear to be more than it actually is; however, the method he demonstrated, while simple, is effective and can be used to exploit security holes in Web sites left open by sloppy programming.
How did he do it? He used a SQL Injection Attack. He knew that by entering an escape character followed by a simple SQL statement into a form on the site it would create a query on the fly, incorporate his raw input, and pass it to the database. In his demonstration he extended the login and password by entering an escape character that instructed the database to treat his input as a SQL statement. Then he entered an ”or” statement that would always resolve to true. So when the well-meaning database processed his credentials, it granted him full access to the site based on the truth of the “or” condition he’d entered.
So what’s the solution? Your site should always validate user input. Additionally, it is easy for savvy users to manipulate data and bypass security measures enabled on the client, so to be safe you must perform the validation on the server. To keep your site secure from this type of attack, you should check the size, type, format, and value range of the data to ensure it is what you expected and filter out escape characters that could be interpreted as a command by a database engine or any other Web application.
What’s one of the easiest ways to validate user input on the server and check for SQL injection attacks? UrlScan 3.0. This handy utility can be set up to act as a global or site-level filter to check HTTP requests and to block harmful requests from being processed. In addition to being a practical tool for preventing SQL injection attacks, UrlScan 3.0 can be configured to restrict access to a variety of HTTP requests that could potentially cause damage to your Web site. UrlScan 3.0 is easy to download and configure and IIS 5.1 and later supports it. You can download UrlScan 3.0 from the IIS.Net Download page.