Protection from SQL Injection

I just finished watching a short video on YouTube of a 13-year-old kid showing people how to hack into a retail Web site. It only took him a couple of minutes and one simple technique to gain access to their customers’ personal information—including credit card numbers. I guess you can never tell whether or not a YouTube video is staged or rigged to make it appear to be more than it actually is; however, the method he demonstrated, while simple, is effective and can be used to exploit security holes in Web sites left open by sloppy programming.

How did he do it? He used a SQL Injection Attack. He knew that if he entered an escape character followed by a simple SQL statement into a form on the site, the site would create a query on the fly, incorporate his raw input, and pass it to the database. In his demonstration he extended the login and password by entering an escape character that instructed the database to treat his input as a SQL statement. Then he entered an “or” statement that would always resolve to true. So when the well-meaning database processed his credentials, it granted him full access to the site based on the truth of the “or” condition he’d entered.

So what’s the solution? Your site should always validate user input. Additionally, it is easy for savvy users to manipulate data and bypass security measures enabled on the client, so to be safe you must perform the validation on the server. To keep your site secure from this type of attack, you should check the size, type, format, and value range of the data to ensure it is what you expected and filter out escape characters that could be interpreted as a command by a database engine or any other Web application.
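The login check described above, written as an added example that is not from the original post: a query built on the fly from raw input, beside a server-side version that checks size and format and passes the values as query parameters. The table, the function names and the sample input are constructed for illustration, and SQLite stands in for the site's database.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory database.
    The plain-text password keeps the sample short; real tables store a hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable: raw input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

# Server-side check of size and format before the value is used.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def login_checked(db, name, password):
    """Validated input plus a parameterized query: the values travel
    separately from the SQL text, so they are only ever compared as data."""
    if not NAME_RE.fullmatch(name) or not 1 <= len(password) <= 128:
        return False
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row is not None

def demo():
    db = make_db()
    always_true = "' OR '1'='1"  # constructed input of the kind described above
    return {
        "concat_valid": login_concatenated(db, "alice", "s3cret"),
        "concat_injected": login_concatenated(db, "alice", always_true),
        "checked_valid": login_checked(db, "alice", "s3cret"),
        "checked_injected": login_checked(db, "alice", always_true),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The password is length-checked but not character-filtered, so the last case is denied by the parameter binding alone.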

What’s one of the easiest ways to validate user input on the server and check for SQL injection attacks? UrlScan 3.0. This handy utility can be set up to act as a global or site-level filter to check HTTP requests and to block harmful requests from being processed. In addition to being a practical tool for preventing SQL injection attacks, UrlScan 3.0 can be configured to restrict access to a variety of HTTP requests that could potentially cause damage to your Web site. UrlScan 3.0 is easy to download and configure, and IIS 5.1 and later support it. You can download UrlScan 3.0 from the IIS.Net Download page.

3 Comments

  • If a site is written correctly SQL injection should not be an issue at all. The basic steps that should be taken include...

    1. Always use parameterised Queries or Stored Procedures.
    2. The SQL login used by the scripts in the site should only have access to do what is required and nothing more. For example, if the site user only requires access to a limited sub-set of stored procedures, ensure that these stored procedures are all it can access.

    All the user input validation in the world cannot fully protect against SQL injection. However, if you religiously follow these 2 basic principles it will.

    Basically the only reason SQL injection works, is because sites dynamically create arbitrary SQL using hard coded strings combined with user entered data and pass. The problem here is that there's always the possibility that the user entered data can contain SQL commands.

    If instead you use parameterised queries then the user entered data is only ever treated as data, never SQL commands, so basically it can contain whatever it likes and it won't be harmful.

  • Thanks guys. Very helpful.

  • URLScan is a great defense mechanism for web server attacks, but I have found that it is not flexible enough to defend against web application-level attacks like SQL Injection. The group I work with just released a free module for IIS (called SPF) that provides a flexible mechanism for blocking malicious requests. It provides coverage options for Query Strings, POST data and Cookies (whereas URL Scan is limited to just Query Strings). It also supports use of regular expressions to define malicious input sequences.

    SPF for IIS is available for free and can be downloaded from our website: http://www.gdssecurity.com/l/b/category/tools/

    You can also find out more about it from the following Blog post: http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/
