October 22, 2003 at 3:13 am
Over the past few days I have been looking much more closely at trying to prevent SQL injection attacks. I write with ASP and now some .NET. In my old ASP pages I had a function that was included in all pages that changed any ' to '' and removed all ; and other very bad injection phrases.
Was wondering if there was any built-in process in MS SQL for commenting out such things, or anything specific in .NET.
There seem to be such dire consequences if this security hole is left open, but very little discussion of it generally.
Any advice gratefully received.
Rolf
October 22, 2003 at 4:17 am
One premier source of information on SQL security is http://www.sqlsecurity.com. It contains several further links to white papers on injection, password cracking, and so on.
In addition you should consider joining some general Windows security mailing lists like http://www.ntbugtraq.com or others, because these go hand in hand.
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
October 22, 2003 at 4:25 am
NGS Software have two very good papers on injection. Well worth a read.
http://www.nextgenss.com/papers.html
Steven
October 22, 2003 at 4:30 am
I don't have access to newsgroups at work, but does Microsoft still run its own security newsgroup?
Frank
October 22, 2003 at 4:37 am
Frank,
MS provide the newsgroups via HTTP as well as NNTP, hence you should be able to get to them.
http://www.microsoft.com/sql/community/newsgroups/default.asp
Steven
October 22, 2003 at 5:13 am
Yes, Steven, you're right. I remember, but prefer to forget. The browser interface is really a mess, IMHO.
Frank
October 22, 2003 at 6:15 am
Finally found this again:
http://xforce.iss.net/xforce/maillists/otherlists.php
The advantage is that they describe, and offer subscription facilities to, many of the important lists in one place.
Frank
October 22, 2003 at 7:40 am
This may not be possible depending on what you are doing, but one approach is to make sure that all interaction with the database is done using stored procedures (no dynamic SQL anywhere). Then make sure that the 'public' user (whatever the application or IIS server logs into SQL as) only has execute permission on the relevant SPs and no other permissions.
October 22, 2003 at 8:43 am
Stored procedures are the way to go to prevent SQL injection.
Parsing out 'dangerous' characters could achieve a relatively high level of security, but it does impact the possibilities for a user (e.g. entering a ';' in a string somewhere).
BTW, don't forget to turn off debug information in your .NET projects. This could give a malicious user a lot of info about your database. I think NGS has a white paper on this.
October 22, 2003 at 8:53 am
Stored procedures will help against SQL Injection, but it isn't the cure in and of itself. A savvy attacker could misuse stored procedures or execute queries against system tables where the public role does have SELECT rights to get more information about the system itself. Sometimes system reconnaissance is more valuable than the data.
Ultimately it comes back to an input validation issue on the application. Should the application not do the proper validation, there is little a SQL Server DBA can do to stop a SQL Injection attack. Sure, we can minimize it by ensuring the user connecting has absolutely minimal privileges (this should be done anyway according to the Principle of Least Privilege), but we can't stop the attack itself.
Another good source for more than just SQL Injection:
Another source from MSDN:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
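Pulling together the 7:40 am, 8:43 am and 8:53 am replies above (stored procedures, execute-only grants, and why a procedure on its own is not the cure), the following T-SQL is an added example and not code posted by anyone in the thread. The table dbo.Orders, the three procedures and the database user WebApp are hypothetical names chosen for the illustration; the syntax is the SQL Server 2000-era T-SQL the thread is about.

```sql
-- Added example for this thread (not code from any poster).
-- Assumes a hypothetical table dbo.Orders, three hypothetical procedures and a
-- hypothetical database user WebApp that the IIS/ASP side logs in as.

CREATE TABLE dbo.Orders (OrderID int NOT NULL, CustomerID int NOT NULL, ShipCity varchar(50) NOT NULL)
INSERT dbo.Orders VALUES (1, 42, 'Oslo')
INSERT dbo.Orders VALUES (2, 42, 'Bergen')
INSERT dbo.Orders VALUES (3, 77, 'Berlin')
GO

-- 1. "Use stored procedures" is not enough by itself: this one still splices its
--    argument into the statement text, so the caller's text is parsed as SQL.
CREATE PROCEDURE dbo.usp_Orders_Unsafe @Customer varchar(100)
AS
    DECLARE @sql nvarchar(4000)
    SET @sql = N'SELECT OrderID, ShipCity FROM dbo.Orders WHERE CustomerID = ' + @Customer
    EXEC (@sql)
GO
-- The value sits in a numeric context, so no quote and no semicolon is needed;
-- a filter that doubles ' and strips ; finds nothing to remove.
EXEC dbo.usp_Orders_Unsafe '0 OR 1=1'                                -- every order
EXEC dbo.usp_Orders_Unsafe '0 UNION SELECT 0, name FROM sysobjects'  -- object names: reconnaissance
GO

-- 2. Typed parameter and static SQL: the value is bound after the statement is
--    parsed, so it can only ever be compared, never executed.
CREATE PROCEDURE dbo.usp_Orders_ByCustomer @CustomerID int
AS
    SELECT OrderID, ShipCity FROM dbo.Orders WHERE CustomerID = @CustomerID
GO
EXEC dbo.usp_Orders_ByCustomer @CustomerID = 42      -- orders 1 and 2
-- EXEC dbo.usp_Orders_ByCustomer '0 OR 1=1'         -- fails: not convertible to int
GO

-- 3. When part of the statement really must be dynamic (here the sort column),
--    keep the value out of the text with sp_executesql and whitelist the identifier.
CREATE PROCEDURE dbo.usp_Orders_Dynamic @CustomerID int, @SortCol sysname
AS
    IF @SortCol NOT IN (N'OrderID', N'ShipCity')
        RETURN
    DECLARE @sql nvarchar(4000)
    SET @sql = N'SELECT OrderID, ShipCity FROM dbo.Orders WHERE CustomerID = @cid ORDER BY '
             + QUOTENAME(@SortCol)
    EXEC sp_executesql @sql, N'@cid int', @cid = @CustomerID
GO

-- 4. Least privilege for the web login: EXECUTE on the safe procedures and nothing else.
GRANT EXECUTE ON dbo.usp_Orders_ByCustomer TO WebApp
GRANT EXECUTE ON dbo.usp_Orders_Dynamic TO WebApp
-- Caveat: dynamic SQL (EXEC and sp_executesql) does not get the procedure's
-- ownership chain, so usp_Orders_Dynamic runs its SELECT with the caller's own
-- rights. WebApp would also need GRANT SELECT ON dbo.Orders, which widens the
-- grant; prefer the static form in step 2 wherever you can.
```

The reconnaissance line in step 1 is the point made in the 8:53 am reply: once a dynamic-SQL procedure forces you to grant table rights to the web login, the same login can read the system tables that `public` can select from by default, and the quote-doubling filter from the original question never sees the payload because it contains neither a quote nor a semicolon.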