Help please - Block SQL injection?



manning -> Help please - Block SQL injection? (2.Jul.2008 10:57:20 AM)

Our company website is now published behind the ISA 2006 server after many years of just sitting out in the wild on a lonely little server with nothing to protect it. Apparently I am not publishing it correctly through ISA though, because over the last 3 or 4 days somebody has injected code into the SQL backend of the website twice. I've been plowing through the logs trying to find how they got in, to no avail yet.

So to the point, how do I block this code injection? It appends a script to the end of every line for our website which in turn seems to try and install something called Generic Downloader.z or at least that is what McAfee calls it when it alerts me that my site is infected.

It is simple enough for me to just keep editing out the code, or restore over the tables, but that obviously doesn't fix anything really now does it.

Please, any help is appreciated.




paulo.oliveira -> RE: Help please - Block SQL injection? (2.Jul.2008 1:19:11 PM)

Hi,

Maybe you can take a look at these articles to help you protect your database:

A Secure SQL server
Hacking a SQL Server

Regards,
Paulo Oliveira.




manning -> RE: Help please - Block SQL injection? (2.Jul.2008 4:38:43 PM)

Hi,

Yes, I have a third party that is going to help sort out the SQL Server security part being as I am even more ignorant with SQL server than I am with ISA.

I guess what I am asking, not very well, is whether there is an ISA element that I should consider in this regard or if it is all just SQL hardening? From what I have read so far, firewalls don't really help as much as I thought they would in protecting a website that uses an SQL backend.




dbellion -> RE: Help please - Block SQL injection? (6.Jul.2008 9:26:18 PM)

Hi
Yes you can block sql injection strings.
If you right click a published website, go to Configure HTTP - there's a lot you can do here to secure your web server.
For SQL injection, use the Signatures tab. Add filters for Request URL and Request Body for common strings used in sql injection... eg:
select%20 (the %20 represents a space in signature field so type "select ")
delete%20
sp_
xp_
create table (type create table in signature field)
drop table
;-
|
^
..
char(
syscolumns
Search the web for SQL injection to learn more about it and to compile a list of strings you would want to block.
I also block other strings like "hkey", "c:", "d:", "regedit" etc...
Hope that helps as a starting point; it's worth getting external penetration testing to make sure you're covered.
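
Before enabling a signature list like the one in the post above, it can be dry-run against known-good requests to see which legitimate traffic it would block. This is an added example, not part of the original post and not ISA's own matching logic: the request URLs are constructed, and case-insensitive substring matching on the URL-decoded request is an assumption about how the filter compares strings.

```python
from urllib.parse import unquote

# Signature strings as listed in the post above (spaces typed literally).
SIGNATURES = [
    "select ", "delete ", "sp_", "xp_", "create table", "drop table",
    ";-", "|", "^", "..", "char(", "syscolumns",
]

# Constructed sample of known-good request URLs (not taken from the thread).
KNOWN_GOOD_REQUESTS = [
    "/products/list.asp?category=12",
    "/images/sp_banner.gif",
    "/search.asp?q=select%20committee%20report",
    "/catalog.asp?name=drop%20table%20hinges",
    "/search.asp?q=to%20be%20continued...",
    "/contact.asp",
]


def matching_signatures(url, signatures=SIGNATURES):
    """Return the signatures found in one request URL."""
    # Assumption: case-insensitive substring match on the decoded URL;
    # the real filter's comparison rules may differ.
    decoded = unquote(url).lower()
    return [sig for sig in signatures if sig.lower() in decoded]


def audit(requests, signatures=SIGNATURES):
    """Map each request that would be blocked to the signatures it hits."""
    hits = {url: matching_signatures(url, signatures) for url in requests}
    return {url: found for url, found in hits.items() if found}


def noisy_signatures(requests, signatures=SIGNATURES):
    """Count, per signature, how many known-good requests it would block."""
    counts = {}
    for found in audit(requests, signatures).values():
        for sig in found:
            counts[sig] = counts.get(sig, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for url, found in audit(KNOWN_GOOD_REQUESTS).items():
        print(f"would block {url!r}: {found}")
    print("false positives per signature:", noisy_signatures(KNOWN_GOOD_REQUESTS))
```

Feeding it the request URLs from the site's own web logs, from a period known to be clean, shows which signatures need narrowing before they go live.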




paulo.oliveira -> RE: Help please - Block SQL injection? (7.Jul.2008 7:33:55 AM)

Hi,

Thanks for the great tip! Now you can combine both for a hard level of security: blocking strings and hardening your database. ;)

Regards,
Paulo Oliveira.




manning -> RE: Help please - Block SQL injection? (7.Jul.2008 9:32:46 AM)

Wow! Awesome information there. Thank you very much, that is a great starting point.




tshinder -> RE: Help please - Block SQL injection? (7.Jul.2008 9:56:31 AM)

Hi D,

Great info!

Thanks!
Tom




manning -> RE: Help please - Block SQL injection? (11.Jul.2008 9:21:53 AM)

Hi,

I took a look at my web publishing rule for the site in question and I can't find what you mention below:

quote:

ORIGINAL: dbellion
If you right click a published website, go to Configure HTTP - there's a lot you can do here to secure your web server.
For SQL injection, use the Signatures tab.


I'm supposed to be looking at the rule, right? Not something in IIS on the web server? When I right click the web publishing rule for this site or any of my other sites I don't see anything in the popup menu about Configure HTTP, and when I select Properties I don't see anything under any of the tabs that takes me anywhere like what you describe. I'm lost. What am I missing? Do I need to create a Protocol definition and use that for this site instead of the default HTTP protocol?

ISA 2006 Standard.




tshinder -> RE: Help please - Block SQL injection? (11.Jul.2008 12:07:14 PM)

If you don't see the Configure HTTP option on the Web Publishing Rule, then someone unbound the Web Proxy Filter from the HTTP protocol. Reenable that to get the option back and make the changes, then you can unbind it again later.

HTH,
Tom




manning -> RE: Help please - Block SQL injection? (11.Jul.2008 2:16:02 PM)

Ah, I see now. Thanks




manning -> RE: Help please - Block SQL injection? (22.Jul.2008 4:18:42 PM)

OK, slightly off tangent, but still regarding SQL injection vulnerabilities. Was the recent wave of SQL injection attacks so different from earlier ones that a well written website would still have been vulnerable? By that I mean, if a site had been written a year ago taking into consideration SQL injection security issues at the time, would that have helped prevent the recent variant of attacks?



