How to protect yourself against the latest SQL Injection

Source: Internet
Author: User
How to protect yourself against the latest SQL Injection

Now it's time to rejoice and be positive. Following my different posts about the latest SQL injection attacks, I got all sort of comments.

Roughly half of the commenters saying I am a moron, why you don't go back to school and protect your databases, it's all your fault, don't blame our Microsoft!

The other half being more positive and more indulgent and trying to know more about the threat, even thanking me for breaking the news.

I feel myself closer to the latter crowd, because those are the guys who share the pain, and like to see some answers, rather than being just plain negative.

Yes I admit I was strong in the headline of my first post on the subject, but the message was towards Microsoft, to make them moving a bit. yes I am some time opinionated but it's always for the good cause. and I got the reaction I wanted from Microsoft, with different replies, all positive.

Now back to the problem of SQL injection. I think that the new threat posed by the trojan recently is that it used a flaw in Internet Explorer to be able to expose a cookie to a request stream and execute some SQL command. basically what the T-SQL do is reading the sysobjects table from the master table, and paste inormation in a temporary table, using this infoemation to get all the details about tables and text fields, then populating the tables randomly with some Javascript script.

Really nasty! Anyway the only way I was able to block it was to create a low level access user for my front end web application, and revoking execute rights for this particle user at the server level.

Not enough, you need also to remove the execute rights at the master table level. I tried to remove the full access to the master table for this user, but for some unknown reasons, ADO. net needs to have some access to this table, probably in the case like mine where I use executescalar.

Another approach wocould be to use a Windows user running on low level, but it didn't work for me, the connection was refused with this message:

Login Failed for user 'nt Authority \ anonymous logon '.If anyone knows more about that let me know?

So far it had workame for me and I encourage everyone to do the same. Now I wish that in the future, Microsoft release a version of SQL Server with all the dangerous things disabled by default.

After all, they did that with Windows Server 2008, and it has been an enormous relief to manage a server where you know that everything you don't need is locked down.

Finally even if I have some good knowledge of SQL Server, I wish they cocould make the security settings a tad more easier to manage and understand. I like the granualrity approach, but it's a little bit complicated for some basc stuff (try to understand the difference between Grant and with Grant !)

Update: As one reader points out you need to check or add some attributes in your config files, like forcing cookies to be in HTTPOnly mode.

Check Liam post for the details and more security locks.

 

Read more:

-Revoke command http://msdn.microsoft.com/en-us/library/ms187719 (SQL .90). aspx

-Protect from SQL Injection http://msdn.microsoft.com/en-us/library/ms998271.aspx

-Vulnerability in Internet Explorer cocould allow remote code execution by Roger halbheer

Http://blogs.technet.com/rhalbheer/archive/2008/12/13/vulnerability-in-internet-explorer-could-allow-remote-code-execution.aspx

 

Reprinted from: http://weblogs.asp.net/pleloup/archive/2008/12/20/how-to-protect-yourself-against-the-latest-sql-injection.aspx

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.