This article is translated from a post on a Microsoft blog; the copyright of the original English version belongs to its author, which is hereby declared.
Since the second half of last year, many sites have been compromised: malicious HTML <script> tags have been injected into text stored in the SQL databases used to generate dynamic Web pages. Such attacks began to accelerate in the first quarter of 2008 and continue to affect vulnerable Web applications.
These Web applications have the following in common:
- They use classic ASP code
- They use SQL Server databases
- Their application code dynamically generates SQL queries from the URI query string (for example, http://consoto.com/widgets.asp)
This represents a new approach to SQL injection (http://msdn.microsoft.com/en-us/library/ms161953.aspx). In the past, a SQL injection attack targeted one specific Web application: the attacker knew, or could probe for, the vulnerabilities or structure of its backend database. The attack described in this article is different because it is generic: any ASP page that builds a SQL query dynamically from the URI query string may be affected. More technical details and simple sample code are available at http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx.
Instead of exploiting vulnerabilities in Windows, IIS, SQL Server, or other underlying code, this attack exploits vulnerabilities in code written by programmers that runs on those platforms. Microsoft has investigated these attacks thoroughly and found that they are unrelated to patches or 0-day vulnerabilities in Microsoft products. You can find more information at:
As noted above, these attacks have been increasing recently. At least two factors contribute to this:
First, there are automated attack tools that carry out this kind of operation in bulk. SANS discussed one such tool at http://isc.sans.org/diary.html?storyid=4294; it uses search engines to find sites with SQL injection vulnerabilities.
Second, one or more botnets are carrying out SQL injection attacks to spread their bot more widely. SecureWorks discussed one such case at http://www.secureworks.com/research/threats/danmecasprox/.
Once a server is found to be vulnerable, a malicious <script> tag pointing to a .js file is inserted. Although the contents of these files vary, they attempt to exploit vulnerabilities in Microsoft products that have already been patched, or vulnerabilities in third-party ActiveX controls. Because the scripts are stored separately from the injected tag, they are easy to update to target newer client-side vulnerabilities and easy to customize for different browsers.
Advice for IT and database administrators
There are many things an IT administrator or database administrator can do to reduce risk and to respond to incidents that may occur in their code and platform:
- Check the IIS logs and database tables for signs of compromise.
Because the attack uses the URI query string, administrators can inspect the IIS logs for unusual requests that attempt to exploit the vulnerability. Details on how to do this manually are at http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx. A tool that automates the check is available at http://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=WSUS&ReleaseId=13436.
If the IIS logs indicate that the server may have been compromised, the next step is to audit the tables in the database used by the corresponding Web application, looking for <script> tags appended to text content.
Tip: IIS logging should not be turned off on production servers. Storing and managing IIS logs properly is important; without IIS logs, responding to a security incident is very difficult.
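As an added example (not code from the original post or from Microsoft), the two checks above in Python: a small parser for the W3C extended log format IIS writes, a triage function that URL-decodes each query string and flags ones that carry SQL keywords together with a quote or semicolon, and an audit that looks for <script tags in the text columns of a table. The log lines, table and rows are constructed here and stand in for a real IIS log and SQL Server database (sqlite3 is used so the example runs offline); the field names follow the #Fields header that IIS emits.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample of W3C extended IIS log lines (not from a real server).
# The "#Fields:" header gives the column order, exactly as IIS writes it.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2008-04-20 10:01:02 10.0.0.5 GET /widgets.asp widget=sprocket 192.0.2.10 Mozilla/4.0 200
2008-04-20 10:01:09 10.0.0.5 GET /widgets.asp widget=1%27%3BDECLARE+%40s+varchar%28100%29 192.0.2.44 Mozilla/4.0 500
2008-04-20 10:02:15 10.0.0.5 GET /about.asp - 192.0.2.11 Mozilla/4.0 200
"""

# SQL keywords that have no business in a widget catalogue's query string.
SUSPICIOUS_SQL = re.compile(
    r"\b(declare|cast|exec|execute|union|select|insert|update|delete|drop|xp_\w+|sp_\w+)\b",
    re.I,
)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_suspicious_requests(text):
    """Return (client ip, uri stem, decoded query, status) for requests whose
    query string contains a SQL keyword plus a quote or statement separator."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)  # undo %27, %3B, '+' etc. before matching
        if ("'" in decoded or ";" in decoded) and SUSPICIOUS_SQL.search(decoded):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], decoded, rec["sc-status"]))
    return hits


def build_sample_db():
    """Constructed stand-in for the Web application's database: one row is clean,
    one has a script tag appended to its description, as in the compromised sites."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO widgets VALUES (?, ?)",
        [
            ("sprocket", "A fine sprocket."),
            ("gear", 'A gear.<script src="http://example.invalid/x.js"></script>'),
        ],
    )
    return conn


def find_script_tags(conn, table, columns):
    """Return (table, column, rowid) for every text cell containing a <script tag.
    Table and column names come from the schema, not from users, and are quoted;
    the search pattern itself is bound as a parameter."""
    found = []
    for col in columns:
        rows = conn.execute(
            f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
        ).fetchall()
        found.extend((table, col, rowid) for (rowid,) in rows)
    return found


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print("suspicious request:", hit)
    for hit in find_script_tags(build_sample_db(), "widgets", ["name", "description"]):
        print("script tag found in:", hit)
```

On a real server, point `find_suspicious_requests` at the files under the IIS log directory and `find_script_tags` at every text-typed column of every table the application writes to; a hit in the logs followed by a hit in the tables is the sequence the two steps above describe.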
- If you run third-party code that uses a backend database, confirm with the independent software vendor (ISV) that it is not affected by SQL injection.
If you use third-party ASP Web applications, contact the application vendor to confirm that their products are not affected by SQL injection attacks.
- Verify that the database account used by the Web application has minimal permissions.
Administrators should ensure that the SQL login used by the Web application has only the permissions it needs. Web applications should not connect with server administrator privileges such as sysadmin, or with the db_owner database role. The white paper "Optimal security settings and maintenance in SQL Server 2005" provides extensive recommendations on SQL Server security.
Advice for Web developers
There is a great deal of good documentation on how to defend against SQL injection when writing code. Because these attacks target vulnerable Web application code, the only complete defense is to find and fix the vulnerabilities in that code. Any place in a program where external input (typically the URI query string) is used to build a SQL query dynamically should be treated as suspect. Once code vulnerabilities are identified, they should be fixed carefully.
- SQL Injection, ASP.NET and ADO.NET:
The article above also links to "How to avoid SQL injection in ASP.NET" (http://msdn.microsoft.com/en-us/library/ms998271.aspx), which applies to classic ASP as well.
Here is a very useful video (it accompanies a defense article, but the link may no longer work): http://channel9.msdn.com/wiki/default.aspx/SecurityWiki.SQLInjectionLab.
- Brief information on how SQL injection is carried out:
- SQL injection in ASP code (which differs from ASP.NET):
How to execute SQL Server stored procedures from ASP: http://support.microsoft.com/kb/q164485
- The Microsoft Security Development Lifecycle (SDL) team has guidance on defending against SQL injection. In short, there are three strategies for responding to SQL injection attacks:
- Use parameterized SQL queries
- Use stored procedures
- Use SQL execute-only permissions
Michael Howard discusses these at http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx.
Writing Secure Code (second edition) also explains how to defend against such attacks (see pages 399-411).
- Reduce SQL injection: Use parameterized queries (Parts I and II). The advantage of parameterized queries is that they separate the executed code, such as the SELECT statement, from the data (the dynamic information supplied by the application's users). This defends against malicious statements being executed through user-supplied input.
Part I:
- Filtering SQL injection (or blacklisting characters) in classic ASP code. We consider this a practical temporary measure, not a cure: the code remains vulnerable, and the filtering mechanism can still be bypassed.
Nazim of the IIS team explains how to filter in detail: http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx.
If you still don't know where to start, examine first all ASP code that accesses the database, especially code that passes user-supplied data into queries.
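To make concrete the point made above about parameterized queries (the SELECT statement stays fixed, the user's data travels separately) and about blacklist filtering being a stop-gap rather than a cure, here is an added example that is not code from the original post or from Microsoft. It uses Python with an in-memory sqlite3 table as a stand-in for a classic ASP page querying SQL Server; the table, rows and hostile query-string values are constructed for the demonstration. The concatenated lookup mirrors the `"... WHERE name = '" & Request.QueryString("widget") & "'"` pattern the article warns about.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Web application's SQL Server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO widgets (name, description) VALUES (?, ?)",
        [("sprocket", "A sprocket."), ("gear", "A gear."), ("cog", "A cog.")],
    )
    return conn


def lookup_concatenated(conn, widget):
    """VULNERABLE: the request value is pasted into the SQL text, so the value
    can change what the statement means, not just what it compares against."""
    sql = "SELECT name FROM widgets WHERE name = '" + widget + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_filtered(conn, widget_id):
    """STILL VULNERABLE: a blacklist filter that strips single quotes is the kind
    of temporary measure discussed above; for a numeric column it changes nothing,
    because no quote is needed to alter the WHERE clause."""
    cleaned = widget_id.replace("'", "")
    sql = "SELECT name FROM widgets WHERE id = " + cleaned
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, widget):
    """Hardened: the query text is fixed and the value is bound as a parameter,
    so whatever it contains is only ever compared as data."""
    return [row[0] for row in conn.execute("SELECT name FROM widgets WHERE name = ?", (widget,))]


def lookup_by_id_parameterized(conn, widget_id):
    """Hardened numeric lookup: validate the type first, then bind the value."""
    try:
        value = int(widget_id)
    except ValueError:
        return []  # not a widget id at all; nothing to look up
    return [row[0] for row in conn.execute("SELECT name FROM widgets WHERE id = ?", (value,))]


def compare():
    """Run the same constructed hostile values through each variant and report
    how many rows each one returns (3 rows means the WHERE clause was defeated)."""
    conn = make_db()
    hostile_text = "x' OR 'a'='a"   # constructed hostile query-string value
    hostile_number = "1 OR 1=1"     # constructed; contains no quote to strip
    return {
        "concat_hostile": len(lookup_concatenated(conn, hostile_text)),
        "filtered_hostile": len(lookup_by_id_filtered(conn, hostile_number)),
        "param_hostile": len(lookup_parameterized(conn, hostile_text)),
        "param_number_hostile": len(lookup_by_id_parameterized(conn, hostile_number)),
        "param_benign": lookup_parameterized(conn, "sprocket"),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

The two concatenated variants return every row for the hostile values, the quote-stripping filter included; the parameterized variants return nothing for them and the expected single row for a normal value. In classic ASP the equivalent of the parameterized calls is an ADODB.Command whose CommandText uses `?` placeholders and whose values are added through Parameters.Append with CreateParameter, rather than string concatenation into CommandText.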
Advice for end users
End users (referred to below simply as users; translator's note) should read the information at http://www.microsoft.com/protect/default.mspx. In addition, here are some steps you can take to protect yourself.
- Be selective about which Web sites you visit, but understand that this vulnerability can also affect Web sites that users trust.
Visiting sites selectively reduces your exposure to the vulnerability, but even sites you trust can be attacked. Watch for abnormal behavior, understand the risks you face, and follow the other recommendations in this section.
- Keep Microsoft and third-party software up to date with security updates.
Because malicious code typically exploits known vulnerabilities, make sure you are running Microsoft and third-party software with the latest security updates. Microsoft security updates are available from http://update.microsoft.com. More information is at http://www.microsoft.com/protect/computer/updates/OS.aspx.
- Disable unneeded ActiveX controls and IE add-ons.
You should disable all ActiveX controls and IE add-ons that are not necessary. KB883256 (http://support.microsoft.com/kb/883256) describes how to do this on Windows XP Service Pack 2 or later:
- Open IE.
- On the Tools menu, click Manage Add-ons.
- Click on the name of the add-in.
- Use one of the following methods:
- Click Update ActiveX to replace the control with the latest version. This method is not available for all add-ons.
- Click "Enable" and then click "OK" to enable the add-on.
- Click "Disable" and then click "OK" to disable the add-on.
You may need to restart IE for the enable/disable change to take effect.
For older operating systems, follow the steps described in KB154036 (http://support.microsoft.com/kb/154036).
- Reduce the attack surface of any third-party browser you use.
If you use a browser other than IE, make sure you have installed its latest security updates and have disabled unnecessary extensions and add-ons. Information for popular browsers can be found at the following links:
- Keep anti-malware software up to date
Users should ensure that anti-virus and anti-spyware software are installed and kept up to date. More information is available at http://www.microsoft.com/protect/computer/antivirus/OS.aspx and http://www.microsoft.com/protect/computer/antispyware/OS.aspx. A 90-day trial of Windows Live OneCare antivirus/antispyware software is available at http://onecare.live.com/standard/en-us/install/install.htm.