SQL Injection Attacks by Example
If you use SQL Server as a backend for your applications, have you protected against injection attacks?
January 5, 2005
If you use SQL Server as a backend for your applications, have you protected against injection attacks? Such attacks inject attacker-supplied SQL into the statements an application builds from user input. At best they lead to the inadvertent exposure of sensitive information; in the worst case, where the application's database login has broad privileges, they can lead to a total compromise of the server and the network behind it.
Steve Friedl recently released a whitepaper, "SQL Injection Attacks by Example," which discusses the steps he took during a recent security audit to penetrate a customer's system. The paper describes how he discovered what services and technologies were used, how he discovered table names and table field names, and how he coaxed the system into changing an email address in a table to recover a valid login account name and password.
The paper also discusses some ways to mitigate such attacks. Before you rely on them as definitive defensive measures, read the related message thread on the Bugtraq mailing list to see what other people had to say about Friedl's mitigation suggestions.
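The attack chain described above (a lookup form that can be coaxed into rewriting a stored e-mail address, followed by a password-recovery request for the new address) and the standard mitigation of bound parameters are illustrated below. This is an added example written for this page, not code from Friedl's paper or from the audited site. It uses Python's standard-library sqlite3 module as a stand-in for SQL Server; the table, the two members, the e-mail addresses, the passwords and the injected string are all constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the customer's database.
SCHEMA = """
CREATE TABLE members (
    login    TEXT PRIMARY KEY,
    email    TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO members VALUES ('alice', 'alice@example.com', 'hunter2');
INSERT INTO members VALUES ('bob',   'bob@example.com',   'swordfish');
"""

ATTACKER_EMAIL = "attacker@example.net"  # hypothetical attacker-controlled address

# Constructed injected input. The leading quote closes the application's string
# literal, the semicolon starts a second statement that rewrites a known member's
# address, and the trailing  AND 'a' = 'a  absorbs the application's closing quote
# so the whole batch still parses.
MALICIOUS_EMAIL = (
    "'; UPDATE members SET email = '" + ATTACKER_EMAIL
    + "' WHERE login = 'alice' AND 'a' = 'a"
)


def fresh_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_by_email_vulnerable(conn, email):
    """Lookup built by string concatenation, as in the audited application.

    Returns how many rows were written by what should be a read-only query.
    SQL Server executes every statement in the batch it receives. sqlite3's
    execute() refuses stacked statements, so executescript() is used here
    to reproduce the server behaviour the attack depends on.
    """
    sql = "SELECT login FROM members WHERE email = '" + email + "'"
    before = conn.total_changes
    conn.executescript(sql)
    return conn.total_changes - before


def lookup_by_email_safe(conn, email):
    """Same lookup with the input bound as a parameter, never parsed as SQL."""
    before = conn.total_changes
    conn.execute("SELECT login FROM members WHERE email = ?", (email,)).fetchall()
    return conn.total_changes - before


def recover_account(conn, email):
    """Simulated 'forgot password' feature: the (login, password) pairs the
    site would mail to whoever is registered under this address."""
    cur = conn.execute(
        "SELECT login, password FROM members WHERE email = ?", (email,)
    )
    return cur.fetchall()


def email_of(conn, login):
    """Current stored address for a login, used to observe the side effect."""
    row = conn.execute(
        "SELECT email FROM members WHERE login = ?", (login,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # Vulnerable path: one form submission rewrites alice's address, and a
    # second request then mails her credentials to the attacker.
    conn = fresh_db()
    print("rows written by injected lookup:",
          lookup_by_email_vulnerable(conn, MALICIOUS_EMAIL))
    print("alice now registered as:", email_of(conn, "alice"))
    print("mailed to attacker:", recover_account(conn, ATTACKER_EMAIL))

    # Hardened path: the same input is just a string that matches nobody.
    conn = fresh_db()
    print("rows written by bound lookup:",
          lookup_by_email_safe(conn, MALICIOUS_EMAIL))
    print("alice still registered as:", email_of(conn, "alice"))
    print("mailed to attacker:", recover_account(conn, ATTACKER_EMAIL))
```

The comment syntax and batch handling of SQL Server differ in detail from SQLite, so the exact injected string would be adjusted for a real target; the point the example makes is independent of that: once untrusted text is concatenated into a statement, a read-only lookup can be turned into a write, and binding the value with a placeholder removes that possibility regardless of what the text contains.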
As we reported yesterday in the story, "Microsoft WINS and SQL Server Targeted," brute-force password-cracking attempts have recently been detected against Microsoft SQL Server. Such cracking attempts require direct network access to the database service and are one way to find SQL Server login passwords. Injection attacks are another, and they need no access to the database server at all: anyone, anywhere in the world, who can reach a Web-based application that builds SQL from user input can launch them against the database behind it, even when that database is otherwise firewalled. So consider auditing both the SQL-based applications themselves and the overall network exposure of the related systems to make sure you have your bases covered adequately.