Support - Protecting your code from SQL Injection
In a past newsletter we wrote about the increasing trend in SQL Injection attacks against web sites. When successful, these attacks can allow malicious visitors to your site to read data from the site’s database that they should not be able to access. Or even worse, an attack can allow the visitor to write data to your database that should not be written.
If hackers are able to read your database, they may try to use personal customer data and/or credit card numbers for identity theft. Another increasingly popular trend is to write data to the database (for example, writing to the product table of your e-commerce application). Hackers will try to insert malicious URLs into your database that are then displayed on your web site when a visitor views it. Your site visitor clicks on a corrupted link on your site and is directed to the malicious URL, which then tries to exploit your visitor’s machine by targeting an unpatched vulnerability. In this example, your site is merely a vehicle that enables the hacker to infect other machines.
At this point we could get very technical and describe all of the code that is involved with performing an actual SQL injection attack. Further, we could describe the various fixes that need to be in the web site code to prevent these attacks. But others have already written numerous articles. If you want to jump ahead here are a few links to get more technical:
http://en.wikipedia.org/wiki/SQL_injection
http://www.youtube.com/watch?v=MJNJjh4jORY
http://www.unixwiz.net/techtips/sql-injection.html
Instead of getting overly technical we are going to focus on how you can determine if your site is vulnerable to this type of attack and what you can do about it.
The first step is to determine if you use any type of database for your web site. This could be a local Microsoft Access database on the web server itself or a larger MS SQL or MySQL database on a backend database server. By default these databases are typically read/write enabled and will process any SQL code passed to them from your web site.
The second step is to determine if the code on your web site is vulnerable to a SQL injection attack. You could manually try to inject SQL code into your site, but let’s make it easy and use a scanning tool to create a report for you. We’ve used Paros, a security tool for web application vulnerability assessment. The install is straightforward and requires Java to be installed on your machine. You then configure your MS Internet Explorer browser to use Paros as a proxy and visit the site through it. Paros scans the site and produces a report of vulnerable pages and forms on your site. I know I promised to stay non-technical but could not resist.
At this point you will be feeling uneasy if your site contains lots of vulnerable code and fixing the problem may seem daunting. Even if you determine that the data in your database is ok to display to anyone, there is still the problem of having your data overwritten with malicious data that could be displayed on your web site. The good news is that you’ve read this far and will be doing something about this problem. Adhost can help.
The fix for this problem is to ensure your code handles user input properly, so that characters with special meaning in SQL statements (the common escape characters) cannot change the meaning of the query. Further steps can be taken, such as restrictive permissions within the database and custom error messages, so that when an error does occur the site shows a generic message rather than the database’s own error text (which could disclose sensitive information), thereby giving no valuable information to the hacker.
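To make the fix concrete, here is an added example (not code from the article or from Adhost) showing the three points above side by side: the vulnerable query built by pasting user input into the SQL, the fixed version that uses a parameterised query (the standard way to get the escaping the article describes, because the database driver sends the input as a value rather than as SQL text), and a page-level wrapper that returns a generic error message instead of the database’s own. The customer table, the sample rows and the injected input are all constructed for this example; it uses Python’s built-in sqlite3 module so it runs with no database server, and the same pattern applies to MS SQL or MySQL drivers.

```python
import sqlite3

# Constructed sample data standing in for an e-commerce site's customer table.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Constructed input of the kind a scanner such as Paros submits to a search or
# login form: it closes the quoted string and appends an always-true condition.
INJECTED_INPUT = "nobody' OR '1'='1"


def make_demo_db():
    """Create an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def make_empty_db():
    """A database with no tables, used only to show the error-handling path."""
    return sqlite3.connect(":memory:")


def find_customer_vulnerable(conn, username):
    """The vulnerable pattern: the user's text is pasted straight into the SQL,
    so a quote character in the input changes the meaning of the statement."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, username):
    """The fixed pattern: a parameterised query. The driver passes the input as
    a value, never as SQL text, so no hand-written escaping is needed."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_for_web_page(conn, username):
    """What a page handler would call: runs the safe query and, if the database
    raises an error, returns a generic message instead of the driver's own text
    (which can reveal table names or the failing statement to a visitor)."""
    try:
        rows = find_customer_safe(conn, username)
    except sqlite3.Error:
        # Record the real exception in a server-side log; show the visitor
        # nothing specific about the database.
        return {"ok": False, "message": "Lookup failed. Please try again later."}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_demo_db()
    # The injected input returns every customer from the vulnerable query
    # and nothing from the parameterised one.
    print("vulnerable:", find_customer_vulnerable(db, INJECTED_INPUT))
    print("safe:      ", find_customer_safe(db, INJECTED_INPUT))
    print("page (ok): ", lookup_for_web_page(db, "alice"))
    print("page (err):", lookup_for_web_page(make_empty_db(), "alice"))
```

Running the block prints all three customers for the vulnerable query and an empty list for the safe one with the same input, which is exactly the difference a scanner report is pointing at. The wrapper shows the other half of the article’s advice: the visitor sees "Lookup failed", not "no such table: customers".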
So what should you do? First contact whoever developed your web site and have them read this article. Then show them the results of your vulnerability assessment.
Most importantly you should contact the Support department at Adhost because your web site is running on our servers and we care about your security and are here to help. We’ll speak with you, view your documentation and determine the best way to fix your vulnerabilities. You can contact us by sending an email to support@adhost.com with any and all information you have available to help us assess your problem. Include your domain name, URLs that you feel are vulnerable and the best people to contact about this. If you are not able to determine if you are vulnerable to SQL injection, please contact us anyway. This way we can ensure that your site is as secure as possible.