
SQL Injection Defensive Techniques

Ahmed Fawzy, Security & IT Consultant, Raya Contact Center

How to defend against SQL injection


1. Use Microsoft Source Code Analyzer
2. Use Stored Procedure
3. Enforcement at the database level
4. Filter User Input
5. Use SQL Defender
6. Create User for read and user for write

Microsoft Source Code Analyzer


msscasi_asp.exe is Microsoft's static analyzer for classic ASP pages; it flags places where request data is concatenated into SQL text. Options:

    /input=file             The .asp file to analyze
    /GlobalAsaPath=path     Path to global.asa
    /IncludePaths=path;..;path   Paths to include files
    /Output=file            Generate warnings as XML in 'file' for the viewer
    /Append                 Append to the output file instead of overwriting it
    /NoLogo                 Do not display the tool logo
    /Quiet                  Do not display any parsing errors

Typical invocations:

    rem analyze a single page, warnings to the console
    msscasi_asp.exe /input="c:\source\logon.asp"

    rem write the warnings as XML for the viewer
    msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"

    rem tell the analyzer where global.asa lives
    msscasi_asp.exe /GlobalAsaPath="C:\source" /input="c:\source\display.asp"

    rem resolve #include files from virtual directories
    msscasi_asp.exe /input="c:\display.asp" /IncludePaths="C:\vd1;C:\vd2"

To collect the results for several pages in one report, run the analyzer once per file with /append so each run adds to the same XML file instead of overwriting it:

    msscasi_asp.exe /input="c:\source\file1.asp" /output=c:\output\warnings.xml /append
    msscasi_asp.exe /input="c:\source\file2.asp" /output=c:\output\warnings.xml /append
    msscasi_asp.exe /input="c:\source\file3.asp" /output=c:\output\warnings.xml /append

Use Stored Procedure


The values are bound as typed parameters and sent to the server separately from the statement text, so nothing the user types is parsed as SQL. This holds only as long as the procedure itself does not rebuild a query from its arguments with EXEC on a concatenated string.

    // cmd is a SqlCommand on an open SqlConnection (System.Data, System.Data.SqlClient)
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = "insertMSG";
    // each input is a parameter with a declared type and length, never part of the SQL text
    cmd.Parameters.Add("@Namee", SqlDbType.VarChar, 50).Value = txtName.Text;
    cmd.Parameters.Add("@Email", SqlDbType.VarChar, 30).Value = txtEmail.Text;
    cmd.Parameters.Add("@Tel", SqlDbType.VarChar, 15).Value = txtTEL.Text;
    cmd.Parameters.Add("@Mobile", SqlDbType.VarChar, 15).Value = txtMobile.Text;
    cmd.Parameters.Add("@MSG", SqlDbType.VarChar, 500).Value = txtMSG.Text;
    cmd.Parameters.Add("@Datee", SqlDbType.DateTime).Value = DateTime.Now;
    cmd.ExecuteNonQuery();

Create User for read and user for write

Connect the pages that only display data with a database login granted SELECT on those tables alone, and give the pages that write data a separate login that can only EXECUTE the insert and update procedures. An injection that reaches the read login then cannot modify or drop data, and a vulnerable write path cannot dump tables it has no SELECT permission on.

Use SQL Defender


The filter is a keyword blacklist: the request is rejected if the input contains any listed token. Written out as C#:

    // Returns true when the input is allowed, false when a blacklisted token occurs.
    bool SqlDefender(string data)
    {
        string[] blacklist = { "select", "drop", "insert", "update", "delete",
                               "table", "database", "cmd", "where", "=" };
        foreach (string token in blacklist)
        {
            if (data.Contains(token))   // case-sensitive substring match
                return false;
        }
        return true;
    }

Two caveats before relying on it: string.Contains is case-sensitive, so SELECT in upper case is not caught, and ordinary text such as "please update my address" is rejected. A blacklist can supplement parameterised queries; it cannot replace them.
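The following is an added example, not code from the original slides: a Python port of the slide's SQL Defender blacklist, run over constructed inputs to show the two failure modes of a keyword filter, benign text rejected and payloads admitted. The function names, the case-folded variant and all sample strings are my own assumptions.

```python
# Added example (not from the original slides): a Python port of the slide's
# "SQL Defender" keyword blacklist, used to show why a blacklist is not a
# defence on its own. Names (sql_defender, BLACKLIST) and every sample string
# below are constructed for the demonstration.

BLACKLIST = ("select", "drop", "insert", "update", "delete",
             "table", "database", "cmd", "where", "=")


def sql_defender(data: str) -> bool:
    """Return True if the input is allowed, False if a blacklisted token occurs.

    Mirrors the slide's logic exactly: a plain substring test, case-sensitive,
    with no decoding or normalisation of the input first.
    """
    return not any(token in data for token in BLACKLIST)


def sql_defender_folded(data: str) -> bool:
    """Same check after lower-casing: closes the case trick but nothing else."""
    return sql_defender(data.lower())


# Constructed inputs: text a real user might type, and attacker payloads.
BENIGN = [
    "Please update my address",                 # contains "update"
    "The Table restaurant, where we met",       # contains "where"
    "Meeting at 10:00, room = B",               # contains "="
]
PAYLOADS = [
    "' UNION SELECT name FROM users --",        # upper case: "select" not found
    "' or 1 like 1 --",                         # tautology with no "=" at all
    "' or 'a' like 'a",                         # string tautology, no keyword
]


def classify(check=sql_defender):
    """Run every sample through the filter; return (benign rejected, payloads accepted)."""
    false_positives = [s for s in BENIGN if not check(s)]
    missed = [s for s in PAYLOADS if check(s)]
    return false_positives, missed


if __name__ == "__main__":
    for name, fn in (("as on the slide", sql_defender), ("case-folded", sql_defender_folded)):
        fp, missed = classify(fn)
        print(f"{name}: benign rejected={fp}")
        print(f"{name}: payloads accepted={missed}")
```

Every benign sample is rejected by both variants, and lower-casing the input catches only the upper-case UNION SELECT; the two tautologies built from LIKE never touch a listed token. The page's own remedy on the Use Stored Procedure slide, binding the value as a parameter, makes the question of which words to block irrelevant.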

SQL Injection Attacks



SQL injection is an attack in which the attacker supplies SQL syntax in user-controlled input (a web form field, a query string parameter) that the application concatenates into a query, so the input is executed as part of the statement and gives access to database resources the page never meant to expose.

For example, a search page may run a query (VBScript/ASP) built like this, where the form value lands unquoted inside the SQL text:

    Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

A value of blah' or 1=1 -- closes the string literal, adds a condition that is always true and comments out the rest, so the query returns every row.
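The following is an added example, not code from the original slides: the concatenated query from this slide rebuilt in Python against an in-memory SQLite database, next to the parameter-bound form that the Use Stored Procedure slide relies on, so both can be run with the same payload. The table contents, column types and the `myTable`/`someText` names are taken from the slide's query; the rows and helper names are constructed.

```python
# Added example (not from the original slides): the slide's concatenated query
# rebuilt on an in-memory SQLite database beside its parameter-bound form.
# Rows, the id column and all function names are constructed for the demo.
import sqlite3

SAMPLE_ROWS = [("alpha", 1), ("bravo", 2), ("charlie", 3)]   # constructed data


def make_db() -> sqlite3.Connection:
    """Build myTable with a someText column and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (someText TEXT, id INTEGER)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, inputdata: str):
    """The slide's pattern: the user's input is spliced into the SQL text."""
    sql = "SELECT * FROM myTable WHERE someText = '" + inputdata + "'"
    return conn.execute(sql).fetchall()


def search_bound(conn, inputdata: str):
    """Same query with the value bound as a parameter: it is data, never SQL."""
    sql = "SELECT * FROM myTable WHERE someText = ?"
    return conn.execute(sql, (inputdata,)).fetchall()


# The tautology from the Detect slide's log signature.  In the concatenated
# form the quote ends the literal, "or 1=1" matches every row and "--"
# comments out the closing quote the page appended.
PAYLOAD = "blah' or 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("honest search, concatenated:", search_concat(conn, "alpha"))
    print("payload,       concatenated:", search_concat(conn, PAYLOAD))
    print("payload,       bound       :", search_bound(conn, PAYLOAD))
```

With the concatenated query the payload returns all three rows; with the bound parameter it returns nothing, because the database looks for a row whose someText literally equals the payload string. The stored-procedure call on the earlier slide is safe for exactly this reason, not because the SQL lives in a procedure.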

Detect SQL Injection Attacks



Look for SQL injection attack incidents in these locations:

- IDS log files
- Database server log files
- Web server log files

In a web server log the attack signature may look like this (the first two requests are tautologies that make the WHERE clause always true; the third tries to run an operating system command through xp_cmdshell):

    12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah or 1=1
    12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah or (1=1) --
    12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah or exec master..xp_cmdshell 'net user test testpass --
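The following is an added example, not code from the original slides: detection logic for the signatures above, run over constructed web-server log lines in the same layout (time, client IP, method, URL). The log lines, the rule names and the alert threshold are my own assumptions; the attack lines reproduce the slide's three signatures in URL-encoded form, which is how they appear in a real log.

```python
# Added example (not from the original slides): scan web-server log lines for
# the SQL injection signatures on the Detect slide.  The sample log, the rule
# names and the two-rule alert threshold are constructed for the demonstration.
import re
from urllib.parse import unquote_plus

# Constructed log lines: two ordinary requests, then the slide's three signatures
# as they would be recorded, URL-encoded, in an access log.
SAMPLE_LOG = """\
12:34:30 192.2.3.4 GET /login.asp?username=alice
12:34:31 10.0.0.7 GET /search.asp?q=quarterly+report
12:34:35 192.2.3.4 GET /login.asp?username=blah'%20or%201=1%20--
12:34:36 192.2.3.4 GET /login.asp?username=blah'%20or%20(1=1)%20--
12:34:37 192.2.3.4 GET /login.asp?username=blah'%20or%20exec%20master..xp_cmdshell%20'net%20user%20test%20testpass%20--
"""

# Each rule is (name, regex) applied to the URL-decoded query string.
RULES = [
    ("tautology",   re.compile(r"\bor\b\s*\(?\s*\d+\s*=\s*\d+", re.I)),  # or 1=1, or (1=1)
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("quote",       re.compile(r"'")),
]

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def scan_line(line: str):
    """Return (ip, url, [matched rule names]) for one line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    _, _, query = url.partition("?")
    decoded = unquote_plus(query)       # attackers encode; decode before matching
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), url, hits


def scan_log(text: str, min_hits: int = 2):
    """Flag lines that match at least min_hits rules.

    A lone quote (O'Brien) is far too common to alert on by itself, so one rule
    is not enough; the slide's signatures each trip three.
    """
    alerts = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and len(result[2]) >= min_hits:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, url)
```

Running it over the sample flags the three signature lines from 192.2.3.4 and nothing else. The same rules apply to the Log Parser and Deep Log Analyzer labs: decode the query string first, and alert on a combination of indicators rather than any one of them.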

Lab: Deep Log Analyzer



Deep Log Analyzer is a web analytics tool for small and medium-sized websites, used here to browse the web server logs for the request patterns above.

Lab: Log Parser



Log Parser is a free Microsoft tool that queries log files (IIS logs among them) with SQL-like syntax, which makes it a good fit for searching the signatures above.

Lab: Acunetix
