Mass SQL Injection Attacks

Recently, a mass injection attack has begun that targets SQL injection vulnerabilities in application code, with some of these attacks aimed specifically at ASP and .NET applications. Some of them are fully automated and are being launched from botnets and other infected systems. The source of these attacks and the attack code being used change so quickly that blocking them at the network level is impossible.

SQL injection and cross-site scripting (XSS) attacks are nothing new. For several years now, computer security professionals have been warning of massive attacks such as these disrupting normal business operations on the public Internet. It looks as though this new wave of attacks, and a new method of infecting clients with malicious code, has started.

The Security Team at MaximumASP has been watching this traffic very closely. The vast majority of these attacks have been originating from Chinese IP space or from compromised systems controlled by Chinese attackers. Much of the data being injected into databases contains links to malicious JavaScript code, or links directly to virus/Trojan code, hosted on other infected systems and on systems in Chinese web space.

The only way to protect your systems from attacks such as these is to correct the insecure application code that allows these database changes to be made. This means validating all client-side input to your applications for type, length, format and range. Client-side input is any piece of data that can be changed or modified by the client: HTTP GET and HTTP POST parameters, JavaScript, cookies, VIEWSTATE, or any other channel that allows a client to supply data to your web application.
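As an added illustration (not MaximumASP's code), the following ASP.NET/C# snippet shows the insecure string-built query beside a version that validates the client-supplied value for type, length, format and range and then passes it to SQL Server as a typed parameter. The Products table, the ProductID column and the range limits are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not MaximumASP's code. Assumes a Products table with an
// integer ProductID column and an open SqlConnection supplied by the caller.
public static class ProductLookup
{
    // INSECURE: the raw value (e.g. Request.QueryString["id"]) is pasted into the
    // SQL text, so anything the client appends after the number runs as SQL and
    // can, for example, rewrite text columns to carry a <script> link.
    public static string BuildUnsafeQuery(string idFromClient)
    {
        return "SELECT Name FROM Products WHERE ProductID = " + idFromClient;
    }

    // Step 1: validate the client value before it goes anywhere near the database.
    public static bool TryParseProductId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 9) return false; // length
        if (!Regex.IsMatch(raw, @"^\d+$")) return false;               // format
        if (!int.TryParse(raw, out id)) return false;                  // type
        return id >= 1 && id <= 999999;                                // range (assumed)
    }

    // Step 2: bind the validated value as a typed parameter. The database receives
    // it as an integer value, never as part of the statement text, so injected
    // JavaScript links or extra statements cannot alter what the query does.
    public static string GetProductName(SqlConnection conn, string idFromClient)
    {
        int id;
        if (!TryParseProductId(idFromClient, out id))
            throw new ArgumentException("Invalid product id", "idFromClient");

        using (SqlCommand cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE ProductID = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            object result = cmd.ExecuteScalar();
            return result == null ? null : (string)result;
        }
    }
}
```

The same rule applies to every channel listed above (POST fields, cookies, VIEWSTATE): validate first, then bind as a parameter rather than concatenating.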

Some of these recent attacks have even used the Google search engine to find HTTP GET parameters that may be vulnerable to an injection attack. After these GET parameters have been collected, an automated system attempts to inject code into them to determine whether the application is vulnerable. If it is, links to malicious JavaScript and virus code are injected into the database so that the application’s clients become infected. This method of attack is extremely effective because your web server logs never see the attacking client until the attack itself takes place: since the attackers use search engines such as Google to find your application’s parameters and code, you never see any information-gathering scan before the attack starts.

One way to protect yourself from the attacks described above is to accept input through HTTP POST parameters instead of GET parameters. POST parameters are just as vulnerable to injection as GET parameters, but they are not as easily discovered by search engines or automated scans.

Microsoft provides a free security tool called URLScan that restricts the types of HTTP requests that Internet Information Services (IIS) will process. It can be installed on servers running IIS 4.0 or later. URLScan can be configured to block encoded URLs, unwanted character sets and extremely long requests, among many other features that help protect your system from known and zero-day (unknown) attack vectors. For more information, or to download this Microsoft tool, see the following link: http://www.microsoft.com/technet/security/tools/urlscan.mspx

If you do not have access to your application’s source code, research the third-party application you are using to ensure it has no known vulnerabilities. Many third-party applications, such as phpBB, have recently been attacked and exploited. Attackers are again using search engines such as Google to find servers with these vulnerable applications installed and then launching attacks to deface them or inject malicious code.

For more information on protecting yourself from injection vulnerabilities, please see the following links: