While the default apps on a SBS 2003 (and upcoming SBS 2008) go through a SDL process so that I’m not concerned about SQL injection possibilities on my SBS box (nor do I have SharePoint exposed anyway) when you have third party and home grown apps, you really don’t know of what the coder did.
Review these and forward them on to your local dev guy to make sure they are aware of the problem.
Microsoft has recently published a series of best practices to help developers build SQL code that is not susceptible to SQL injection attacks.
SQL injection attacks occur in applications that are poorly programmed. They are not a result of failures in the data base or supporting products. When applications do not properly filter and control input data, there is a chance inputs can be manipulated, so that dangerous redirecting scripts may end up on the website
Once a web site is infected, the newly embedded script will then direct users to another dangerous website, that can automatically download malware on the user’s PC. While these attacks have been around for years, malware authors are now using newly automated approaches to find susceptible servers automatically and infect thousands of websites in a single day.
IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are “must reads” for any IT developer, for greater assurances in building secure applications.
Microsoft Best Practices for preventing SQL Injection Attacks
Microsoft Security Vulnerability Research & Defense Blog – SQL Injection Attack
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
Nazim’s IIS Security Blog – Filtering SQL injection from Classic ASP
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
Neil Carpenter’s Blog – SQL Injection Mitigation: Using Parameterized Queries
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx
http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx
Michael Howard’s Blog -Giving SQL Injection the Respect it Deserves
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx
MSDN Article – Preventing SQL Injections in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx
Anti-Malware Engineering Team – When SQL Injections Go Awry, Incident Case Study
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx
A more general overview of SQL Injection attacks can also be here:
What are SQL Injection Attacks?
http://en.wikipedia.org/wiki/Sql_injection
what…whats this….another harry?
🙂
A lot of the Microsoft best practices really are sound. But if you want to go ahead and use a brute force tool to see if your system is easily hack-able, I hear good things about sqlninja. In the end, though, it usually boils down to not concatenating SQL statements and also proper escaping of input fields.
**************
Nico del Castillo
Microsoft Security Outreach Team
http://www.microsoft.com/hellosecureworld7