Friday, May 30, 2008

Microsoft: On SQL Injection Attacks

Via The Microsoft Security Vulnerability Research & Defense Blog.

Beginning late last year, a number of websites were defaced to include malicious HTML tags in text that was stored in a SQL database and used to generate dynamic web pages. These attacks began to accelerate in the first quarter of 2008 and are continuing to affect vulnerable web applications.

The web applications compromised share several commonalities:

  • Application uses classic ASP code
  • Application uses a SQL Server database
  • Application code generates dynamic SQL queries based on URI query strings (http://consoto.com/widgets.asp?widget=sprocket)

This represents a new approach to SQL injection. In the past, SQL injection attacks were targeted to specific web applications where the vulnerabilities and the structure of the underlying database were either known or discovered by the attacker. This attack differs because it has been abstracted such that it is possible to attack virtually any vulnerability that is present in an ASP page creating dynamic SQL queries from URI query strings.

This attack does not exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploits vulnerabilities in custom web applications running on this infrastructure. Microsoft has investigated these attacks thoroughly and determined that they are not related to any patched or 0-day vulnerabilities in Microsoft products.

I highly recommend this resource, since it also has recommendations for consumers to prevent these attacks from being successful on their web infrastructure.

More here.
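The pattern the Microsoft post describes, as an added example that is not code from the Microsoft post or from this blog: a lookup that builds its SQL by concatenating a value taken straight from the URI query string, beside the same lookup with the value bound as a parameter, and output encoding for the stored text. It is written in Python with an in-memory SQLite table standing in for the classic ASP page and its SQL Server database (an assumption, chosen so the example runs offline); the table layout, widget names and descriptions are constructed sample data. The URL host follows the post's own `consoto.com` example.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the site's widget table (assumption).
# The third description simulates text that already carries an HTML tag.
SAMPLE_ROWS = [
    ("sprocket", "Standard 12-tooth sprocket"),
    ("gear", "Hardened steel gear"),
    ("cog", "Internal test part <script>alert(1)</script>"),
]


def make_db():
    """In-memory SQLite database playing the role of the SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO widgets VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def widget_from_url(url):
    """Read the 'widget' query-string parameter, as Request.QueryString would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("widget", [""])[0]


def lookup_vulnerable(conn, url):
    """The vulnerable pattern: SQL text assembled by string concatenation from
    the query string, so the parameter value can change the query's structure."""
    widget = widget_from_url(url)
    sql = "SELECT name, description FROM widgets WHERE name = '" + widget + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """Hardened form: the value is bound as a parameter and is only ever data."""
    widget = widget_from_url(url)
    sql = "SELECT name, description FROM widgets WHERE name = ?"
    return conn.execute(sql, (widget,)).fetchall()


def render(rows):
    """Encode database text before emitting it as HTML, so tags that were
    stored in the table are displayed as text rather than interpreted."""
    return "".join(
        "<li>%s: %s</li>" % (html.escape(name), html.escape(desc))
        for name, desc in rows
    )


if __name__ == "__main__":
    db = make_db()
    normal = "http://consoto.com/widgets.asp?widget=sprocket"
    # Constructed input: a quote that closes the string literal followed by an
    # always-true condition, URL-encoded as it would appear in a request.
    tainted = "http://consoto.com/widgets.asp?widget=sprocket%27%20OR%20%271%27%3D%271"
    print("concatenated, normal   :", lookup_vulnerable(db, normal))
    print("concatenated, tainted  :", lookup_vulnerable(db, tainted))
    print("parameterized, tainted :", lookup_parameterized(db, tainted))
    print(render(lookup_parameterized(db, "http://consoto.com/widgets.asp?widget=cog")))
```

With the concatenated query the tainted request returns every row, because the value rewrote the WHERE clause; the parameterized query returns nothing for it, because no widget has that literal name. The `render` step addresses the other half of the post: once HTML has been written into the table, encoding on output keeps it from executing in visitors' browsers while the data is cleaned up.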
