Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do you check your URL for SQL Injection Attacks?

Tags:

sql

sql-server

I've seen a few attempted SQL injection attacks on one of my web sites. It comes in the form of a query string that includes the "cast" keyword and a bunch of hex characters which when "decoded" are an injection of banner adverts into the DB.

My solution is to scan the full URL (and params) and search for the presence of "cast(0x" and if it's there to redirect to a static page.

How do you check your URL's for SQL Injection attacks?

like image 246
Guy Avatar asked Sep 03 '08 19:09

Guy


People also ask

How SQL injection attacks are detected?

Detection methods range from checking server logs to monitoring database errors. Most network intrusion detection systems (IDS) and network perimeter firewalls are not configured to review HTTP traffic for malicious SQL fragments, making it possible for an attacker to bypass network security boundaries.

Where can I find SQL injection?

The most common other locations where SQL injection arises are: In UPDATE statements, within the updated values or the WHERE clause. In INSERT statements, within the inserted values. In SELECT statements, within the table or column name.

What is URL injection?

URL Injection occurs when a hacker has created/injected new pages on an existing website. These pages often contain code that redirects users to other sites or involves the business in attacks against other sites. These injections can be made through software vulnerabilities, unsecured directories, or plug-ins.

What is HTTP URI SQL injection?

This indicates an attempt to exploit a SQL-injection vulnerability through HTTP requests. The vulnerability is a result of the application's failure to check user supplied input before using it in an SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server.


1 Answers

I don't.

Instead, I use parametrized SQL Queries and rely on the database to clean my input.

I know, this is a novel concept to PHP developers and MySQL users, but people using real databases have been doing it this way for years.

For Example (Using C#)

// Bad!
SqlCommand foo = new SqlCommand("SELECT FOO FROM BAR WHERE LOL='" + Request.QueryString["LOL"] + "'");

//Good! Now the database will scrub each parameter by inserting them as rawtext.
SqlCommand foo = new SqlCommany("SELECT FOO FROM BAR WHERE LOL = @LOL");
foo.Parameters.AddWithValue("@LOL",Request.QueryString["LOL"]);
like image 112
FlySwat Avatar answered Nov 02 '22 08:11

FlySwat