SQL Injection Attacks and Data Thief

re: SQL Injection Attacks and Data Thief

Peter Blum — Thu, 06 Jan 2005 03:43:00 GMT

Last year, when Microsoft's ASP.NET Roadshow and DevDays visited Boston, the speakers enphasized SQL Injection and Cross-site scripting attacks. (We're talking about hours on the topic.) With such a large audience and a traveling event like these, I would have thought it inspired the masses.
As the author of Professional Validation And More, a replacement to the Microsoft validators, I thought I'd participate by building new Validator controls and tools that reflected the issues mentioned not only by Microsoft but by the same articles you point out.
While my "Visual Input Security" has been out since September, it has been met with very little interest, even after last month's 5 star 3 page review in aspNetPRO magazine from Don Kiely. Even from my large Professional Validation And More user base who are very enthusiastic of my work.
It tells me that people are ignoring the issue, hoping it will go away, and when they address it, they take the simplest solution, such as stripping out the single quote character. As I learned from reading those articles, there is so much more to input security. Users will protect their textboxes but not their cookies, querystring parameters and hidden fields. Any hole in the page will be tracked down by the hacker, who enjoys these challenges.
My own solution was to build a report that runs after the page is generated, showing all of the inputs used and the exact validation and neutralization applied to each. It gives each a rating for security with SQL and Script injection.
It doesn't matter whether people buy my software. It DOES matter that they are doing the right thing to protect themselves. So Michael, thanks for speaking up about this.

re: SQL Injection Attacks and Data Thief

Jon Galloway — Fri, 07 Jan 2005 06:53:00 GMT

SQL Injection isn't just about stealing data, either. Here's a story I heard about where a trigger was added to cause an outage in an order processing system: http://weblogs.asp.net/jgalloway/archive/2004/05/05/126958.aspx

Peter - I'm trying to sell you VIS package to my boss. Managers usually like to view this as "that danged single quote thing"; I'm lucky to have a boss who knows better.

SQL Injection Attacks and Data Thief

システム管理な雑記 -- Sleeve notes of a sysadmin -- Kenji Y — Wed, 26 Jan 2005 12:55:00 GMT

SQL Injection Attacks and Data Thief

re: SQL Injection Attacks and Data Thief

Mark Kent — Sat, 22 Mar 2008 20:26:05 GMT

Hi Mike,

I work as System Engineer in a major ISP company and we are hosting a large number of legacy ASP applications which contain SQL Injection flaws. I always suggest clients to solve the problem by hardening the source code, but 9 out 10 times they don't have the resources. I have been using this tool when clients agree:

http://www.codeplex.com/IIS6SQLInjection

So far it seems to be working and I have not had problems except that I cannot install in Windows 64 bit. Have you heard about this tool? Is there a way to make it work in 64 bit? The source code is there but I am not good in C++.

Thanks,

P.S.: I am not using my real name to avoid problem with my clients.

SQL Express 2005, conviene? - Pagina 2 | hilpers

SQL Express 2005, conviene? - Pagina 2 | hilpers — Fri, 23 Jan 2009 09:07:57 GMT

PingBack from http://www.hilpers.it/2532861-sql-express-2005-conviene/2