
Defense in Depth Web Server Custom HTTP Handler Input Validation


Slide 1: Rob Kraft – www.KraftSoftware.com
Defense in Depth: Web Server, Custom HTTP Handler, Input Validation, Sanitize Input

The sheep represents the data sent from a computer to our web site. Each layer in the diagram gets a chance to stop a SQL Injection attempt before it reaches the database, and the later layers limit what an attack can do if the earlier ones are bypassed.

Client: A hacker can choose to bypass or forge almost any client side validation techniques, such as JavaScript code to validate data.

Net Appliance: The Net Appliance looks at a black list of suspicious characters, but this one passes the list.

Web Server: The request enters the web server (usually IIS or Apache).

Custom HTTP Handler: The request may be examined by a custom HTTP handler written to look for suspicious input.

Input Validation: The request is processed by the code in the web page. The code could perform input validation such as analyzing the length of input in specific fields, or looking for suspicious characters.

Sanitize Input: Finally, any input persisted to a database should be “sanitized” by using parameters, stored procs, and replacing single quotes with two single quotes.

DB Conn String: If a SQL Injection manages to bypass all attempts to prevent it, what the SQL Injector can accomplish is largely determined by the permissions provided by the database connection string. Hackers may attempt to access other databases and features, but what they can do is limited by the connection string.

Master database, Pwds and SSNs: If the hacker discovers the server is vulnerable to SQL Injection, he can then use SQL Injection to attempt to exploit unsecured database features and data. The hacker could attempt to obtain passwords or sensitive data like social security numbers and credit card numbers. Hashing passwords, encrypting sensitive data and database permissions can protect data.

Xp_cmdshell: The hacker could attempt to run xp_cmdshell to gain access to the host OS. Unnecessary features like xp_cmdshell should be disabled.

September 22, 2011, Rob Kraft
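An added example, not code from the presentation: the page-code validation layer and the sanitize-input layer described above, run against an in-memory SQLite table that stands in for the site's user store. The table rows, the username field rules and the injection test value are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample table standing in for the site's user store.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db

# Input validation layer (page code): check field length and reject
# characters a username should never contain. True means acceptable.
def validate_username(value, max_len=32):
    if not value or len(value) > max_len:
        return False
    return re.fullmatch(r"[A-Za-z0-9_.-]+", value) is not None

# Vulnerable lookup: the value is concatenated into the SQL text, so a
# quote in the input changes the query instead of matching a row.
def lookup_concat(db, username):
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in db.execute(sql)]

# Escaping option named on the slide: double every single quote before
# concatenation so the quote is read as data inside the string literal.
def lookup_escaped(db, username):
    sql = ("SELECT username FROM users WHERE username = '"
           + username.replace("'", "''") + "'")
    return [r[0] for r in db.execute(sql)]

# Parameterized lookup: the driver sends the value separately from the
# SQL text, so quote characters are never interpreted as SQL syntax.
def lookup_param(db, username):
    sql = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in db.execute(sql, (username,))]

# Defense in depth: reject at the validation layer first, then query
# with parameters so a value that slips through still cannot alter the SQL.
def handle_request(db, username):
    if not validate_username(username):
        return "rejected"
    return lookup_param(db, username)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"             # constructed SQL Injection test value
    print(lookup_concat(db, probe))    # ['alice', 'bob']  every row leaks
    print(lookup_escaped(db, probe))   # []
    print(lookup_param(db, probe))     # []
    print(handle_request(db, probe))   # rejected
```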

