Tuesday, July 22, 2008

Fighting / finding SQL injection attacks

There's a first time for everything.

One of my client's websites has been successfully hacked. An SQL injection using an ASCII-encoded binary string containing SQL statements. I think we were lucky as the script added a reference to a JavaScript file that is to be loaded. Lucky (?) for us, having these additional markup elements appended to various text columns ended up completely breaking the site's design, and after some investigation it became obvious that there was something going on.

A useful tool that helped me identify where the problem was (actually, 2 problems, but one got exploited!) is Scrawlr, helping pinpoint a piece of code that was vulnerable. Wish I knew about this tool before. Got it via (of all things) this article on SQL Injection on Wikipedia.

And the obvious advice: do pay attention and try to use SQL parameters in your SQL queries rather than just dumping stuff directly from your URL / form parameters into the query text. Might save a few hours.

Helps to have IIS/Apache logs available.
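
One way to put those logs to work, as an added example that is not part of the original post: scan access-log query strings for long hex literals and flag the ones that decode to SQL. It assumes Apache combined-format lines (IIS W3C logs keep the query in its own field and need different parsing); the function names, keyword list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# A hex literal of at least 8 bytes, e.g. 0x55504441...
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){8,})")
# Keyword list is an assumption; extend it for your own database.
SQL_WORDS = re.compile(r"\b(select|insert|update|delete|declare|exec|cursor|drop)\b", re.I)
# Request target inside the quoted request field of a combined-format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def decode_hex_literal(hex_digits):
    """Turn the digits after 0x back into text."""
    raw = bytes.fromhex(hex_digits)
    # Assumption: a payload meant for NVARCHAR is UTF-16LE, so for ASCII
    # text every second byte is NUL.
    if len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def find_encoded_sql(log_lines):
    """Return (line number, client address, decoded text) for each hit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        # Undo URL encoding before looking for the literal.
        query = unquote_plus(urlsplit(match.group(1)).query)
        for literal in HEX_LITERAL.finditer(query):
            text = decode_hex_literal(literal.group(1))
            if SQL_WORDS.search(text):
                hits.append((number, line.split()[0], text))
    return hits

# Constructed sample lines (not from a real log); the hex encodes a harmless statement.
_HEX = "UPDATE demo_table SET demo_col = 1".encode("ascii").hex()
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2008:10:01:00 +0000] "GET /item.asp?id=7 HTTP/1.1" 200 512',
    f'192.0.2.44 - - [22/Jul/2008:10:02:13 +0000] "GET /item.asp?id=7%200x{_HEX} HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Jul/2008:10:03:40 +0000] "GET /img.asp?color=0xFFEEDDCCBBAA99887766 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, client, text in find_encoded_sql(SAMPLE_LOG):
        print(f"line {number} from {client}: {text}")
```

Access logs normally record only the query string, so a payload sent in a POST body will not show up in this scan.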