January 06, 2005 12:00 AM

SQL Injection Attacks by Example

Windows IT Pro
InstantDoc ID #45023
If you use SQL Server as a backend for your applications, have you protected them against injection attacks? Such attacks inject code into SQL statements, which can lead to the inadvertent exposure of sensitive information or, in the worst case, to a total system and/or network compromise.

Steve Friedl recently released a whitepaper, "SQL Injection Attacks by Example," which discusses the steps he took during a recent security audit to penetrate a customer's system. The paper describes how he discovered what services and technologies were used, how he discovered table names and table field names, and how he coaxed the system into changing an email address in a table to recover a valid login account name and password.

The paper also discusses some ways to mitigate such attacks. However, before you rely on them as definitive defensive measures, read the related message thread on the Bugtraq mailing list to see what other people had to say about Friedl's mitigation suggestions.
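To make the defect and the mitigation concrete, here is an added example that is not from Friedl's paper or this article: an account lookup as a Web application might write it, run once with the statement built by string concatenation and once with a parameterized statement, using the same test value. It uses Python's sqlite3 so it runs offline (the backend the article discusses is SQL Server); the table, addresses and probe string are constructed for the illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's member table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.test", "s3cret"), ("bob@example.test", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The defect: the untrusted value is spliced into the statement text, so any
    # quote characters it contains change the shape of the query the database sees.
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The fix: the statement text is fixed and the value is bound as a parameter,
    # so the database treats it purely as data, whatever characters it contains.
    sql = "SELECT email FROM members WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))


# Constructed probe: an address that does not exist, carrying a quote so that a
# concatenated statement no longer means "match this one address".
PROBE = "nobody@example.test' OR '1'='1"


def demo() -> tuple:
    # A correct lookup for a non-existent address must return no rows.
    conn = build_db()
    return lookup_vulnerable(conn, PROBE), lookup_parameterized(conn, PROBE)


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated statement returned:", leaked)
    print("parameterized statement returned:", safe)
```

The concatenated version returns every member for a value that should match none, which is exactly the behaviour an audit should test for; the parameterized version returns nothing.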

As we reported yesterday in the story, "Microsoft WINS and SQL Server Targeted," brute force password cracking attempts have recently been detected against Microsoft SQL Server. While such cracking attempts are one way to find SQL Server login passwords, injection attacks are another method that could be launched by anyone from anywhere in the world if your database servers are exposed to the Internet as backends for Web-based applications. So consider auditing the security of your SQL-based applications and the related systems' overall network exposure to make sure you have your bases covered adequately.

Comments
  • sujan
    4 months ago
    Oct 25, 2011

    sql injection step by step practical guide
    www.readyproject.in/sqlInjection/

  • Anonymous User
    7 years ago
    Jan 19, 2005

    -->Don't use SQL Server or any other MS product for that matter

    real developers choose the best tool for the job while wannabe developers choose 'my database' or 'my language'.

  • Anonymous User
    7 years ago
    Jan 17, 2005

    sql was always blessed with good looks, oracle needs a makeover, send forth the Fab 5 ;-)

  • Anonymous User
    7 years ago
    Jan 13, 2005

    well done genius - this applies to all SQL servers, nothing to do with MS specific

  • Anonymous User
    7 years ago
    Jan 13, 2005

    You mean use Oracle, which also admits it is liable for these attacks?
