Re: SQL Injection and DB user permissions

We are being attacked these days, and someone/bot modifies the fields
-inserts javascript code-

Our site has tons of vulnerable spots, I think. I and a friend of mine couldn't
patch the ASP codes, completely...

After an attack, site slows down -at the client site, of course- due to load the
remote javascript file. People don't know what problem is and say "your site is too slow"
or "there is a virus" like things.

Then I've decided to clear the tables automatically and I did it. I monitor a field in a table
-say honeypot- if there will be a change I'll remove the changed string -usually a javascript code-

At the moment, I'm using that code. It can be used as standalone script when you notice an attack
or you may include as a part of any script -i.e. default.asp, with 10 minute intervals- It has silence mode
ability so there is no problem to include it anywhere...


If someone request I supply the code.



"Bob Barrows [MVP]" <reb01501@xxxxxxxxxxxxxxx>, iletisinde şunu yazdı, news:uyE5fAL%23IHA.6012@xxxxxxxxxxxxxxxxxxxxxxx
Randy wrote:
I have a .asp web application (using MSSLQ SRV).
I have actually taken it down after reading articles posted here and
elsewhere, since it contains quite a bit of 'dynamic sql' and I KNOW
that it' FULL of vulnerabilities to SQL Injection attach. I decided
not to wait around for this to happen and I'm working to 'harden' it.

So this is probably a stupid question and, no doubt, there is a
concept that I am not grasping.
But, since my site is purely informational, and, (by intention at
least) only allows the user to search and display the data, I would
THINK, that employing a database user in the connection string with
read-only permissions, would at least make it LESS susceptible to
this kind of attach.
Am I missing something here?

Nope. That is certainly a valid approach. The only potential problem
that would remain is if there is something to read in the database that
you don't want people to be able to read.

If users are not allowed to modify data, that certainly reduces your
potential for damage, and would definitely prevent the recent worm
attack from affecting your system.

Just be sure to explicitly grant SELECT permissions to only the database
object you want to have visible to users. Don't just put the user
account in db_datareader and think you're safe.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.



.

Relevant Pages

  • [Full-disclosure] WebCT 4.x Javascript Session Stealer Exploits
    ... WebCT 4.x Javascript Session Stealer Exploits ... Attack Type: ...
    (Full-Disclosure)
  • Re: HTML generation was: Re: A more verbose catch?
    ... scrubbing them first. ... people submit a form with javascript in ... it, you store it in the database, and future customers coming by ... IIRC, that's actually a cross-site scripting attack, with the attack ...
    (comp.lang.tcl)
  • Re: SQL Injection and DB user permissions
    ... patch the ASP codes, completely... ... After an attack, site slows down -at the client site, of course- due to ... remote javascript file. ... In between each successful SQL injection attack, ...
    (microsoft.public.inetserver.asp.db)
  • Re: Is there a new Bug/Virus?
    ... to a "virus" or any malware. ... boot File Allocation Table not correct and does not allow boot - ... then it is an attack or the hardware is f'ng up. ... Java but allow JavaScript so that is the only way. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Prototype - Good/Bad/Why?
    ... related to browser scripting. ... Attack the bad work, not the people. ... specifically aimed at you (though some of your trolling posts in this ... I want to know best-practices all the way down to JavaScript, ...
    (comp.lang.javascript)
Loading