Wednesday, May 9, 2012

SQL Injection Attack from 82.45.20.100

While perusing the application logs this morning I noticed a number of SQL Injection attempts. The site that was being attacked uses MVC with automatic binding of form values to objects, so the exceptions were being thrown early on in the controller, when the framework was trying to bind the attack string to, for example, a boolean.

Here are some of the attack strings the system logged:

%20AND%201=1
%20AND%201=2
' AND '1'='1
' AND '1'='2
' AND 1=1/*
' AND 1=2/*
AND 1=1/*
AND 1=2/*

The source of the attack:

IP: 82.45.20.100
City: Bristol
State: England
Country: United Kingdom
ISP: Virgin Media Limited.

The attack bot wandered around the site and tried many different entry points, as you'd expect. Some of the entry points on the site recognised the requested pattern as an attack and stopped processing. An initial inspection of the database shows no damage.

One of the tricky things about logging SQL Injection attacks is that if you're logging them to a database, your logging process might carry out the very attack that the initial request failed to. I have two suggestions for this:

1. Ensure that any code you use to insert or update to the DB is appropriately parameterized and injection proof.

2. Become a SQL Injection expert and try and break your fortress with injection attempts.
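To make the first suggestion concrete, here is an added example (not code from this post or from the site described; it uses Python and an in-memory SQLite database rather than the author's MVC stack, and the table schema, function names and the narrow detection pattern are my own assumptions). It flags request values that match the tautology probes quoted above, then logs each one two ways: by splicing the attacker's string into the INSERT text, and with a parameterized statement. The round-trip check shows that only the parameterized path stores the quote-bearing attack strings unchanged; the concatenated path either errors out or stores the result of evaluating the attacker's expression.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample of request values. The injection strings are the ones quoted
# in the post; "true" and "42" stand in for ordinary bound form values.
SAMPLE_VALUES = [
    "true",
    "%20AND%201=1",
    "%20AND%201=2",
    "' AND '1'='1",
    "' AND 1=2/*",
    "AND 1=1/*",
    "42",
]

# Narrow detector for the tautology probes seen in the logs (assumption: it is
# only meant to catch this family of strings, not to act as a general SQLi filter).
INJECTION_RE = re.compile(r"\bAND\s+'?\d+'?\s*=\s*'?\d+'?", re.IGNORECASE)


def is_injection_attempt(raw_value: str) -> bool:
    """True when the URL-decoded request value matches the logged probe pattern."""
    return INJECTION_RE.search(unquote(raw_value)) is not None


def flag_values(values):
    """Return the subset of values that look like the logged probes."""
    return [v for v in values if is_injection_attempt(v)]


def open_log_db() -> sqlite3.Connection:
    """In-memory attack log table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attack_log (id INTEGER PRIMARY KEY, source_ip TEXT, raw_value TEXT)"
    )
    return conn


def log_attempt_unsafe(conn, source_ip, raw_value):
    """The anti-pattern: the attacker's string becomes part of the INSERT text."""
    conn.execute(
        f"INSERT INTO attack_log (source_ip, raw_value) VALUES ('{source_ip}', '{raw_value}')"
    )


def log_attempt(conn, source_ip, raw_value):
    """Parameterized insert: the driver passes the string as data, never as SQL."""
    conn.execute(
        "INSERT INTO attack_log (source_ip, raw_value) VALUES (?, ?)",
        (source_ip, raw_value),
    )


def logged_verbatim(conn, log_fn, raw_value, source_ip="82.45.20.100"):
    """Log raw_value with log_fn and report whether it was stored unchanged.

    False means the logging path either failed on the attack string or silently
    stored something else, i.e. the attacker's input was interpreted as SQL.
    """
    try:
        log_fn(conn, source_ip, raw_value)
    except sqlite3.Error:
        return False
    row = conn.execute(
        "SELECT raw_value FROM attack_log ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row is not None and row[0] == raw_value


if __name__ == "__main__":
    conn = open_log_db()
    for value in flag_values(SAMPLE_VALUES):
        safe = logged_verbatim(conn, log_attempt, value)
        unsafe = logged_verbatim(conn, log_attempt_unsafe, value)
        print(f"{value!r}: parameterized={safe} concatenated={unsafe}")
```

Note that the concatenated path happens to survive the URL-encoded probes, which contain no quote character; it is the strings with a stray `'` that turn the log write itself into a second injection, which is exactly why the logging code needs the same parameterization discipline as the application code.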

I'm a little bit surprised that SQL Injection attempts are still going on. I would have thought that any site worth taking over would have dealt with this by now. It's been over a decade since this became a well-known security problem.

1 comment:

  1. You may be interested in (infuriated at?) this tool: http://sqlmap.org/
    I just happened to have read this blog article and saw that site in the same hour. (Let's be honest: I'm obviously stalking you).
    Cheers!
