Friday, May 18, 2012

SQL Injection Attack from 82.45.20.100

While perusing the application logs this morning I noticed a number of SQL Injection attempts. The site that was being attacked uses MVC with automatic binding of form values to model objects, so the exceptions were thrown early, in the controller, when the framework tried to bind the attack string to, for example, a boolean.
Here are some of the attack strings the system logged:
%20AND%201=1
%20AND%201=2
' AND '1'='1
' AND '1'='2
' AND 1=1/*
' AND 1=2/*
AND 1=1/*
AND 1=2/*
The source of the attack:
IP: 82.45.20.100
City: Bristol
State: England
Country: United Kingdom
ISP: Virgin Media Limited.
The attack bot wandered around the site and tried many different entry points, as you'd expect. Some of the entry points on the site recognised the request as an attack from the pattern being submitted and stopped processing it. An initial inspection of the database shows no damage.
One of the tricky things about logging SQL Injection attacks is that if you log the attack strings to a database, your logging code can become the injection point that the original attack missed: the string that failed to bind in the controller is now concatenated into your INSERT. I have two suggestions for this:
1. Ensure that any code you use to insert or update rows in the DB is properly parameterized and injection proof.
2. Become a SQL Injection expert and try to break your own fortress with injection attempts.
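To make the two points above concrete, here is an added example (not code from the post or from the site it describes, and written in Python with sqlite3 rather than the site's ASP.NET stack). It takes the eight probe strings logged above, runs a simple pattern check of the kind the post says some entry points performed (the regular expression is my own heuristic, not the site's logic), and then logs each probe twice: once through a concatenated INSERT, the anti-pattern the post warns about, and once through a parameterized INSERT. The request path is a constructed value.

```python
import re
import sqlite3
from datetime import datetime, timezone

# The probe strings logged in the post (first two URL-decoded: %20 is a space).
ATTACK_STRINGS = [
    " AND 1=1",
    " AND 1=2",
    "' AND '1'='1",
    "' AND '1'='2",
    "' AND 1=1/*",
    "' AND 1=2/*",
    "AND 1=1/*",
    "AND 1=2/*",
]
SOURCE_IP = "82.45.20.100"      # source address from the post
PATH = "/products/details"      # constructed request path for the demo

# Heuristic (an assumption for this demo, not the site's own check): a boolean
# connective followed by a numeric x=y comparison, or an SQL comment marker.
_PROBE_RE = re.compile(r"(?i)\b(?:and|or)\s+'?\d+'?\s*=\s*'?\d+'?|/\*|--")


def looks_like_injection_probe(value: str) -> bool:
    """Return True when a request value matches the probe patterns above."""
    return _PROBE_RE.search(value) is not None


def open_log_db() -> sqlite3.Connection:
    """In-memory log table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attack_log ("
        "id INTEGER PRIMARY KEY, logged_at TEXT NOT NULL, source_ip TEXT NOT NULL, "
        "path TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    return conn


def log_attack_unsafe(conn, source_ip, path, payload):
    """The anti-pattern: the attacker's string is spliced into the INSERT, so
    its quotes and comment markers become part of the SQL statement."""
    sql = (
        "INSERT INTO attack_log (logged_at, source_ip, path, payload) VALUES ('"
        + datetime.now(timezone.utc).isoformat() + "', '"
        + source_ip + "', '" + path + "', '" + payload + "')"
    )
    conn.execute(sql)
    conn.commit()


def log_attack_safe(conn, source_ip, path, payload):
    """Parameterized insert: the payload is bound as a value, so it is stored
    verbatim and cannot change the statement."""
    conn.execute(
        "INSERT INTO attack_log (logged_at, source_ip, path, payload) VALUES (?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), source_ip, path, payload),
    )
    conn.commit()


def stored_payloads(conn):
    return [row[0] for row in conn.execute("SELECT payload FROM attack_log ORDER BY id")]


def run_safe_demo():
    """Flag and log every probe with the parameterized insert; returns what was stored."""
    conn = open_log_db()
    for value in ATTACK_STRINGS:
        if looks_like_injection_probe(value):
            log_attack_safe(conn, SOURCE_IP, PATH, value)
    return stored_payloads(conn)


def run_unsafe_demo():
    """Log every probe with string concatenation; returns how many log entries
    were lost (statement failed) or corrupted (stored value differs from the probe)."""
    damaged = 0
    for value in ATTACK_STRINGS:
        conn = open_log_db()      # fresh table per probe so failures are isolated
        try:
            log_attack_unsafe(conn, SOURCE_IP, PATH, value)
            if stored_payloads(conn) != [value]:
                damaged += 1
        except sqlite3.Error:
            damaged += 1
    return damaged


if __name__ == "__main__":
    print("parameterized logging stored:", run_safe_demo())
    print("concatenated logging lost or corrupted %d of %d entries"
          % (run_unsafe_demo(), len(ATTACK_STRINGS)))
```

With the parameterized insert all eight probes are stored exactly as received. With concatenation, the four probes that start with a single quote either abort the INSERT (the `/*` variants leave the statement incomplete) or are quietly rewritten into a boolean expression and stored as `0`, so the log no longer tells you what was sent, which is precisely the failure the two suggestions above are meant to prevent.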
I'm a little bit surprised that SQL Injection attempts are still going on. I would have thought that any site worth taking over would have dealt with this by now. It's been over a decade since this became a well known security problem.
