
Showing posts from May, 2008

Dissection of the ASP SQL Injection Outbreak

Several website owners this past week, including the United Nations and the UK Government, were left with a compromised database after being hit with the notorious SQL injection bug. This is a flaw in which a basic ASP webpage can end up running attacker-supplied script on its SQL server. The mass attack hit a number of websites that were ASP driven and supported querystring parameters for database lookup. Webpages can allow dynamic retrieval of information based upon querystring parameters; however, if programmed in a basic manner, they might allow a malicious script to be run. Here is a basic example of a page that is vulnerable:

Page: BadCode.asp

    Dim myVar
    myVar = Request("input")
    ...
    objComm.CommandText = "Select * from myTable where ID=" & myVar
    objRS.Open objComm.Execute
    ...

In the normal situation, this will query the database for the specified record. However, if the value of input is passed in as a malicious script, it could be run by the SQL server and run amok! Le
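To make the difference concrete, here is an added example (not code from the original post) that mirrors the BadCode.asp pattern in Python against an in-memory SQLite table: the lookup built by string concatenation next to a hardened version that validates the ID and binds it as a parameter. The table name and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the post's "myTable".
SAMPLE_ROWS = [(1, "alpha"), (2, "bravo"), (3, "charlie")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    # Same shape as BadCode.asp: the request value is glued into the SQL
    # text, so whatever the client sends becomes part of the statement.
    sql = "SELECT * FROM myTable WHERE ID=" + user_input
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_input: str) -> list:
    # 1. Validate: the ID column is an integer, so accept only digits.
    if not user_input.strip().isdigit():
        raise ValueError("ID must be a whole number")
    record_id = int(user_input)
    # 2. Parameterise: the value travels separately from the SQL text and
    #    is never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT * FROM myTable WHERE ID=?", (record_id,)
    ).fetchall()


def compare(user_input: str):
    """Run both lookups on the same input and return (vulnerable, hardened)."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, user_input)
    except sqlite3.Error as exc:
        vuln = f"SQL error: {exc}"
    try:
        safe = lookup_hardened(conn, user_input)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return vuln, safe


if __name__ == "__main__":
    for probe in ("2", "1 OR 1=1"):
        print(repr(probe), "->", compare(probe))
```

In classic ASP the hardened path corresponds to checking the value with IsNumeric and binding it through ADODB.Command.Parameters instead of concatenating it into CommandText.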