And also a very bad solution. Blacklists don't work. Whitelists and parameterized queries do. And this won't stop POST-based attacks.

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon

On Nov 20, 2009, at 9:24 AM, John Youngman wrote:

> A very dirty, quick, possible solution is to check the CGI.QUERY variable and see if it contains specific SQL keywords that would not normally be in a search, and either cfabort if it does and/or send yourself an email alerting you of the possible attack.
>
> From: Dean H. Saxe
> Sent: Friday, November 20, 2009 12:01 PM
> To: [email protected]
> Subject: Re: [ACFUG Discuss] SQL Injection
>
> Generally, the only thing they are looking for is personally identifiable information (PII) such as names, addresses, social security numbers and, most of all, credit card numbers. Without such information the attackers usually either go away or they may use your site to serve up malware, such as with the Gumblar worm last summer.
>
> -dhs
>
> --
> Dean H. Saxe
> "A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon
>
> On Nov 20, 2009, at 7:02 AM, Jason Vanhoy wrote:
>
>> Another thing that one can potentially determine from examining the logs after such attempts is whether or not there's someone specifically interested in your data, or is it more likely they're looking for *any* data that's easy to access, and you just happened to come up in the list.
>>
>> On Fri, Nov 20, 2009 at 10:00 AM, Teddy R. Payne <[email protected]> wrote:
>> What text was being used for the attack, when the attack occurred, where did the attack come from, was the attack successful, is there another way they could exploit that part of the application, how localized or widespread is the attack, and what is the potential risk of all the above in terms of revenue, developer time, private data, and public confidence.
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - [email protected]
>>
>> On Fri, Nov 20, 2009 at 9:56 AM, Rudi Shumpert <[email protected]> wrote:
>> Doing most of that.
>>
>> Except for the analysis later part. Anything specific you look for in doing the analysis?
>>
>> On Fri, Nov 20, 2009 at 9:50 AM, Teddy R. Payne <[email protected]> wrote:
>> You start off by trapping the error. Prevent the transaction. Record the error somewhere more persistent for review and analysis later. Display an error to the user that matches your site with a meaningful message.
>>
>> Creating error trapping that can specifically identify these types of attempts could also reduce your noise to sound ratio as well.
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - [email protected]
>>
>> On Fri, Nov 20, 2009 at 9:44 AM, Rudi Shumpert <[email protected]> wrote:
>> The stuff I'm seeing is nothing really new, just was wondering if there are some best practices on what to do after to stop the attempt.
>>
>> -Rudi
>>
>> On Fri, Nov 20, 2009 at 9:27 AM, Mischa Uppelschoten <[email protected]> wrote:
>> I probably missed something, but this article is almost a year and a half old... what specifically is attempted now?
>>
>> : Hey folks,
>> :
>> : I saw John's tweet earlier this week about a new wave of SQL Injection (and link to a great article on it http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss), and sure enough I'm seeing a huge upswing in attempts. Over 100 failed attempts last night alone.
>> :
>> : We have taken the steps to prevent damage / harm, but I was wondering what folks are doing after they stop the attempt. What kind of message if any do you provide? Are people checking the logs, and blocking IPs of the worst offenders? Or something else?
>> :
>> : -Rudi
>>
>> Mischa Uppelschoten
>> VP of Technology
>> The Banker's Exchange, LLC.
>> 4200 Highlands Parkway SE
>> Suite A
>> Smyrna, GA 30082-5198
>> Phone: (404) 605-0100 ext. 10
>> Fax: (404) 355-7930
>> Web: www.BankersX.com
>> Follow this link for Instant Web Chat: http://www.bankersx.com/Contact/chat.cfm?Queue=MUPPELSCHOTEN
>>
>> ----------------------- Original Message -----------------------
>> From: Rudi Shumpert <[email protected]>
>> To: [email protected]
>> Date: Fri, 20 Nov 2009 06:47:20 -0500
>> Subject: [ACFUG Discuss] SQL Injection
>>
>> Hey folks,
>>
>> I saw John's tweet earlier this week about a new wave of SQL Injection (and link to a great article on it http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss), and sure enough I'm seeing a huge upswing in attempts. Over 100 failed attempts last night alone.
>>
>> We have taken the steps to prevent damage / harm, but I was wondering what folks are doing after they stop the attempt. What kind of message if any do you provide? Are people checking the logs, and blocking IPs of the worst offenders? Or something else?
>>
>> -Rudi
>>
>> -------------------------------------------------------------
>> To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by http://www.fusionlink.com
>> -------------------------------------------------------------
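Dean's point at the top of the thread (whitelist the input and bind it with a parameterized query instead of scanning CGI.QUERY for keywords, which also misses POST bodies) together with Teddy's advice to trap the attempt, record it persistently and show the user a generic message, as an added example in Python with sqlite3; this is not code from the thread or from the Portcullis CFC. The `products` table, the in-memory `attempt_log` list and the source IP are constructed for the demonstration; in ColdFusion the binding step is what `cfqueryparam` does.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Whitelist: a product id is one to nine digits and nothing else.
ID_PATTERN = re.compile(r"^\d{1,9}$")
GENERIC_MESSAGE = "Sorry, that request could not be processed."


def make_db():
    """Constructed in-memory sample table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_product(conn, product_id):
    """Parameterized query: the value is bound as data, so the SQL text is the
    same no matter what the caller passes in."""
    return conn.execute("SELECT name FROM products WHERE id = ?",
                        (product_id,)).fetchall()


def handle_request(conn, params, source_ip, attempt_log):
    """Validate the parameter the same way wherever it came from: params is the
    merged dict of query-string and POST-body fields. On a whitelist failure
    the transaction is aborted, the attempt is recorded (attempt_log stands in
    for a persistent store) and the user gets a generic, site-style message."""
    raw_id = params.get("id", "")
    if not ID_PATTERN.match(raw_id):
        attempt_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "source_ip": source_ip,
            "parameter": "id",
            "value": raw_id,  # keep the raw value for later analysis
        })
        return {"ok": False, "message": GENERIC_MESSAGE, "rows": []}
    return {"ok": True, "message": "", "rows": lookup_product(conn, int(raw_id))}


if __name__ == "__main__":
    db, log = make_db(), []
    print(handle_request(db, {"id": "2"}, "198.51.100.7", log))
    print(handle_request(db, {"id": "2 OR 1=1"}, "198.51.100.7", log))
    # Even without the whitelist, a bound value is compared as data, not parsed.
    print(lookup_product(db, "2 OR 1=1"))  # []
    print(log)
```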
