As a follow up to my post on preventing SQL Injection Attacks a couple of months ago I just found this little nugget, I Made a Difference[^], and it shows what can be achieved if you don’t secure against SQL Injection attacks – and with only 3 hours of effort. Obviously, if you have access to the source code you will be able to launch an attack much quicker.
Two weeks ago, I taught a Guerilla .NET course for DevelopMentor in Boston. Two or three days ago, a student who listened to me rant about SQL Injection attacks during the Code Access Security module lecture sent us (myself and the other two instructors) the following. It’s obviously been edited to protect the guilty:
“Hi, Ted. I want to thank you for the short primer on SQL injection attacks at the Guerrilla course in Woburn this month. We have a vendor who supplies us with electronic billing and payment services. (We send them billing data, and they present the bills to our customers and take the payments for us.) The week after the Guerrilla class I began to lose confidence in their application for various reasons, like seeing errors that included partial SQL statements, and in one case, a complete SQL statement that was accidentally left on a page from a debugging session. I told our company’s business manager that I was 80% confident that I could hack into their site using SQL injection. He called the vendor, who swore up and down that after spending $83,000 on firewalls that no one could ever hack into their site, and that we should go ahead and try.
“After three hours and a Google search on SQL injection, I was running successful queries from their login page and I had their server emailing us the query results via xp_sendmail. I was also able to confirm that the SQL Server login they use for their application has sa rights. I got a list of their clients, and was able to create tables in their databases.
“The vendor promised that by the next morning everything would be fixed. So the next morning at 8:00 am I tried again. I was no longer able to get results via xp_sendmail, but I was able to shutdown their SQL Server service by sending a shutdown command. I followed that up with a friendly call to their tech support line to let them know that they needed to restart SQL Server–I didn’t want to be too malicious. The guy at the other end of the line apparently had been there the entire night changing code and rolling out pages. He threatened to get on a plane, come to my office, and beat me up.”
“The disturbing thing about the incident is that there is enough data in the vendor’s database to allow someone to commit identity fraud or steal credit card and bank account numbers. And they are not a mom and pop shop either–their client list includes F—-, D—-, D—-, and V—-. [These are names that you would recognize, dear reader.] If I had been malicious I could have stolen data from any of those companies.”
Hunh. Three hours and a Google search was all it took. Anybody still think firewalls are the answer? “Security is a process, not a product.” — Bruce Schneier, Secrets and Lies.
NOTE: This was rescued from the Google Cache. The original date was Wednesday 17th November, 2004.