11/19/2014

How to detect SQL injection mistakes on your websites and databases and keep Rex Mundi away

It is illegal to do this against any other site in Belgium without the approval of the victim and under the control of the victim. Even as a white hacker, because that doesn't exist, even if you are coming on TV :). The victim or his lawyers can come after you at any time and you won't know what hit you (or your parents, like the hacker on VRT).

This is for the programmers and the owners.

But this is just the beginning and not the finish. You really need to limit online access to forms (put them behind a proxy on a server separate from your content server). You need to limit the data behind the database: destroy old data and don't let people download whole data stacks, so only accept data coming from the user, no big transfers of data to the user. Encrypt it sufficiently (not MD5, even if it is salted). Place a vulnerability checker (to keep all the different things you are running up to date) and put a patch policy in place. Install a web application firewall (WAF) or an equivalent policy (make it easy on yourself: only accept the normal commands and block all the rest). Activate an alarm procedure so you get a warning when an SQL injection has some success and is downloading data stacks, or when too many attacks are happening (even if they don't succeed). Have a takedown procedure at hand so you can take down the site, or only the datasets, if none of this helps. (Attacks mostly happen with Metasploit.)
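One way to build the alarm procedure described above, as an added example that is not part of the original post: a small Python script that scans web-server access-log lines, counts injection-style requests per source address, raises a volume alarm when a source passes a threshold, and flags an injection-looking request that was answered with status 200 and an unusually large body (a sign the injection worked and data is leaving). The log lines, thresholds and detection patterns are constructed assumptions, not real traffic or a vendor's rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2014:10:00:01 +0100] "GET /search?q=shoes HTTP/1.1" 200 1842
203.0.113.9 - - [19/Nov/2014:10:00:02 +0100] "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 3015
203.0.113.9 - - [19/Nov/2014:10:00:03 +0100] "GET /item?id=1%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 512
203.0.113.9 - - [19/Nov/2014:10:00:04 +0100] "GET /item?id=1%20UNION%20SELECT%20email,pw%20FROM%20users HTTP/1.1" 200 4810233
203.0.113.5 - - [19/Nov/2014:10:00:05 +0100] "GET /item?id=42 HTTP/1.1" 200 1790
"""

# Fields we need from each log line: client IP, request path, status, response bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

# Assumed indicator patterns, applied to the URL-decoded path.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),  # ' OR 1=1 style tautology
    re.compile(r"\bunion\b.*\bselect\b", re.I),         # UNION SELECT data extraction
    re.compile(r"(--|/\*)"),                            # SQL comment used to cut off the query
    re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I), # time-based probes
]


def looks_like_sqli(path):
    """True if the decoded request path matches any injection indicator."""
    decoded = unquote_plus(path)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def analyse(log_text, attempt_threshold=3, bytes_threshold=1_000_000):
    """Return (attempts_per_ip, alerts); each alert is (kind, ip, detail)."""
    attempts = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not looks_like_sqli(m["path"]):
            continue
        ip = m["ip"]
        attempts[ip] += 1
        # Success indicator: injection-looking request, 200 OK, unusually large body.
        if m["status"] == "200" and int(m["bytes"]) >= bytes_threshold:
            alerts.append(("possible_exfiltration", ip, unquote_plus(m["path"])))
        # Volume indicator: fire once when a source reaches the attempt threshold.
        if attempts[ip] == attempt_threshold:
            alerts.append(("attack_volume", ip, f"{attempt_threshold} injection-style requests"))
    return attempts, alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[1]:
        print(alert)
```

In production the thresholds would be tuned to the site's normal response sizes and request rates, and the alert would feed the takedown procedure rather than just print.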

And have this tested yearly by a penetration tester, but with a clearly defined goal: get the information out of that database, whatever the way. While he is doing these tests, someone from security and from the network team should sit next to him, so that he has a contact if something could go wrong, or to take immediate action if this is needed (finding a hard-coded password, for example).

LESS data is MORE security (and less cost, responsibility and fines), so if people want to add more data or combine data, you should ask yourself whether it is WORTH all that.

And the best way is to write into every contract that the code has to comply with the OWASP 10 or OWASP 20 and that the programmers have to show the results of their tests certifying that they don't have those mistakes in their code (I mean, your code).

Testing for SQL Injection (OTG-INPVAL-005) - OWASP

How to Detect SQL Injection Attacks - The Hacker News

How do I check if my website has an SQL Injection?

Practical Identification of SQL Injection

sqlmap: automatic SQL injection and database takeover tool

Basic Tests for SQL-Injection Vulnerabilities 

Understanding SQL Injection - Cisco Systems

Automated SQL Injection Detection – Arne (many good links)

And so on.
