November 2, 2016 at 1:54 pm
We have just encountered what appears to be suspect data in a lot of our SQL databases that house backend data for internal and external websites. For the tables affected, all of the fields defined as varchar(max) have the following code appended to data.
<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>
Anyone encountered this?
November 2, 2016 at 1:58 pm
rjaye03 (11/2/2016)
We have just encountered what appears to be suspect data in a lot of our SQL databases that house backend data for internal and external websites. For the tables affected, all of the fields defined as varchar(max) have the following code appended to data.<div style="display:none">wer54w66sf32re2</div><div style="display:none">wer54w66sf32re2</div>
Anyone encountered this?
SQL Server did not put that there by itself. Something, somewhere, has written it.
If you haven't even tried to resolve your issue, please don't expect the hard-working volunteers here to waste their time providing links to answers which you could easily have found yourself.
November 2, 2016 at 4:07 pm
If the database is passing a consistency check, then it's something in your apps that's doing that. It could be a trigger though. I'd check that too.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
November 2, 2016 at 4:18 pm
Some of these databases don't even have apps using or accessing them. One database I just created a couple of days ago with one table and I manually keyed test data into it. We suspected a SQL injection, but not all databases are used. It's just concerning that "something" outside the scope of an app is randomly adding text to our character fields. And when it happens, it happens to all rows in table. I searched Google and Bing for this string of data and a LOT of sites came up. It doesn't appear to affect the apps that do use these tables, but quite alarming all the same. We only found it because we passed data to Google API that could not accept any embedded html.
Thanks for the reply
November 2, 2016 at 5:38 pm
Gut feel - SQL Injection vulnerability somewhere. It is a concern, because if your site is known (to malicious apps/users) to be vulnerable, they can do more fun things than just add html. Like extract all the data, or embed malware.
Try setting up an extended events session to capture where the data is coming from.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 3, 2016 at 7:44 am
I'm inclined to agree with Gail's gut instinct - SQL injection. If you don't have any apps accessing the database, take a look at the database permissions and see if that gets you anywhere. You need to find out what/who is embedding HTML and how they're doing it. If you don't, this will happen...or has already happened:
GilaMonster (11/2/2016)
Like extract all the data, or embed malware.
November 3, 2016 at 8:40 am
Rather than SQL Injection (embedding SQL into the URL), it appears that a user is simply pasting javascript fragments into a text field, so it gets saved to your varchar column when the web application form is submitted. What this will do is cause the script to be rendered when the form data is subsequently viewed by other users. Preventing this from happening is a basic website design consideration, so let the application developer know. Meanwhile, from the database side, to confirm who and what is doing this, you can implement an audit trace.
Also, to double dog prevent this happening ever again, you can implement check constraints on varchar columns that get inserted from free-form user input. The example below will block any operation that attempts to insert or update a value containing an HTML tag. It will also raise an error for which you can trap programmatically or using an event trace.
create table MyTable
(
col1 varchar(120) not null
constraint MyTable_Col1_SuspectedSQLInjection
check ( col1 not like '%<%>%</%>%' )
);
insert into MyTable ( col1 )
values ('<div style="display:none">wer54w66sf32re2</div>
<div style="display:none">wer54w66sf32re2</div>');
Msg 547, Level 16, State 0, Line 11
The INSERT statement conflicted with the CHECK constraint
"MyTable_Col1_SuspectedSQLInjection". The conflict occurred
in database "MyDB", table "dbo.MyTable
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
November 3, 2016 at 12:29 pm
Eric M Russell (11/3/2016)
Rather than SQL Injection (embedding SQL into the URL), it appears that a user is simply pasting javascript fragments into a text field, so it gets saved to your varchar column when the web application form is submitted. What this will do is cause the script to be rendered when the form data is subsequently viewed by other users. Preventing this from happening is a basic website design consideration, so let the application developer know. Meanwhile, from the database side, to confirm who and what is doing this, you can implement an audit trace.Also, to double dog prevent this happening ever again, you can implement check constraints on varchar columns that get inserted from free-form user input. The example below will block any operation that attempts to insert or update a value containing an HTML tag. It will also raise an error for which you can trap programmatically or using an event trace.
create table MyTable
(
col1 varchar(120) not null
constraint MyTable_Col1_SuspectedSQLInjection
check ( col1 not like '%<%>%</%>%' )
);
insert into MyTable ( col1 )
values ('<div style="display:none">wer54w66sf32re2</div>
<div style="display:none">wer54w66sf32re2</div>');
Msg 547, Level 16, State 0, Line 11
The INSERT statement conflicted with the CHECK constraint
"MyTable_Col1_SuspectedSQLInjection". The conflict occurred
in database "MyDB", table "dbo.MyTable
Those are HTML tags, although Javascript would (in theory) work as well. I like your design idea.
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply