February 22, 2014 at 11:29 am
Comments posted to this topic are about the item Auditing Matters
February 24, 2014 at 3:15 am
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 24, 2014 at 7:15 am
From Steve's editorial:
look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.
Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
February 24, 2014 at 7:31 am
thisisfutile (2/24/2014)
From Steve's editorial:look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.
Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
I believe that the embedded script tags is referring to the scripting equivalent of SQL Injection. It was a common hacking practice to add valid (but malicious) HTML into a comment on a forum, for example, and anyone who loaded up the page (along with all the comments) downloaded and, therefore, executed whatever HTML (and often JavaScript) that was embedded in the original, malicious comment. This method does not target the servers (like SQL Injection attacks) but peer clients.
I hope that I made it clear (and was right).
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 24, 2014 at 7:37 am
thisisfutile (2/24/2014)
From Steve's editorial:look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.
Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
I don't think it means anything beyond what it says - I have observed both these attacks (not at my workplace).
If you have a SQL Injection vulnerability then a way this may be exploited (in a minor, annoying way) is that the hackers change all strings in a lookup table (e.g. list of countries) to ''Leet haxors wuz here". They may also choose to update a string value to include script tags e.g. edit all product names to include something like <script>alert('Leet haxors wuz here');</script> - in that way when anyone visits the site (if it puts the product name on the page etc) the aforementioned alert appears.
February 24, 2014 at 7:54 am
Thank you both, Gary Varga and call.copse for the explanations. I now understand. I think my confusion started because I thought Steve was suggesting some methods for finding exploits but instead it was basic exploits that he was pointing out.
I read it like this... "look for potential hacking issues, BY updating all of your lookup values to the same string, or embedding script tags in your data.
I knew it was something simple that I was making more complicated...I have a tendency to do that. 😛 Where's my coffee cup?
February 24, 2014 at 9:12 am
I meant write code that looks for
count(lookup value) = count(*)
for a table. Also, look for items in your text fields like "<script language=js>"
We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.
February 24, 2014 at 9:52 am
Hi Steve
Sorry I still don't understand what you mean by
" write code that looks for count(lookup value) = count(*)"
Thanks
Steve
February 24, 2014 at 10:00 am
If I have
LookupID LookupValue
====== =========
1 Red
2 Blue
3 Orange
and I run a count of values, grouped by the value, I'd get this.
count(lookupvalue) count(*)
============ ======
1 (for Red) 3 (total)
1 (for Blue) 3 (total)
1 (for Orange) 3 (total)
The count(*) is the row count. I'd have to do grouping to get the count by specific values, and include those values. I didn't write all the code here.
If I've been hacked, my table could be:
LookupID LookupValue
====== =========
1 Red
2 Red
3 Red
or
LookupID LookupValue
====== =========
1 Red <script=js>http.redirect 'malicioussite.com</script>
2 Red <script=js>http.redirect 'malicioussite.com</script>
3 Red <script=js>http.redirect 'malicioussite.com</script>
and my counts would be
count(lookupvalue) count(*)
============ ======
3 (for Red) 3 (total)
February 24, 2014 at 10:28 am
Gary Varga (2/24/2014)
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.
+10
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply