Auditing Matters


Steve Jones
Comments posted to this topic are about the item Auditing Matters

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Gary Varga
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
thisisfutile
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
Gary Varga
thisisfutile (2/24/2014)
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?


I believe that the embedded script tags is referring to the scripting equivalent of SQL Injection. It was a common hacking practice to add valid (but malicious) HTML into a comment on a forum, for example, and anyone who loaded up the page (along with all the comments) downloaded and, therefore, executed whatever HTML (and often JavaScript) that was embedded in the original, malicious comment. This method does not target the servers (like SQL Injection attacks) but peer clients.

I hope that I made it clear (and was right).

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
call.copse
thisisfutile (2/24/2014)
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?


I don't think it means anything beyond what it says - I have observed both these attacks (not at my workplace).

If you have a SQL Injection vulnerability then a way this may be exploited (in a minor, annoying way) is that the hackers change all strings in a lookup table (e.g. list of countries) to "Leet haxors wuz here". They may also choose to update a string value to include script tags, e.g. edit all product names to include something like <script>alert('Leet haxors wuz here');</script> - in that way when anyone visits the site (if it puts the product name on the page etc.) the aforementioned alert appears.
thisisfutile
Thank you both, Gary Varga and call.copse for the explanations. I now understand. I think my confusion started because I thought Steve was suggesting some methods for finding exploits but instead it was basic exploits that he was pointing out.

I read it like this... "look for potential hacking issues, BY updating all of your lookup values to the same string, or embedding script tags in your data."

I knew it was something simple that I was making more complicated...I have a tendency to do that. :-P Where's my coffee cup?
Steve Jones
I meant write code that looks for

count(lookup value) = count(*)

for a table. Also, look for items in your text fields like "<script language=js>"

We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
stephen.sarre
Hi Steve

Sorry I still don't understand what you mean by

"write code that looks for count(lookup value) = count(*)"

Thanks
Steve
Steve Jones
If I have

LookupID  LookupValue
========  ===========
1         Red
2         Blue
3         Orange

and I run a count of values, grouped by the value, I'd get this.

count(lookupvalue)  count(*)
==================  =========
1 (for Red)         3 (total)
1 (for Blue)        3 (total)
1 (for Orange)      3 (total)


The count(*) is the row count. I'd have to do grouping to get the count by specific values, and include those values. I didn't write all the code here.

If I've been hacked, my table could be:

LookupID  LookupValue
========  ===========
1         Red
2         Red
3         Red


or

LookupID  LookupValue
========  ===========
1         Red <script=js>http.redirect 'malicioussite.com</script>
2         Red <script=js>http.redirect 'malicioussite.com</script>
3         Red <script=js>http.redirect 'malicioussite.com</script>


and my counts would be

count(lookupvalue)  count(*)
==================  =========
3 (for Red)         3 (total)


Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
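
The two checks described in the post above, written out as T-SQL. This is an added example, not code from the original posts; the temp table #ColorLookup, its columns and the sample rows are constructed for illustration.

```sql
-- Constructed sample: a lookup table in the tampered state described above.
-- #ColorLookup, LookupID and LookupValue are hypothetical names.
CREATE TABLE #ColorLookup
(
    LookupID    int           NOT NULL PRIMARY KEY,
    LookupValue nvarchar(200) NOT NULL
);

INSERT INTO #ColorLookup (LookupID, LookupValue)
VALUES (1, N'Red <script>alert(1)</script>'),
       (2, N'Red <script>alert(1)</script>'),
       (3, N'Red <script>alert(1)</script>');

-- Check 1: a single value accounts for every row,
-- i.e. count(lookup value) = count(*) for a table with more than one row.
SELECT  v.LookupValue,
        v.ValueCount,
        t.TotalRows
FROM   (SELECT LookupValue, COUNT(*) AS ValueCount
        FROM   #ColorLookup
        GROUP BY LookupValue) AS v
CROSS JOIN
       (SELECT COUNT(*) AS TotalRows
        FROM   #ColorLookup) AS t
WHERE   t.TotalRows > 1
  AND   v.ValueCount = t.TotalRows;

-- Check 2: text columns holding markup that a lookup value should never contain.
-- The explicit collation makes the match case-insensitive regardless of the
-- column's own collation, so <SCRIPT ...> is caught as well.
SELECT  LookupID,
        LookupValue
FROM    #ColorLookup
WHERE   LookupValue COLLATE Latin1_General_CI_AS LIKE N'%<script%'
   OR   LookupValue COLLATE Latin1_General_CI_AS LIKE N'%</script%';

DROP TABLE #ColorLookup;
```

Against the untampered Red/Blue/Orange table both queries return no rows, so any row returned is worth investigating.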
SQLRNNR
Gary Varga (2/24/2014)
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.


+10



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw
