Auditing Matters


Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36130 Visits: 18744
Comments posted to this topic are about the item Auditing Matters

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8352 Visits: 6156
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
thisisfutile
SSC Veteran
Group: General Forum Members
Points: 203 Visits: 973
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?
Gary Varga
SSCrazy Eights
Group: General Forum Members
Points: 8352 Visits: 6156
thisisfutile (2/24/2014)
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?


I believe that the embedded script tags is referring to the scripting equivalent of SQL Injection. It was a common hacking practice to add valid (but malicious) HTML into a comment on a forum, for example, and anyone who loaded up the page (along with all the comments) downloaded and, therefore, executed whatever HTML (and often JavaScript) that was embedded in the original, malicious comment. This method does not target the servers (like SQL Injection attacks) but peer clients.

I hope that I made it clear (and was right).

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
call.copse
SSCrazy
Group: General Forum Members
Points: 2848 Visits: 1860
thisisfutile (2/24/2014)
From Steve's editorial:

look for potential hacking issues, like updating all of your lookup values to the same string, or embedding script tags in your data.


Can anyone elaborate on either of Steve's two suggestions? I don't understand what either of these ideas mean. I'm hoping that it's obvious after someone explains them but at this point I'm clueless. Any links perhaps?


I don't think it means anything beyond what it says - I have observed both these attacks (not at my workplace).

If you have a SQL Injection vulnerability then a way this may be exploited (in a minor, annoying way) is that the hackers change all strings in a lookup table (e.g. list of countries) to "Leet haxors wuz here". They may also choose to update a string value to include script tags e.g. edit all product names to include something like <script>alert('Leet haxors wuz here');</script> - in that way when anyone visits the site (if it puts the product name on the page etc) the aforementioned alert appears.
thisisfutile
SSC Veteran
Group: General Forum Members
Points: 203 Visits: 973
Thank you both, Gary Varga and call.copse for the explanations. I now understand. I think my confusion started because I thought Steve was suggesting some methods for finding exploits but instead it was basic exploits that he was pointing out.

I read it like this... "look for potential hacking issues, BY updating all of your lookup values to the same string, or embedding script tags in your data."

I knew it was something simple that I was making more complicated...I have a tendency to do that. :-P Where's my coffee cup?
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36130 Visits: 18744
I meant write code that looks for

count(lookup value) = count(*)

for a table. Also, look for items in your text fields like "<script language=js>"

We've seen both of these hacks here on the site over the years. There are some other patterns you can search for that can let you know you've had an attack.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
stephen.sarre
Valued Member
Group: General Forum Members
Points: 50 Visits: 297
Hi Steve

Sorry I still don't understand what you mean by

" write code that looks for count(lookup value) = count(*)"

Thanks
Steve
Steve Jones
SSC-Dedicated
Group: Administrators
Points: 36130 Visits: 18744
If I have

LookupID   LookupValue
========   ===========
1          Red
2          Blue
3          Orange

and I run a count of values, grouped by the value, I'd get this.

count(lookupvalue)   count(*)
==================   =========
1 (for Red)          3 (total)
1 (for Blue)         3 (total)
1 (for Orange)       3 (total)


The count(*) is the row count. I'd have to do grouping to get the count by specific values, and include those values. I didn't write all the code here.

If I've been hacked, my table could be:

LookupID   LookupValue
========   ===========
1          Red
2          Red
3          Red


or

LookupID   LookupValue
========   ===========
1          Red <script=js>http.redirect 'malicioussite.com</script>
2          Red <script=js>http.redirect 'malicioussite.com</script>
3          Red <script=js>http.redirect 'malicioussite.com</script>


and my counts would be

count(lookupvalue)   count(*)
==================   =========
3 (for Red)          3 (total)


Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
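The two checks Steve sketches in his replies above (a per-value count that equals the row count, and a scan of text columns for script tags), written out as T-SQL against a constructed sample table. This is an added example, not code from the thread; the table name, column names and sample rows are assumptions for illustration.

```sql
-- Added example, not from the thread: Steve's two audit checks as runnable T-SQL.
-- #Lookup, LookupID and LookupValue are assumed names; the rows are constructed.
IF OBJECT_ID('tempdb..#Lookup') IS NOT NULL DROP TABLE #Lookup;
CREATE TABLE #Lookup (LookupID int PRIMARY KEY, LookupValue nvarchar(200) NOT NULL);

-- Constructed data in the "hacked" shape from the post: every row the same string.
INSERT INTO #Lookup (LookupID, LookupValue) VALUES
    (1, N'Red'), (2, N'Red'), (3, N'Red');

-- Check 1: has every row been overwritten with one value?
-- A healthy lookup table has one row per distinct value, so the distinct
-- count should track the row count. When it collapses to 1 while the row
-- count is larger, raise an alert.
SELECT COUNT(DISTINCT LookupValue) AS DistinctValues,
       COUNT(*)                    AS TotalRows,
       CASE WHEN COUNT(*) > 1 AND COUNT(DISTINCT LookupValue) = 1
            THEN 'ALERT: all lookup values identical'
            ELSE 'ok' END          AS Verdict
FROM #Lookup;

-- The grouped form from the post: per-value count beside the total row count.
-- The HAVING clause returns a row only when a single value owns every row.
SELECT LookupValue,
       COUNT(*)                      AS ValueCount,
       (SELECT COUNT(*) FROM #Lookup) AS TotalRows
FROM #Lookup
GROUP BY LookupValue
HAVING COUNT(*) = (SELECT COUNT(*) FROM #Lookup);

-- Check 2: text columns carrying script tags or similar markup.
-- Plant one contaminated row (the value Steve shows) so the scan has a hit.
UPDATE #Lookup
SET LookupValue = N'Red <script=js>http.redirect ''malicioussite.com</script>'
WHERE LookupID = 2;

-- LIKE is case-insensitive under the default collation; extend the pattern
-- list to match whatever markup your application should never store.
SELECT LookupID, LookupValue
FROM #Lookup
WHERE LookupValue LIKE '%<script%'
   OR LookupValue LIKE '%</script>%'
   OR LookupValue LIKE '%javascript:%'
   OR LookupValue LIKE '%onerror=%';
```

Run the first two statements on a schedule against each real lookup table and alert when the Verdict column or the HAVING query returns anything; the script-tag scan is cheap enough to run across every nvarchar column a page renders.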
SQLRNNR
SSC-Insane
Group: General Forum Members
Points: 21075 Visits: 18259
Gary Varga (2/24/2014)
I found that reading a couple of books on hacking in general (i.e. hacking networks, systems, databases, applications, etc.) really helped open my eyes to a new way of thinking. It also highlighted things like rootkits to me (yes, it was a LONG time ago). Sometimes general technology reading can be worthwhile.


+10



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw
