Hey folks,
I saw John's tweet earlier this week about a new wave of SQL Injection (and a
link to a great article on it:
http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss),
and sure enough I'm seeing a huge upswing in attempts. Over 100 failed
Thanks for the suggestions Charlie and Teddy! I should have asked this here a
long time ago. :)
The Bespin project looks exciting! I also like the nocCode tool and will most
likely use that for now. Maybe I'll modify that to offer some code assist.
Thanks again!
Wes
From: ad...@acfug.org
the stuff I'm seeing is nothing really new, just was wondering if there are
some best practices on what do to after to stop the attempt.
-Rudi
On Fri, Nov 20, 2009 at 9:27 AM, Mischa Uppelschoten
mischa.uppelscho...@bankersx.com wrote:
I probably missed something, but this article is almost
You start off by trapping the error. Prevent the transaction. Record the
error somewhere more persistent for review and analysis later. Display an
error to the user that matches your site with a meaningful message.
Creating error trapping that can specifically identify these types of
attempts
What text was being used for the attack, when the attack occurred, where did
the attack come from, was the attack successful, is there another way they
could exploit that part of the application, how localized or widespread is
the attack, and what is the potential risk of all the above in the terms
Another thing that one can potentially determine from examining the logs
after such attempts is whether or not there's someone specifically
interested in your data, or is it more likely they're looking for *any* data
that's easy to access, and you just happened to come up in the list.
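The trap-record-and-display sequence described above, as an added example in ColdFusion (not code from the thread). It assumes a datasource named "demoDSN" and a "users" table; the log file name and the field names in the record are my own choices.

```cfml
<!--- Added example, not from the thread: trap a failing query, record the
      facts needed to review the attempt later, and show the user a generic
      page. The datasource "demoDSN" and the "users" table are assumed. --->
<cftry>
    <cfquery name="getUser" datasource="demoDSN">
        SELECT id, name
        FROM   users
        WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="any">
        <!--- One structured record per attempt: what was sent, when, from where,
              which page, and what failed. cfcatch.message tells you later whether
              cfqueryparam rejected the value or the database itself raised the
              error, i.e. whether the statement ever reached the database. --->
        <cfset attempt = structNew()>
        <cfset attempt.when         = now()>
        <cfset attempt.remoteAddr   = cgi.remote_addr>
        <cfset attempt.forwardedFor = cgi.http_x_forwarded_for>
        <cfset attempt.userAgent    = cgi.http_user_agent>
        <cfset attempt.script       = cgi.script_name>
        <cfset attempt.query        = left(cgi.query_string, 2000)>
        <cfset attempt.formFields   = structKeyList(form)>
        <cfset attempt.errorType    = cfcatch.type>
        <cfset attempt.message      = left(cfcatch.message, 500)>

        <!--- cflog writes to a dedicated file under the ColdFusion logs directory,
              which persists across restarts and can be loaded for analysis
              (how many sources, how many pages, same payload or many). --->
        <cflog file="db-errors" type="warning" text="#serializeJSON(attempt)#">

        <!--- Prevent the transaction and show a site-styled, non-technical message --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput><p>Sorry, we could not process that request.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The record is written to a log file rather than mailed, so a burst of attempts fills a file instead of an inbox; the later reply in this thread about turning injection attempts into a self-inflicted denial of service is the reason for that choice.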
On Fri,
Blocking IPs is useless, attackers will just use another proxy to change the
apparent location of the originating attack. You can't stop the attempts,
you must instead prevent the exploitation of vulnerable code. This means
writing secure code using data validation on all input, data
Generally, the only thing they are looking for is personally identifiable
information (PII) such as names, addresses, social security numbers and, most
of all, credit card numbers. Without such information the attackers usually
either go away or they may use your site to serve up malware, such
You can block subnets. On a couple of domestic sites, I have even blocked all
requests from ALL OF ASIA (or close). While I know this is a drastic
measure... all SQL Injection (and other hack) attack attempts were reduced
by 98% with that done.
Here is a link that describes how to do
A very quick and dirty possible solution is to check the CGI.QUERY variable and see
if it contains specific SQL keywords that would not normally be in a search,
and either cfabort if it does and/or send yourself an email alerting you of the
possible attack.
From: Dean H. Saxe
Sent: Friday,
Sending an email every time that you have some sort of attempt is a really
great way to turn a SQL Injection attack into a Denial of Service attack that
you are doing to yourself.
From: John Youngman j...@jg-technologies.net
To: discussion@acfug.org
Sent:
DITTO!!
_
Derrick Peavy
derr...@derrickpeavy.com
404-786-5036
“Innovation distinguishes between a leader and a follower.” -Steve Jobs
_
On Nov 20, 2009, at 12:16 PM, Wes Byrd wrote:
Just FYI on this latest wave of SQL injection and XSS attacks. It's
nothing new, just some are seeing a new wave come across. Some are ASCII
encoded strings and some are not. I did a tweet and pointed to an
earlier blog post on this topic. As always, I can only repeat again that
developers
Thanks for the help. I understand how to do that part, but my question is more
how do I get the packet from my server to their server, and then read it?
That is the part I'm disconnecting on. I have all the code written except
for that step. I have already deserialized and converted into a query
Something like:
<!---
I would perform a prevalidation of the file path being passed to ensure you
are getting a valid string that is not being tampered with.
--->
<cffunction name="loadWDDXFile"
    access="public"
    output="false"
    returntype="query">
Jeff,
My code snippet is as is as I wrote it ad hoc without testing it against a
live file and off of memory, but the general idea is there.
Teddy
Thanks, I'll work with it and see what I can get going. Thanks again.
On Fri, Nov 20, 2009 at 2:45 PM, Teddy R. Payne teddyrpa...@gmail.com wrote:
Jeff,
As this is for the demo, you probably want to load all your data at
OnApplicationStart into either application scoped query variables or query
objects, to avoid reading your data more than once per application
instantiation. Put into the demo or installation instructions with the
caveats
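The approach Teddy describes (ship a WDDX file with the demo, load it once in onApplicationStart into application-scoped queries), written out as an added example that is not the thread's own code. It assumes a "data" folder beside Application.cfc containing customers.wddx, which the sending side produces with exportQueryToWDDX(); the component and function names are mine.

```cfml
<!--- Application.cfc: added example, not the thread's own code. It assumes a
      "data" folder beside Application.cfc holding customers.wddx, produced by
      exportQueryToWDDX() on the sending side. --->
<cfcomponent output="false">
    <cfset this.name = "wddxDemo">
    <cfset this.applicationTimeout = createTimeSpan(1, 0, 0, 0)>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Build the path from the app's own directory: no hard-coded drive
              letters (the cause of the cffile error later in this thread) and
              no user-supplied path. Runs once per application start, so the
              file is read once, not on every request. --->
        <cfset var dataDir = getDirectoryFromPath(getCurrentTemplatePath()) & "data/">
        <cfset application.customers = loadWDDXFile(dataDir & "customers.wddx")>
        <cfreturn true>
    </cffunction>

    <!--- Sending side: serialize a query to a WDDX packet and write it to disk.
          Ship the resulting file with the demo instead of a datasource or a password. --->
    <cffunction name="exportQueryToWDDX" access="public" returntype="void" output="false">
        <cfargument name="qry" type="query" required="true">
        <cfargument name="filePath" type="string" required="true">
        <cfset var packet = "">
        <cfwddx action="cfml2wddx" input="#arguments.qry#" output="packet">
        <cffile action="write" file="#arguments.filePath#" output="#packet#" charset="utf-8">
    </cffunction>

    <!--- Receiving side: read the packet back into a query, checking the path
          and the packet before trusting either (Teddy's prevalidation point). --->
    <cffunction name="loadWDDXFile" access="private" returntype="query" output="false">
        <cfargument name="filePath" type="string" required="true">
        <cfset var packet = "">
        <cfset var result = "">
        <cfif listLast(arguments.filePath, ".") NEQ "wddx" OR NOT fileExists(arguments.filePath)>
            <cfthrow type="Demo.DataFile" message="Missing or unexpected data file: #arguments.filePath#">
        </cfif>
        <cffile action="read" file="#arguments.filePath#" variable="packet" charset="utf-8">
        <cfif NOT isWDDX(packet)>
            <cfthrow type="Demo.DataFile" message="File is not a WDDX packet">
        </cfif>
        <cfwddx action="wddx2cfml" input="#packet#" output="result">
        <cfif NOT isQuery(result)>
            <cfthrow type="Demo.DataFile" message="Packet did not contain a query">
        </cfif>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

Pages then read `application.customers` directly (or filter it with a query of queries) and never touch a datasource; if the data file changes, restart the application rather than re-reading the file per request.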
Teddy,
Now that I'm actually working on what you sent, I notice that it is not too
different from what I was trying to do already, but I keep getting an error
thrown on the cffile function.
An error occurred when performing a file operation read on file
I think the issue with this may be the timing. I am trying to send them a
self-contained simple demo app and trying to keep from having to set up
datasources and/or sending them passwords to the db on my end. I thought it
would be easy using wddx but I have the one hiccup of getting them the
I think that is exactly what I am trying to do if I can just figure out the
wddx issue. I just can't seem to get the data to read into the application.
On Fri, Nov 20, 2009 at 2:57 PM, Teddy R. Payne teddyrpa...@gmail.com wrote:
Jeff,
I just did a successful test. I think I know your issue. How are you
saving your file?
Are you using GetTempDirectory()?
Here is my quick and dirty test:
<cfset foo = createObject("component", "dataService") />
<cfset qry = foo.dataSearch("lastname", "smith") />
<cfwddx action="cfml2wddx"
Sorry Teddy, I missed this. I tried the getTempDirectory thing as well and
it was throwing the same error. The issue was definitely my cffile tag and
not the data. I had the wrong drive in my cffile tag and once I corrected
that it worked. I could not get it to work with using the
Not a problem and glad that you remediated the issue and were able to move
forward. =)
Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com
On Fri, Nov 20, 2009 at 4:09 PM, Jeff Howard jeh...@gmail.com wrote:
Yeah sure, you CAN, but its not the solution to the problem. On a recent
incident response we had attacks originating from asia, south america and
europe. Do you plan on blocking them all?
-dhs
--
Dean H. Saxe
A true conservationist is a person who knows that the world is not given by
his
And also a very bad solution. Blacklists don't work. Whitelists and
parameterized queries do. And this won't stop POST based attacks.
--
Dean H. Saxe
A true conservationist is a person who knows that the world is not given by
his fathers, but borrowed from his children. -- John James
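The two points made in this thread, that the fix is validating input and parameterizing queries rather than blocking addresses or filtering keywords, and Dean's note that whitelists and parameterized queries work where blacklists do not, shown side by side as an added ColdFusion example (not code from any poster). It assumes a datasource "demoDSN" and a "customers" table with columns id, lastname, city and created; the function names are mine. It uses the form scope because the same reasoning applies to POST data, which a query-string keyword check never sees.

```cfml
<!--- Added example, not from the thread. Assumed datasource "demoDSN" and a
      "customers" table with columns id, lastname, city, created. --->

<!--- VULNERABLE: the search term and the sort column are pasted straight into
      the SQL text. A keyword blacklist on the request does not fix this; the
      statement is still assembled from attacker-controlled strings. --->
<cffunction name="searchVulnerable" access="public" returntype="query" output="false">
    <cfargument name="lastname" type="string" required="true">
    <cfargument name="sortBy" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="demoDSN">
        SELECT id, lastname, city
        FROM   customers
        WHERE  lastname = '#arguments.lastname#'
        ORDER BY #arguments.sortBy#
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- HARDENED: the value is bound with cfqueryparam, so the database receives
      it as a typed parameter and never parses it as SQL. A column name cannot
      be bound as a parameter, so it is whitelisted: the request may only pick
      one of a fixed list, and the list's own spelling is what reaches the SQL. --->
<cffunction name="searchSafe" access="public" returntype="query" output="false">
    <cfargument name="lastname" type="string" required="true">
    <cfargument name="sortBy" type="string" required="false" default="lastname">
    <cfset var q = "">
    <cfset var allowedSort = "lastname,city,created">
    <cfset var pos = listFindNoCase(allowedSort, arguments.sortBy)>
    <cfset var orderCol = "lastname">
    <cfif pos GT 0>
        <cfset orderCol = listGetAt(allowedSort, pos)>
    </cfif>
    <cfquery name="q" datasource="demoDSN">
        SELECT id, lastname, city
        FROM   customers
        WHERE  lastname = <cfqueryparam value="#arguments.lastname#"
                                        cfsqltype="cf_sql_varchar" maxlength="100">
        ORDER BY #orderCol#
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- Handling a POST: values come from the form scope, which a CGI.QUERY_STRING
      keyword check never inspects. --->
<cfparam name="form.lastname" default="">
<cfparam name="form.sortBy" default="lastname">
<cfset results = searchSafe(form.lastname, form.sortBy)>
```

Blocking a subnet or an IP changes nothing in either function; only the second one is safe regardless of where the request originates, which is the sense in which the thread says you cannot stop the attempts but can make them fail.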