OVERVIEW
Internet security is an increasingly important requirement of any application that resides on the Internet. Internet Software Sciences reviews potential security issues and responds to them accordingly. Back in 2003, a Web+Center user identified a potential security vulnerability in the Web+Center software that we carefully reviewed. As a result, we added an extensive set of routines to thwart this kind of attack and even immediately notify Web+Center administrators of such occurrences.
The particular form of attack is loosely referred to as SQL injection and most database driven web-applications are vulnerable to it unless active measures are taken to protect against it.
Wikipedia defines SQL Injection as:
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
EXAMPLE
For example, let’s say you have a simple HTML web-based form that asks for your first name like:
If a user enters a form field value of “John”, the application may pass the value directly to the database by creating and executing a SQL query of the form:
SELECT * From Users where FirstName='John'
Some database systems permit multiple SQL commands within a single SQL statement by separating them with semi-colons or double dashes. If a user enters a form field value of “John;DROP TABLE Users”, with the added semi-colon and the “DROP TABLE Users”, a form entry of:
Could create a database query of:
Select * from Users where FirstName='John';DROP TABLE Users
This will result in both SQL commands being executed – the second one of which destroys a whole table within the database.
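The difference between pasting a form value into the SQL text and binding it as a parameter can be seen with an in-memory SQLite database. This is an added example, not Web+Center code: the function names, the sample rows and the constructed input value are assumptions, and `executescript()` stands in for a database driver that accepts several commands per call.

```python
import sqlite3

# Constructed input in the style of the example above.
HOSTILE = "John';DROP TABLE Users--"

def new_db():
    """In-memory stand-in for the Users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (FirstName TEXT)")
    db.executemany("INSERT INTO Users VALUES (?)", [("John",), ("Mary",)])
    db.commit()
    return db

def users_table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()
    return row[0] == 1

def lookup_concatenated(db, first_name):
    """Vulnerable pattern: the form value becomes part of the SQL text."""
    sql = "SELECT * FROM Users WHERE FirstName='" + first_name + "'"
    # executescript() runs every statement it finds in the text.
    db.executescript(sql)
    return sql

def lookup_parameterized(db, first_name):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    cur = db.execute("SELECT FirstName FROM Users WHERE FirstName = ?", (first_name,))
    return [r[0] for r in cur.fetchall()]

def demo():
    unsafe_db, safe_db = new_db(), new_db()
    lookup_concatenated(unsafe_db, HOSTILE)
    rows = lookup_parameterized(safe_db, HOSTILE)
    return {
        "table_survives_concatenation": users_table_exists(unsafe_db),
        "table_survives_parameterized": users_table_exists(safe_db),
        "rows_for_hostile_value": rows,
        "rows_for_john": lookup_parameterized(safe_db, "John"),
    }

if __name__ == "__main__":
    print(demo())
```

With a bound parameter the whole input is compared against FirstName as a literal string, so it matches no row and the table is untouched.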
Web+Center SQL-Injection checking and alert routines
Several SQL-injection prevention and notification routines were developed to prevent form-based SQL-injection abuses and to immediately notify administrators of potential threats. These routines provide useful diagnostic information to Web+Center administrators, with customer, tech or IP tracing info to help track and analyze potential security events and the hacker. They can also help to identify attacks or user mistakes.
A special module called Valid_Data_Check.inc, located in the language directory, contains the routines that do extensive data validation for SQL injection. These routines are called in many of the Web+Center form interfaces to prevent SQL-injection abuses. You can add further data verification routines to this module if needed.
If a potential SQL-injection violation is found, processing of that form aborts immediately, with no further access to the database, and a special alert notification with the subject line Web+Center Caution – Possible security Violation attempt is immediately emailed to the first administrator-level technician registered in the database with a valid email address.
Our Web+Center support site servers, which also use Web+Center for our external customer support, have had a number of unsuccessful SQL-injection attempts to attack our database. Below is a real email that was recently sent automatically to our company security advisory member by our SQL-injection checking code. This attack was logged from an IP address of 213.6.192.103, which was eventually mapped back to a DSL provider in Palestine. The initial WHOIS inquiry using the Network Solutions WHOIS application returned the fact that this address was registered at the RIPE NCC (Network Control Center) in the Netherlands. A subsequent query to the RIPE whois facility (http://www.db.ripe.net/whois) identified the actual Internet provider of the perpetrator.
If you get emails with the subject line Web+Center Caution – Possible security Violation attempt, they are auto-generated by Web+Center. The cause is either a user possibly attempting SQL injection or an accidental entry of a semi-colon or other special SQL control characters that Web+Center is programmed to scan for in form fields.
You can verify that your SQL-injection checking code is in place by attempting to log into the Tech+center or customer+center with a valid CSS-XXXX or customer Login ID and then entering a password that contains a semi-colon (;). You should be shown a web page that says Invalid Data and requires you to go back and re-enter your information. Your administrator should get an alert email from the Web+Center system.
SAMPLE Security Advisory Message sent from Web+Center
- From: “Customer Support/Help Desk”
- To: “UserX”
- Sent: Sunday, January 11, 2009 3:44 PM
- Subject: Web+Center Caution – Possible security violation attempt
- Caution – this email is an advisory alert that The Web+Center has detected an apparent attempt to compromise system security. A user has entered data into a Form field that might be innocent, but has suspicious characteristics. Relevant details of this action are as follows:
- Suspected Perpetrator = Unknown User Not Yet Logged In
- Date = 1/11/2009
- Time = 3:44:18 PM
- Field Name = Case Number
- Field Value = 549') and 1=convert(int,(select top 1 table_name from information_schema.tables))--sp_password
- Error Code = 4
- -------------------------------
- Cookie Id =
- Form Fields =
- Local Address = 168.143.174.18
- Path_Info = /ISSSupportCustomerV5/ViewCase.asp
- Query_String = Casenum=549%27)%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password
- Remote_Address = 213.6.192.103
- Remote_Host = 213.6.192.103
- Script_Name = /ISSSupportCustomerV5/ViewCase.asp
- Server_Name = helpdesk.inet-sciences.com
- URL = /ISSSupportCustomerV5/ViewCase.asp
- -------------------------------
- The meaning of the error code is as follows:
- Error Code = 1 – The string contains a semi-colon.
- Error Code = 2 – The string contains two or more apostrophes.
- Error Code = 4 – The string contains two adjacent hyphens.
- Error Code = 99 – The string resulted in a compromised read of the database.
- These error-codes are additive. Any other error-code value is the sum of two or more of the above codes.
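The additive error codes listed in the advisory correspond to three string tests, which the following added example reproduces and runs against the Query_String from the sample message. It is not the Valid_Data_Check.inc source, which is not shown on this page: the function names are hypothetical, and code 99 is left out because it is not a test on the string itself.

```python
from urllib.parse import unquote_plus

# Values follow the advisory's list. Code 99 (a compromised read of the
# database) is not a string test, so it is not modelled here.
CODES = {
    1: "contains a semi-colon",
    2: "contains two or more apostrophes",
    4: "contains two adjacent hyphens",
}

def check_field(value):
    """Return the additive error code for one form value (0 means clean)."""
    code = 0
    if ";" in value:
        code += 1
    if value.count("'") >= 2:
        code += 2
    if "--" in value:
        code += 4
    return code

def explain(code):
    """Split an additive code back into the individual findings."""
    return [text for bit, text in CODES.items() if code & bit]

def scan_query_string(raw):
    """URL-decode each name=value pair first, then return {name: code} for
    every flagged field. Checking the raw text would miss %27 and %3B."""
    flagged = {}
    for pair in raw.split("&"):
        name, _, value = pair.partition("=")
        code = check_field(unquote_plus(value))
        if code:
            flagged[unquote_plus(name)] = code
    return flagged

# Query_String from the sample advisory (line-wrap space removed).
SAMPLE_QUERY = (
    "Casenum=549%27)%20and%201=convert(int,(select%20top%201%20table_name"
    "%20from%20information_schema.tables))--sp_password"
)

if __name__ == "__main__":
    for field, code in scan_query_string(SAMPLE_QUERY).items():
        print(field, code, explain(code))
    # Constructed inputs: a harmless name with a semi-colon still trips code 1.
    print(check_field("O'Brien; Jr"), check_field("it's John's; --"))
```

The sample value has a single apostrophe and no semi-colon, so only the adjacent-hyphens test fires, matching the Error Code = 4 reported in the message.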
Conclusions: Internet Software Sciences has carefully developed its code to create a stable and secure suite of web-based applications while offering flexible and customizable code options. The most important preventative step you can take as a Web+Center configurator for recovery from potential hackers is to BACKUP your Web+Center application directory (typically installed in c:\Program Files\Internet Software Sciences\Web+Center 6.0\) and any other folders that contain Web+Center files on a frequent basis and then (even more important) back up your database (either Access MDB file or your SQL*Server database) on a daily basis.
Then, on an occasional basis, make sure that the backups you saved are in fact usable. Many people save backup copies regularly – only to find they are unusable (for any number of reasons) when the time comes.
From that application folder and the database backup, you can recover the complete environment necessary for you to resume operations in case of a loss, either through machine failure or malicious attack.