- Infected sites are ASP.NET sites with SQL Server backends.
- A script link is injected into columns that build the page html.
- The injected link will call yet more Script code from a third party site.
The injected script code looks as follows:
Databases at risk
The reason this attack is so successful is because it automatically finds vulnerable ASP.NET websites with SQL Server backend databases that can be exploited with a simple SQL Injection attack. Some of these sites might have been scoped out in LizaMoon and previous attacks.
Data stored in the database can be compromised not only by the people behind “James Northone” but also by any copycat attackers that run a simple Google query to find the vulnerable websites. Once compromised, the attackers can potentially access any data on the database backing the website, especially if there is no proper separation of duties. For example, on a shopping website, customer data such as email addresses and credit card numbers might be at risk.
How can I ensure that my organization is protected?
There is no easy workaround for the database component of this threat besides fixing the SQLi vulnerabilities on the site and employing the best practices mentioned below. However, employing a database activity monitoring solution will help to address this issue.
This and most other SQL Injection attacks are a case study in poor coding and database configuration practices. When web applications are written correctly and their backend databases are managed against vulnerabilities, SQL injections are proactively prevented. I recommend that organizations take the following steps to protect their site visitors, web applications and database assets:
1. First and foremost, web applications should be reviewed to insure proper input validation on web forms and URL parameters. Database queries to the backend database, especially SELECT, INSERT and UPDATE queries should never be created by simply concatenating a SQL query string with input from web form fields. The input should be sanitized and then parameterized queries should be used to interact with the database.
Note: ASP.NET does this by default. A web developer actually has to bypass some of the features, or disable some default security configurations to make a site vulnerable.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.