SQL Injection Attacks and Data Thief

Although I wouldn't consider myself a SQL Server expert, like any good developer, I know my way around stored procedures, database normalization, and proper indexing techniques. Occasionally, I get questions from customers about SQL injection attacks. The questions are usually along the lines of: "What is SQL injection?" or "Is it really a big concern?" I can tell you that it is a very big concern, and if you're writing web applications (on any platform), it would be irresponsible not to familiarize yourself with the exploit.

Mike Gunderloy's The Daily Grind 533 references a good introductory article titled SQL Injection Attacks by Example by Stephen J. Friedl. Although the article is posted on a Unix tech tips site, its content is nonetheless germane to almost any web application on any platform. His example illustrates a SQL injection exploit on IIS 6, ASP.NET, and SQL Server.

Here are some other resources that I typically forward to curious developers:

But, if you really want to freak out (or if you want to demonstrate to management how critical it is to worry about such issues), download the free proof-of-concept tool called Data Thief from Application Security, Inc. and a related whitepaper titled Manipulating Microsoft SQL Server Using SQL Injection. I saw this tool demonstrated at an internal security event, and the first thing that popped into my mind was: "This is Enterprise Manager for hackers." Scary stuff.

Comments (5)
  1. Peter Blum says:

    Last year, when Microsoft’s ASP.NET Roadshow and DevDays visited Boston, the speakers emphasized SQL Injection and Cross-site scripting attacks. (We’re talking about hours on the topic.) With such a large audience and a traveling event like these, I would have thought it inspired the masses.

    As the author of Professional Validation And More, a replacement to the Microsoft validators, I thought I’d participate by building new Validator controls and tools that reflected the issues mentioned not only by Microsoft but by the same articles you point out.

    While my "Visual Input Security" has been out since September, it has been met with very little interest, even after last month’s 5 star 3 page review in aspNetPRO magazine from Don Kiely. Even from my large Professional Validation And More user base who are very enthusiastic of my work.

    It tells me that people are ignoring the issue, hoping it will go away, and when they address it, they take the simplest solution, such as stripping out the single quote character. As I learned from reading those articles, there is so much more to input security. Users will protect their textboxes but not their cookies, querystring parameters and hidden fields. Any hole in the page will be tracked down by the hacker, who enjoys these challenges.

    My own solution was to build a report that runs after the page is generated, showing all of the inputs used and the exact validation and neutralization applied to each. It gives each a rating for security with SQL and Script injection.

    It doesn’t matter whether people buy my software. It DOES matter that they are doing the right thing to protect themselves. So Michael, thanks for speaking up about this.
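    Peter's point about quote-stripping, as an added example that is not part of the original post or any commenter's code: a concatenated query on a numeric column beside a parameterized one, run against a constructed in-memory SQLite table that stands in for SQL Server (in ADO.NET the bound parameter corresponds to a SqlParameter on the SqlCommand). The input string is treated as something that arrived from a querystring, cookie or hidden field.

```python
import sqlite3

# Constructed in-memory table standing in for the SQL Server data the post discusses.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
CONN.executemany(
    "INSERT INTO orders VALUES (?, ?, ?)",
    [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.25)],
)


def strip_quotes(value: str) -> str:
    """The 'simplest solution' from the comment: drop single quotes."""
    return value.replace("'", "")


def lookup_concat(order_id: str) -> list:
    """Vulnerable: builds SQL by string concatenation.

    The column is numeric, so the value is not wrapped in quotes; stripping
    quotes changes nothing, and any SQL text in the input becomes part of
    the WHERE clause instead of being compared as a value.
    """
    sql = "SELECT id, customer FROM orders WHERE id = " + strip_quotes(order_id)
    return CONN.execute(sql).fetchall()


def lookup_param(order_id: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text.

    Whatever the string contains, the statement the engine parses is fixed;
    a non-numeric value simply matches no row.
    """
    return CONN.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def lookup_validated(order_id: str) -> list:
    """Belt and braces: reject anything that is not an integer before the
    query runs, then still bind it as a parameter."""
    if not order_id.isdigit():
        raise ValueError("order id must be a positive integer")
    return lookup_param(order_id)


if __name__ == "__main__":
    print(lookup_concat("2"), lookup_param("2"))
    print(len(lookup_concat("2 OR 1=1")), "rows via concat;",
          len(lookup_param("2 OR 1=1")), "rows via parameter")
```

The same comparison holds for text columns: escaping is engine-specific and easy to get wrong, while a bound parameter never reaches the SQL parser as statement text.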

  2. Jon Galloway says:

    SQL Injection isn’t just about stealing data, either. Here’s a story I heard about where a trigger was added to cause an outage in an order processing system: http://weblogs.asp.net/jgalloway/archive/2004/05/05/126958.aspx

    Peter – I’m trying to sell your VIS package to my boss. Managers usually like to view this as "that danged single quote thing"; I’m lucky to have a boss who knows better.

  3. Mark Kent says:

    Hi Mike,

    I work as a System Engineer at a major ISP company and we are hosting a large number of legacy ASP applications which contain SQL Injection flaws. I always suggest that clients solve the problem by hardening the source code, but 9 out of 10 times they don’t have the resources. I have been using this tool when clients agree:


    So far it seems to be working and I have not had problems, except that I cannot install it on 64-bit Windows. Have you heard about this tool? Is there a way to make it work on 64-bit? The source code is there but I am not good at C++.


    P.S.: I am not using my real name to avoid problems with my clients.
