URL SQL Injection Attacks
Jason101
Forum Regular

Joined: 14 Mar 2006
Posts: 548
Location: Harrisburg, PA
Here's one for ya.

I've been getting a lot of attempted SQL injection attacks. People are passing long web URLs like:
http://www.fabcraft.co.uk/forum/lovuqo/zil/

into my "BrandID" or "CategoryID" URL param and it is blowing up my site because the <cfqueryparam> is enforcing the data type. I probably get 4 dozen errors a day, and each attempt contains a different URL. And if you visit any of the URLs, they all just output text that reads:


<?php echo md5("just_a_test");?>


I know what the whole md5 stuff is, but why just echo that string? What are they trying to accomplish? And why PHP to a ColdFusion site? Granted, these are only select statements they are hitting, so they wouldn't get anywhere.

Strange...
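A defender-side triage script for the pattern Jason describes, added here as an example that is not from the thread: it scans constructed Apache-style access-log lines for query parameters whose value is itself an absolute URL, and groups the hits by source IP so a day's worth of errors reads as a few distinct sources and payload hosts. The log format, the IPs and the second host are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
# Lines 1-2 carry a full URL in BrandID/CategoryID, like the requests in the post;
# line 3 is an ordinary request. IPs and the second host are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:12:01:13 +0000] "GET /products.cfm?BrandID=http://www.fabcraft.co.uk/forum/lovuqo/zil/ HTTP/1.1" 500 1203 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/Mar/2009:12:01:15 +0000] "GET /products.cfm?CategoryID=http://example.net/x/ HTTP/1.1" 500 1203 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2009:12:02:40 +0000] "GET /products.cfm?BrandID=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request target, status code, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter whose value is itself an absolute URL is the signature of this probe.
URL_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def find_url_params(target):
    """(param, value) pairs in the request target whose value is an absolute URL."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if URL_SCHEME_RE.match(v)]

def scan_log(text):
    """One record per request that smuggles a URL into a query parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for param, value in find_url_params(m["target"]):
            hits.append({"ip": m["ip"], "param": param, "status": int(m["status"]),
                         "remote_host": urlsplit(value).netloc, "ua": m["ua"]})
    return hits

def summarize(hits):
    """Group by source IP: probe count, parameters abused, hosts the payloads point at."""
    by_ip = defaultdict(lambda: {"count": 0, "params": set(), "remote_hosts": set()})
    for h in hits:
        by_ip[h["ip"]]["count"] += 1
        by_ip[h["ip"]]["params"].add(h["param"])
        by_ip[h["ip"]]["remote_hosts"].add(h["remote_host"])
    return {ip: {"count": e["count"], "params": sorted(e["params"]),
                 "remote_hosts": sorted(e["remote_hosts"])} for ip, e in by_ip.items()}
```

Pointing this at a real log gives a short list of source IPs and the hosts they are trying to pull content from, which is what you need for a block list or an abuse report.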
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
They're starting with that for the sake of only testing for vulnerabilities. It's quick and simple and will provide them with what they "need" to continue their efforts.

As far as these attempts causing your app to bomb, how about including some error handling into your app? You can start with Try/Catch.

Code:
<cftry>
   <!--- cfqueryparam only works inside a cfquery; the table and datasource names here are placeholders --->
   <cfquery name="getItems" datasource="#application.dsn#">
      SELECT * FROM Items
      WHERE BrandID = <cfqueryparam value="#theValue#" cfsqltype="cf_sql_char">
   </cfquery>
   <cfcatch type="any">
      <!--- End page processing, redirect back to the form page, provide a default cfparam value, whatever! --->
   </cfcatch>
</cftry>


Also, I commend you on using parameterized queries. There are A LOT of CF "coders" out there that still concatenate.