Reputation: 9621
I have an ASP.NET site... In the last few days, I saw in my logs that I'm being attacked with SQL injection like:
Exceptia: Error Caught in Application_Error event Error in: http://gramma.ro/Site/DetaliiProdus.aspx?c=m1&p=1465&s1=45&s2=79/**/or/**/1=@@version))--
Of course this will throw an exception, because I check the parameters before doing any SQL query:
Error Message:Input string was not in a correct format.
For all these exceptions I redirect the user to a specific error page.
Of course, these attacks do not affect me right now (I'm using parameterized SQL commands), but I am taking the IPs and putting them in IIS - IP Address and Domain Restrictions so that the IP can no longer access my site.
My question: is there anything else I can do? It seems that this malicious user, even if I block his IP, goes and tries the same attack from another IP (I have blocked about 6 IPs in the last 3 days, which is quite ugly...). Can you suggest anything else I should do?
UPDATE: All these attacks put /**/or/**/1=@@version instead of a query parameter value, so I am pretty sure the attack is NOT a random issue from the users but a real SQL injection attack. The problem is that these IPs are from different locations, so I cannot report them to some internet providers or hosting companies...
Upvotes: 4
Views: 4453
Reputation: 1
Use stored procedures in your application, so that you can prevent SQL injection, because stored procedures accept only the limited parameters described by the developer.
Upvotes: 0
Reputation: 33183
This will provide protection against the single request you've shown. To properly protect against SQL injection, parameterize all queries and, to the extent you can, validate user input parameters.
In my code, I actually go further and throw exceptions on any unexpected query strings, which makes API discovery (which is what this attack is) much more difficult.
Add this to global.asax:

    void Application_BeginRequest(object sender, EventArgs e)
    {
        // Look at the full request URL (path plus query string) before any page code runs.
        string url = HttpContext.Current.Request.Url.ToString();

        // Answer the probe with a plain 400 instead of letting the page throw a
        // format exception and redirect to the error page.
        if (url.Contains("@@version"))
        {
            throw new HttpException(400, "Bad Request");
        }
    }
Upvotes: 2
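One way to put the "reject unexpected query strings" idea from this answer into practice, as an added example that is not the answer's own code: a per-page allow-list checked in Application_BeginRequest, so the request from the question (s2=79/**/or/**/1=@@version))--) is refused because the value has the wrong shape, not because it contains one fixed substring. The page path and parameter names are taken from the logged URL; the value shapes (c a short alphanumeric code, p/s1/s2 small integers) and the QueryAllowList class and Validate method are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

public static class QueryAllowList
{
    private static readonly Regex SmallInt = new Regex(@"^\d{1,9}$");
    private static readonly Regex ShortCode = new Regex(@"^[A-Za-z0-9]{1,8}$");

    // Page path -> accepted parameter names and the shape each value must have.
    // Entry assumed from the URL in the question; value shapes are assumptions too.
    private static readonly Dictionary<string, Dictionary<string, Regex>> Expected =
        new Dictionary<string, Dictionary<string, Regex>>(StringComparer.OrdinalIgnoreCase)
        {
            { "/Site/DetaliiProdus.aspx", new Dictionary<string, Regex>(StringComparer.OrdinalIgnoreCase)
                { { "c", ShortCode }, { "p", SmallInt }, { "s1", SmallInt }, { "s2", SmallInt } } }
        };

    // Returns null when the query is acceptable, otherwise a short reason for the log.
    // Kept free of HttpContext so it can be unit-tested directly.
    public static string Validate(string path, NameValueCollection query)
    {
        Dictionary<string, Regex> allowed;
        if (!Expected.TryGetValue(path, out allowed))
            return null; // pages not listed keep their existing checks

        foreach (string key in query.AllKeys)
        {
            Regex shape;
            if (key == null || !allowed.TryGetValue(key, out shape))
                return "unexpected parameter '" + key + "'";
            if (!shape.IsMatch(query[key] ?? ""))
                return "malformed value for '" + key + "'";
        }
        return null;
    }
}

// global.asax hook: a rejected request gets a plain 400 before any page code runs.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest req = HttpContext.Current.Request;
        string reason = QueryAllowList.Validate(req.Path, req.QueryString);
        if (reason != null)
            throw new HttpException(400, "Bad Request"); // log reason + req.UserHostAddress here
    }
}
```

Logging the reason together with the client address gives a cleaner signal for the IIS restriction list than the generic "Input string was not in a correct format" exception from the page.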