If you develop custom applications and use SQL, you or your development team are likely familiar with Rapid7. If not, the short of it is this: Rapid7 and its Unified Vulnerability Management platform, NeXpose, offer network, database and web application vulnerability management for enterprise deployments and small to medium businesses. With the recent SQL injection attacks aimed at custom SQL applications, NeXpose offers a check to prevent the attack before it takes place.
[Image: Rapid7 addresses recent SQL injection attacks. (IMG: J. Anderson)]
The “winzipices.cn” SQL injection attack is aimed at web applications built on Microsoft’s IIS web server and SQL Server and has hit over 500,000 websites, including the United Nations, UK Government sites, and the U.S. Department of Homeland Security. The attack takes advantage of the fact that Microsoft’s SQL Server allows generic commands that don’t require specific table-level arguments. The attack injects malicious JavaScript code into every text field in the database. The JavaScript is then rendered in the site’s pages and loads an external script that can compromise a visiting user’s PC.
According to Microsoft, there is no patch to fix the issue: the vulnerability lies in custom ASP code that fails to follow well-established security practices for handling database input. Microsoft also advises that if your site has been affected, you will need to restore your database from a clean backup copy and start reviewing your code to make sure all input is properly sanitized.
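The coding flaw Microsoft describes is string-built SQL. The following is an added illustration, not code from the article, from Rapid7 or from any affected site: it contrasts a query assembled by pasting a request value into the SQL text with the same query using a bound parameter. It uses Python and an in-memory SQLite table (a constructed sample, standing in for the SQL Server back end the article discusses); in classic ASP the equivalent safe form is an ADODB.Command with declared parameters rather than a concatenated string.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data: a tiny product table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("widget",), ("gadget",), ("gizmo",)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, term):
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, term):
    """Parameterised pattern: the SQL text is fixed and the value is bound
    separately, so it is only ever treated as data, never as SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = build_sample_db()
    probe = "' OR '1'='1"  # the textbook test string for this class of flaw
    print("unsafe, normal input :", lookup_unsafe(db, "widget"))
    print("unsafe, probe input  :", lookup_unsafe(db, probe))  # every row leaks
    print("safe, probe input    :", lookup_safe(db, probe))    # no row matches
```

The unsafe function returns every product for the probe string because the quote closes the literal and the rest is parsed as a condition; the parameterised function returns nothing, because no product is literally named `' OR '1'='1`. That difference, not escaping individual characters, is what "properly sanitized" input should come down to.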
While NeXpose has always provided the ability to scan custom web applications for SQL injection flaws, the latest update to NeXpose provides an additional check to help locate servers that have been exploited by these recent mass SQL injection attacks.
NeXpose works by crawling a company’s website to identify and fix any web servers and databases affected by the attack. Rapid7 points out that finding an exploited web site is as easy as executing a Google search for the malware name; every affected web site will be listed in the search results.
[Note: This is not always the case as Google can take a while to update search caches. Sometimes sites listed as vulnerable are already correctly patched, and the malicious code removed. –Steve]
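Because a search-engine cache can lag, as the note above says, the reliable check is the database itself: the attack wrote its script tag into text fields, so a scan of every text column for that marker shows directly whether a server was hit and which rows need restoring from backup. The following added example (not NeXpose's check or any code from the article) does that scan in Python over an in-memory SQLite database; the tables, rows and the `example.invalid` script URL are constructed sample data, and the catalog queries (`sqlite_master`, `PRAGMA table_info`) would be `INFORMATION_SCHEMA.COLUMNS` on the SQL Server back end the article describes.

```python
import sqlite3

# Constructed marker: the attack appended a <script src=...> tag to text fields.
SCRIPT_MARKER = "<script"


def build_sample_db():
    """Constructed sample: two tables, one injected row in each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, visits INTEGER);
    """)
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Quarterly results", "Revenue grew 4%."),
        ("Welcome", 'Hello<script src="http://example.invalid/x.js"></script>'),
    ])
    conn.executemany("INSERT INTO users (name, visits) VALUES (?, ?)", [
        ("alice", 3),
        ('bob<script src="http://example.invalid/x.js"></script>', 1),
    ])
    conn.commit()
    return conn


def text_columns(conn, table):
    """Names of the character-typed columns of a table, read from the catalog."""
    cols = []
    # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        if any(tag in ctype.upper() for tag in ("CHAR", "TEXT", "CLOB")):
            cols.append(name)
    return cols


def find_injected_rows(conn, marker=SCRIPT_MARKER):
    """Return (table, column, rowid) for every text value containing the marker.
    Table and column names come from the catalog, never from user input, so
    quoting them into the statement is safe; the marker itself is bound."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY rowid")]
    for table in tables:
        for col in text_columns(conn, table):
            sql = f'SELECT rowid FROM "{table}" WHERE lower("{col}") LIKE ?'
            for (rowid,) in conn.execute(sql, (f"%{marker.lower()}%",)):
                hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid in find_injected_rows(db):
        print(f"injected script in {table}.{col}, rowid {rowid}")
```

A non-empty result means the server was exploited and the "restore from a clean backup, then fix the code" advice applies; an empty result on a site that a search engine still lists simply reflects a stale cache. Run the scan against a copy of the database rather than the live one, since the same injection flaw that let the attack in is still present until the ASP code is fixed.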
“Because this is an automated SQL Injection attack, this is a critical security issue for all companies using Microsoft IIS. Once an attacker has access to the underlying database via SQL injection, it is often possible for an attacker to escalate his privileges and attack the underlying operating system that hosts the database. These vulnerabilities open the door for hackers to easily access corporate networks and customer data,” stated Tas Giakouminakis, CTO of Rapid7. “Because this is an automated attack, the list of exploits will continue to grow and we expect the automated attack to continue to evolve and for more and more servers to be targeted in the coming weeks.”
More information: http://www.rapid7.com/