Browsing Security with NoScript

While working (or actually just playing around) with the infamous SQL injection attacks seen around lately, I think it is worth mentioning that, being a developer, the security of your browser and your own PC is also important, or as important as securing your web servers and databases.

Since some (most) of its variants involve a JavaScript file which in turn creates an iframe that communicates with another server to serve whatever malicious things they want to happen in the background (I didn't really bother finding out what it was doing, rather just how to get rid of or prevent them), I think it is worth mentioning that simply opening those compromised pages could break your own browser or machine too, and even make you an accomplice in their deeds. Since it's not uncommon for developers to be developing using admin accounts, we are more susceptible than typical non-power users **. That's where NoScript for Firefox comes in. There are lots of reviews and arguments about Firefox vs. IE security, but I find it hard to block JavaScript in IE, and besides, I've been very satisfied with Firefox and NoScript (though my doors are never open).

For those of you who haven't heard of NoScript before, it's a Firefox add-in which lets you allow or deny, permanently or temporarily, JavaScript/Java/Flash among other objects for the web sites that you open. It can be found at the following link: NoScript homepage. It's developed by Giorgio Maone who, if I may say, is doing a good job of continually improving it (new releases come out very often).

So there, do yourself and the world a favor and read about your browser's security, and at least know how to filter JavaScript. Every browser that is a little more secure is a step towards a safer web.

** Yes, I know, no-admin and least privilege stuff – but let's face it, not everyone has been successful in completely following those. I'm guilty of this, but yes, I'm getting there, plus not to mention that's what my purchased Acronis True Image is for 🙂 Hopefully more posts on this topic next time.

SQL injection attacks – banner82 script


UPDATE (6/19/2008): For both IT people and end users, please spend time reading through this (if not here then at least from other sites, just be sure you are aware nevertheless) if you aren't that aware yet, since this exploit has been continually spreading despite numerous warnings already made on the web. For developers, please feel free to comment, add or correct any information you think would further benefit others. For end users, I would still recommend knowing more about this issue, how to protect yourself and how to stop yourself from being part of spreading it. The link to the following section might be of interest to you: browser and anti-spy software

UPDATE (6/27/2008): Came across Scrawlr, an SQL injection detection tool from HP that is available for free. There probably are other (better) tools available, but this is the one I ran into so far. Also, a tool named UrlScan from Microsoft TechNet was suggested by Jax (see comments). It can be used to screen/limit request information being sent to your site, the same way that http.sys does for IIS 6 or later. You may want to have a look.

There seem to be a number of SQL injection attacks happening lately that involve adding <script tags referencing banner82.org/b.js, adword71.com/b.js (and the like) to entries in string/text/varchar columns in the database, targeting ASP (classic/3.0) sites and SQL Server. Note, they need not know your table or column names to mess with you.

I definitely do not wish to play cops and robbers here, but I wish to contribute a little on this. There are a number of articles on this (read along) and even more on preventing/cleaning SQL injection and other related exploits such as cross-site scripting, so help yourself. 😀

It generally works by appending a string (URL-encoded SQL script) to the URL/query string. When it gets to the server, that string is URL-decoded (automatically), and if the target site/application is susceptible to SQL injection (generally by concatenating and dynamically building the SQL query), then the passed SQL script will unknowingly be executed against the database and will cause some text to be appended to string/text fields. This is not limited to INSERT/UPDATE operations made against the database but also applies to SELECT (i.e. even if your site/application only issues SELECT queries but is not coded to prevent this, it will still be vulnerable).
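As an added illustration (not from the original post) of the path just described, here is a small Python/SQLite model of a classic-ASP style lookup that concatenates the URL-decoded id parameter into a batch, beside the parameterized form from the remediation list further down. The articles table, its sample rows and the appended statement are all constructed for this example.

```python
import sqlite3
from urllib.parse import parse_qs, quote

# Constructed stand-in for an ASP site's SQL Server tables (SQLite in memory here).
SEED = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(255), body VARCHAR(4000));
INSERT INTO articles VALUES (1, 'Welcome', 'First post');
INSERT INTO articles VALUES (2, 'News', 'Second post');
"""

# Constructed value shaped like the post describes: SQL tacked onto the id parameter that
# appends a script tag to a text column (SQLite concatenates with ||, SQL Server with +).
INJECTED = "1; UPDATE articles SET body = body || '<script src=[x]></script>'"
HOSTILE_QS = "id=" + quote(INJECTED)   # URL-encoded, as it travels in the query string
BENIGN_QS = "id=2"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED)
    return conn

def request_id(query_string):
    """The web server URL-decodes the query string automatically (Request.QueryString)."""
    return parse_qs(query_string)["id"][0]

def lookup_concat(conn, query_string):
    """Vulnerable: the decoded value is concatenated into the statement, classic ASP style.
    ADO runs the whole batch; sqlite3's executescript() does the same, so the appended
    UPDATE runs even though this page only meant to SELECT."""
    sql = "SELECT title FROM articles WHERE id = " + request_id(query_string)
    conn.executescript(sql)
    return sql

def lookup_param(conn, query_string):
    """Hardened: data-type validation plus a bound parameter; the request value can
    only ever be data, never part of the statement."""
    raw = request_id(query_string)
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (int(raw),)).fetchone()
    return row[0] if row else None

def tainted_rows(conn):
    """Cleanup-side check: how many rows already carry an injected script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE '%<script%'").fetchone()[0]

if __name__ == "__main__":
    db = fresh_db()
    print(lookup_concat(db, HOSTILE_QS))
    print("tainted rows after concatenation:", tainted_rows(db))          # 2
    print("parameterized lookup:", lookup_param(fresh_db(), BENIGN_QS))  # News
```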

I'm almost sure other variants will pop up here and there (those who did this are IMHO brilliant, which doesn't change the fact of course that what they're doing is wrong), but I think being aware is more than a good start.

Here is more information on the issue and an SQL script to help cleanse the affected data. You can run it against your SQL Server database as it is, but I would recommend you seek the help of at least a developer with SQL knowledge. Also, please feel free to drop me a message/email if necessary. I'd be glad to help any way I can.

/*
NOTE: this is a patch created only by reversing the effect of the SQL script
in one known variant of the exploit. It is not tested as a generic RemoveText stored procedure.

Also use with caution, as this procedure will remove the text specified without further checks
as to whether it is indeed an exploit or valid data (e.g. if you are applying this to a forum
database which may contain valid entries with the <script string/text, they will be removed unconditionally).

Always back up your database before any patches, and verify data after the patch.
There is also no guarantee that this will completely remove the unwanted text if the variant
used for the exploit uses another approach (such as those involving NTEXT, TEXT columns).

Finally, this is only to cleanse already compromised data and doesn't prevent SQL injection.
There are many articles doing that already, but to point out a few, please check these links:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html

Solutions could involve (short and long term):
1. changes in code to validate input (deny request variables with blacklisted keywords)
2. this (cleansing of data)
3. reduce access of the database user account to only what is necessary to perform what's needed. See the DENY keyword in SQL.
   - generally DENY access to system tables, views, procedures et al and allow only
     access to user defined objects. For this particular variant, DENY access to the sysobjects and
     syscolumns tables in SQL 2000 (views in SQL 2005), but the more system/unused objects that need not
     be accessed directly you can deny, the better.
   - this might take time to properly test which needs to be allowed and thus might require
     testing the whole site again (regression testing), but in typical applications restricting access
     to system objects would not be a problem and is a good idea.
4. more input validation (length validation, data type validation etc.)
5. use stored procedures or parameterized queries (if there is really a need to concatenate)
6. auditing, logging and maybe maintain a blacklist of IPs
7. just a reminder, make sure the web server and database server are secured of course
8. subscribe to Hacker Safe or similar services

Also don't fail to encrypt critical/sensitive information in the database.

There are more comprehensive articles on the web, so please take some time to research and
don't just take my word for it.

Hope this helps.

*/

IF EXISTS (
  SELECT * FROM dbo.sysobjects
    WHERE
      id = OBJECT_ID(N'[dbo].[RemoveText]')
      AND type IN (N'P', N'PC'))
DROP PROCEDURE [dbo].[RemoveText]

GO

CREATE PROC RemoveText
(
  @TextToRemove VARCHAR(4000)
)

AS

-- Double any single quotes in the search text so it can be embedded safely
-- inside the dynamic SQL string literal built below.
DECLARE @Escaped VARCHAR(8000)
SET @Escaped = REPLACE(@TextToRemove, '''', '''''')

DECLARE @T VARCHAR(255),  -- table name
        @C VARCHAR(255)   -- column name

-- Every string column (TEXT = 35, NTEXT = 99, VARCHAR = 167, NVARCHAR = 231) of every user table
DECLARE Table_Cursor CURSOR
FOR
  SELECT a.name, b.name
  FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'u'
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C

WHILE (@@FETCH_STATUS = 0)
BEGIN
  -- NOTE: CONVERT to VARCHAR(4000) truncates longer TEXT/NTEXT values (see the caveats above).
  EXEC(
    'UPDATE [' + @T + ']
    SET [' + @C + '] = REPLACE(CONVERT(VARCHAR(4000), [' + @C + ']), ''' + @Escaped + ''', '''')')
  FETCH NEXT FROM Table_Cursor INTO @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor

GO

/*
Sample usage (see below).
Also replace accordingly. There are exploits which involve a different
.js path (like banner82.com or adword71 et al).
*/

EXEC RemoveText '<script src=[x]></script>'
-- WHERE [x] is a URL/link to a .js and may vary depending on what hit your site

UPDATE (6/19/2008): I would highly recommend securing your browsers using JavaScript/Java/Flash etc. blockers, with adware and spybot protection in place. I had a recent post about Firefox and NoScript at the following link: Browsing Security with NoScript. The security of being able to block JavaScript is significant. There are only a limited number of domains/sites that the add-in recognizes in its whitelist, so even JavaScript from the site itself is blocked (you can allow it easily), let alone hidden JavaScript from 3rd party sites (such as what is seen in this exploit).

Also look into anti-spy products like Spybot Search & Destroy, which would prevent you from accessing known blacklisted domains, among other things. It updates automatically, but if you "immunize" very often, you're increasing the chances of not running into a malicious site. Others include the free Windows Defender for genuine Windows users and Ad-Aware, which offers real-time protection (though I haven't been very successful with this one), and it might also be time to look into getting a personal firewall such as ZoneAlarm Personal Firewall, or you might even want to get the professional editions of whichever you want for added protection.

Other References:

MUST READ: SQL Injection from Microsoft Security Vulnerability Research and Defense Blog

MUST READ: Security Development Lifecycle post on SQL injection (Michael Howard)

Information on these automated attacks from SANS Internet Storm Center

ZDNet on Fast-Fluxing SQL injection attacks executed from the Asprox botnet
(directly related to this exploit)

Filtering SQL injection from Classic ASP – (** restricting access to the objects being exploited such as sysobjects/syscolumns seems like the quickest solution, but feel free to explore this too – note though that IMHO this will have a performance hit on your site)

A more generic Search and Replace script

Button doesn’t postback after clicking Back Button in Firefox

I ran into this behavior (which I think is weird) where a button no longer posts back to the server after I click on Firefox's back button.

I'm not sure if I'm missing some incorrect settings whatsoever, but it works in IE7. I'm hoping someone who runs into this might verify it or have some thoughts on why it behaves that way. Using Firefox 2.0.0.14, ASP.NET 2.0.

Here is my code

ASPX (sorry, no formatting, but it's just a simple page with an ASP button)

<%@ Page AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Button" UseSubmitBehavior="false" /></div>
    </form>
</body>
</html>

Code behind

using System;
using System.Web.UI;

public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        //if (Request.Browser.MSDomVersion.Major == 0) // Non IE Browser?
        //    Response.Cache.SetNoStore(); // No client side caching
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        Response.Write(Guid.NewGuid());
    }
}

1. Load the page

2. Click on the button. The click event handler on the server side runs and a GUID is displayed after the page reloads

3. Click Back button. As far as my machine/browser behaves, no postback happens.

On the other hand, if using IE (7), step 3 still causes a postback.

It does seem that it has something to do with client-side caching, since if you uncomment the code in Page_Load, step 3 causes a postback. The only difference with IE, though, is that if, say, you have a textbox in the same page, you place some text in the textbox and you click the back button, then since no client-side caching is done, you lose the contents of the textbox.

Installed FireBug to get some hints, but for some reason it caused some intermittent behavior. Sometimes it works (posts back), sometimes it doesn't. Not sure though if it's FireBug causing the intermittent behavior, but the "no postback" behavior predates the FireBug installation.

Haven't got the chance to dig deeper into this yet. Gotta get back to work 🙂 I hope I'm just not missing something obvious here…

Resources:

Prevent client caching in browsers other than Internet Explorer

__doPostBack and the Back Button by Rick Strahl – some possibly relevant information, but not quite, since in his case the button click and checkbox changed event both fire on the server side; in my case the page doesn't post back at all.

Link: Recent SQL Injection Attacks

I figured this would be a good reminder. I've known some people who would have thought that just because they create client-side validators and use stored procedures they are no longer vulnerable to SQL injection attacks. Read the full article from the link below; it contains links on how to protect yourself from such attacks too.

You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Full article : SQL Injection Attacks on IIS Web Servers – BillS IIS Blog

Firefox Bookmarks Location and Moving it

It just so happened that I've been asked where Firefox bookmarks are stored a number of times (and I have to admit I also had to look for it the first time), so I figured I'd post it here for everyone's convenience (did the googling for you).

It's usually (by default, I believe) located at C:\Documents and Settings\<your username>\Application Data\Mozilla\Firefox\Profiles where <your username> should obviously be replaced with your Windows login/user name. When you get to this folder you should see some semi-cryptic folder name like "4dw3r4ow.default". Open that folder and you should find bookmarks.html. That's where Firefox stores your bookmark information.

Also, I bring along a cheap 2.5" external drive with me for files et al, so I thought hey, maybe I should save my bookmarks in there too so I have access to them on the machines I use (e.g. home and office). For this I would redirect you to this post by Chris Ilias on customizing the Firefox bookmarks location.

I know, I know, there are a number of ways of storing bookmarks online, but I think the benefit I'm after is that if I have Firefox bookmarks themselves (rather than online bookmarks like del.icio.us or Google Bookmarks – yes there is such a thing), I can use my AutoComplete Manager add-in. That is, when typing in the address bar, the add-in doesn't simply provide suggestions based on words in the URL or bookmark name or page title but on all of them, plus a couple more options on how you want autocomplete to behave. I've been using it for some time and it's working well (not to mention some updates/enhancements here and there). This has been in my FF add-in list for some time along with NoScript and a few others.

Microsoft AdCenter Beta Programs

I just got an email from Microsoft Media Information regarding an invitation to join Microsoft adCenter Analytics in its beta stage (the MS equivalent of Google Analytics).

I'm not sure where I got this information before (likely before this blog was in place, otherwise I would have put it in my "notes"), but I googled and found information at the following link:

Register for upcoming adCenter Beta and Pilot Programs

It links to this SignUp page for adCenter beta and pilot Programs along with some additional information from Carolyn, a member of the adCenter Community Team.

Signing up would not give you direct access to the programs right away but I believe it adds you to the list of recipients for invitations.

After completing the actual signup for adCenter Analytics, there is a wizard to set your profile information (similar to Google Analytics) along with the domain (site) that you will track/manage. And then a screenshot of the Analytics main page (sort of a dashboard) can be downloaded here.

So, if you're into this stuff (and you should be if you're a web developer, and somewhat if you're a blogger), go try it out while things are still free.

NO-www vs YES-www

For some time I was wondering why some sites that you access without WWW redirect you to the one with the WWW subdomain.

I know most of us will agree that accessing with or without the WWW subdomain should be supported. But in addition to this, I find the arguments of the no-www side more appealing. Of course, don't just take my word for it and see what you think would fit you: NO-WWW and YES-WWW, and also search the net (Google, Live Search, Yahoo) for more info.

So that would make my preferred URL for my site http://ryangaraygay.com (dropping the www, but if you still really want to use www, feel free to do so and you'll still reach my site).

HTTP 403.9 – Access Forbidden: Too many users are connected

I was trying to test multiple connections to my local IIS server when I got the HTTP status/error code above. This is because there is a limit to the number of concurrent connections with the Keep-Alive Enabled setting ON.

http://www.experts-exchange.com/Web/Web_Servers/IIS/Q_20286298.html

So I unchecked "HTTP Keep-Alive enabled" and the issue was resolved.

But when I run/debug from Visual Studio (for an application configured to run on IIS), I got "Unable to start debugging on the web server. An authentication error occurred while communicating with the web server…". IMHO, the error message doesn't quite help in debugging, but it turns out that Visual Studio just needs the keep-alive setting ON to work for applications configured to run on IIS. Turned it back on and it worked fine.