ASP Sites Targeted By SQL Injection

Monday, April 28, 2008 by Mistlee

Can't see any images? -!

Recent Articles

Microsoft Extends ASP.NET With 3.5 Extensions
New extensions for developers working in ASP.NET should help in a few areas, including the ability to build data driven pages without coding. Astoria may rise to...

Using the Provider Model in ASP.NET 2.0
I think by now, most ASP.NET developers have come across some of the different provider models in...

Googlebots Can Trip Bugs In ASP 2.0?
In a post called, "ASP.NET 2.0 Mozilla Browser Detection Hole," Brendan Kowitz writes that 'there is something drastically wrong with the way search engines have...

Show IIS Process Info
Recently I needed to investigate the IIS process on a website because of strange shutdown behaviors.

The Dangers Of The New ASP.NET MVC Framework
I've been following the new ASP.NET MVC framework quite close lately because it looks so cool. Not only does it make your website testable in a much richer way...

ASP.NET 2.0 - The Expando Attribute
By coincidence I noticed a method I've never seen before on the ClientScript property of the page class in ASP.NET 2.0. It's called something as cryptic as Register...


ASP Sites Targeted By SQL Injection

By David A. Utter

The dynamic capabilities of websites powered by back-end databases made thousands of them targets for injections of unsanitized code.

A trio of domains have been found to host malicious exploits that people may hit while searching the Internet. Links to this content turned up in thousands of links to otherwise innocent websites, thanks to a seemingly unstoppable outbreak of SQL injection attacks.

Security vendor F-Secure discovered in a cursory search on Google the presence of 510,000 pages affected by the attacks on a variety of sites. F-Secure advised security pros to block access to the rogue domains hosting the malware:, and

The bad people want to drop a gaming trojan onto a victim's system. With ten million players alone on World of Warcraft, and thousands more on other online games, such trojans could grab login credentials and steal billing information or in-game valuables.

"Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls," F-Secure said.

Learn More about what is Inside and Outside the Box

The security vendor found the attack at issue now seeks out all of the text fields in the database, and adds a link to malicious JavaScript to them. ASP-based websites take note: the attackers look for .asp and .aspx pages.

Any site offering the ability to upload content, from blogs to forums and beyond, could be at risk from the attack. F-Secure suggested webmasters check their server logs for a section of the injection code they listed in this latest post about the attacks. If it's present, the database needs to be cleaned up, and the application fixed to sanitize incoming content.

About the Author:
David Utter is a staff writer for WebProNews covering technology and business.
About WebProASP
WebProASP is a collection of up to date tutorials and insightful articles designed to help ASP users of any skill level implement successful ASP systems and practices. ASP Strategies and Tactics for Business

WebProASP is brought to you by:

-- WebProAsp is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal

archives | advertising info | news headlines | free newsletters | comments/feedback | submit article

Unsubscribe from WebProAsp.
To unsubscribe from WebProAsp or any other iEntry publication, simply send an email request to:
ASP Strategies and Tactics for Business WebProASP News Archives About Us Feedback WebProASP Home Page About Article Archive News Downloads WebProWorld Forums Jayde iEntry Advertise Contact