Protect your websites, logs, and inbox from SQL Injection
If you're like me you leave error reporting emails on for most of the sites that you build, so that wherever possible you are alerted to potential problems — like the recent wave of SQL Injection attacks — before the website owner (your client) knows they're being attacked, and hopefully, before an attack is successful. Of course, you're a responsible coder and you're logging and reporting errors, and then hunting down and eradicating the buggy code… right?
But as was pointed out this morning on Twitter by Adam Lehman, if you log and subsequently email yourself or anyone else for every single error your website throws, you could end up flooding your own inbox (or worse, the inboxes of your clients and coworkers!) with error reports, essentially causing a Denial of Service attack on yourself. And you may overly tax your server's resources in the process. It doesn't get much more lose-lose than that.
As ColdFusion Muse points out, a majority of recent attacks have been an attempt to append some JavaScript to every text field in a database, and they are using a very specific method: declaring a text variable that contains some T-SQL instructions, and then evaluating it. And like something out of a bad comedy, a few hours after reading Mark's post, it started happening to two of the websites my group manages. And boy, did the emails start coming.
Luckily, because the attack is so specific, it's easy to head off.
If you're using Application.cfm, just add this somewhere near the top:
And of course, if you're using Application.cfc, you can just put it in the onRequestStart function. Either way, you should position this code so that it is run before any significant work is done on the web server. There's really no generic reason it can't be line 1.
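The author's snippet did not survive on this page, so what follows is an added example, not the post's own code: an Application.cfc whose onRequestStart looks for the DECLARE / CAST / EXEC sequence described above in everything the client sent, writes a single log line, and aborts with a 403 before any query runs. The application name and the "sqlinjection" log file name are assumptions.

```cfml
<!--- Application.cfc (added example): block the DECLARE/CAST/EXEC probe before any page logic runs --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var suspect = "">
        <cfset var key = "">

        <!--- Collect everything the client sent: the decoded query string plus every posted field --->
        <cfset suspect = urlDecode(cgi.query_string)>
        <cfloop collection="#form#" item="key">
            <cfset suspect = suspect & " " & form[key]>
        </cfloop>

        <!--- The probe declares a string variable, CASTs/CONVERTs a hex blob into it, then EXECs it.
              Requiring the whole sequence (any case, any spacing) keeps false positives low. --->
        <cfif reFindNoCase("declare\s+@\w+\s+n?(var)?char.*?(cast|convert)\s*\(.*?exec(ute)?\s*\(", suspect)>
            <!--- One log entry, no error email, no database work --->
            <cflog file="sqlinjection" type="warning"
                   text="Blocked SQL injection probe from #cgi.remote_addr# to #arguments.targetPage#">
            <cfheader statuscode="403" statustext="Forbidden">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the check runs in onRequestStart, it covers every page in the application without touching the pages themselves.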
By doing this, you'll protect yourself from this specific attack (but not all SQL Injection) and stop all of those nagging error emails and log entries. Then you can focus on important things like making sure all of your queries use CFQueryParam.
Posted in ColdFusion | 4 Responses
4 responses:
- Critter Aug 8, 2008 at 2:30 PM Was just what I was looking for... to cut down on the amount of bandwidth I was dishing out... Ta.
- Carlos Aug 8, 2008 at 2:48 PM Thanks. This little tip helped us out. Even though we use MySQL and SQL injection doesn't work too well with it, it was causing a lot of unnecessary traffic that was timing out our applications. It took me a couple of hours to figure that one out.
- Carolyn Aug 8, 2008 at 4:11 PM Thanks a bunch, Adam! Our server was being pounded pretty hard all morning...fortunately this way we won't have to worry so much over the weekend.
- chris hough Aug 14, 2008 at 10:46 AM Nice post, Adam. I am going to be sharing this perspective with my team. Hope all is well :)