What is it?

Malicious code, typically JavaScript, is embedded into a database table. Whenever the stored content is rendered, it can pull out all the useful inputs of the end user and then misuse them.
Sample: when an innocent user visits a URL whose page has been programmed to take data from that particular table, the same malicious JavaScript is executed in the user's browser, which enables the hacker to redirect the site to the hacker's home page. This can even capture sensitive information, like credit card numbers, date of birth, and so on.

How does it occur?

A programmer writes code to take input from the user, store it in the database, and display it on the next page. While taking inputs, proper validation is required before submitting them to the database. If that validation is not in place, JavaScript can be smuggled in with the input, inserted into the database table, and later misused.

For example:

Enter your name: Ritesh Kumar

Displayed in browser:

Your name is: Ritesh Kumar

The programmer must validate the input so that only alphabetic characters and spaces are allowed when entering a name; characters such as ; , < > / \ etc. [refer to the input validation document] should not be allowed in the name field.

Assuming the careless programmer did not perform the validation, and the end user enters the following as input:

Enter your name: Ritesh Kumar;<script>Your site is hacked</script>

Displayed in browser:

Your name is: Ritesh Kumar, together with a JavaScript pop-up [Your site is hacked]

The hacker, thanks to the programmer's faulty code, is able to easily insert any JavaScript, which can then pull out all the details he wants from the user's browser.

How to prevent it?

This incident occurs due to improper input validation. The programmer MUST review all validation properly and should not allow any special characters into the database.
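The name-field rule and the display step from the example above, written out as an added JavaScript example (not code from the original article). It also HTML-escapes the stored value when it is displayed, a defence-in-depth measure the article does not mention; all function names and the sample inputs are my own.

```javascript
// Added example, not from the original article. Demonstrates: (1) validating the
// name field so only letters and spaces reach the database table, and (2) escaping
// the stored value on output so it is shown as text, never parsed as markup.

// Accept only alphabetic words separated by single spaces (the article's rule).
function isValidName(name) {
  return /^[A-Za-z]+( [A-Za-z]+)*$/.test(name);
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simulated submit handler: returns the value that would be written to the
// table, or null when validation rejects the input.
function handleSubmit(input) {
  return isValidName(input) ? input : null;
}

// What the article's careless programmer does: echo the stored value as-is.
function renderUnsafe(storedName) {
  return "Your name is: " + storedName;
}

// Hardened display: escape on output regardless of how the value got stored.
function renderSafe(storedName) {
  return "Your name is: " + escapeHtml(storedName);
}

// Constructed sample inputs, mirroring the article's example.
const GOOD_INPUT = "Ritesh Kumar";
const BAD_INPUT = "Ritesh Kumar;<script>Your site is hacked</script>";

console.log("validation:", handleSubmit(GOOD_INPUT), handleSubmit(BAD_INPUT));
console.log("unsafe:", renderUnsafe(BAD_INPUT));
console.log("safe:  ", renderSafe(BAD_INPUT));
```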

Net4India provides a service called http://net4secure.com which helps your programmer identify all such vulnerabilities inside the site.

Any direct insertion into the database is prone to SQL injection, so all direct SQL should be converted to stored procedures.

Server side: not much can be done on the server side. It is suggested to use ModSecurity for Apache and Microsoft UrlScan for IIS. These can detect and block such pages. The disadvantage is that they may block genuine pages as well.

Further Reading: http://msdn.microsoft.com/en-us/library/ms161953.aspx
