Editorials

Anatomy of a SQL Server Injection Hack on the Show Today

Featured Article(s)
Writing efficient Stored Procedures – A Case Study
(By G.R. Preethiviraj Kulasingham) Performance optimization of stored procedures for developers. This article is a case study that rewrites a stored procedure in several different ways in order to optimize its performance.

New Video: SelectViews SQL Server Show
Today’s show – we’re looking at the automated SQL Server Injection that’s going around. We’ve been tracking it in our own logs here at SSWUG and I put a segment in the show to specifically show you what’s happening and how this may be getting through some of the more common filtering techniques out there. Sure, I’d love to get killer traffic on this show, but more than that, I hope you’ll take a minute and watch; I tried to show exactly why it’s getting through and what’s being done. It’s in the newsletter section of the show.

[Watch The Show]

The SQL injection issue is really substantial and something you need to understand before you can address it. This isn’t your typical "type a character, see what the error is, tweak the hack, try again" scenario. The reason it succeeds so frequently in getting through is that it uses an approach that doesn’t expose the keywords or other strings people have filtered on in their applications. It slips right through. The hack uses a CAST statement to decode the actual SQL, which is supplied as an encoded (hex) string, and then executes the decoded result. It’s just lovely, really.
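As an added example (not code from the show or from SSWUG), here is a Python check that runs over constructed web-log lines, URL-decodes them, pulls the hex literal out of a CAST(0x… AS NVARCHAR) expression and reports which SQL keywords were hidden inside it; the log lines, the request path and the keyword list are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Keywords a naive request filter typically looks for in the raw query string.
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DECLARE", "EXEC", "CURSOR", "FETCH")

# A surface-level filter only sees "CAST(0x... AS NVARCHAR(4000))"; the real
# statement lives inside the hex literal, so keyword matching on the raw text misses it.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> str:
    """Turn a 0x... literal into text; NVARCHAR payloads are UTF-16LE, VARCHAR ones single-byte."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def inspect_request(line: str):
    """Return details of an encoded CAST payload found in a log line, or None if clean."""
    # Decode twice: the injection usually arrives URL-encoded (sometimes doubly) in a query string.
    text = unquote_plus(unquote_plus(line))
    m = CAST_HEX.search(text)
    if not m:
        return None
    decoded = decode_hex_literal(m.group(1))
    hits = [k for k in SQL_KEYWORDS if re.search(rf"\b{k}\b", decoded, re.IGNORECASE)]
    return {"hex_len": len(m.group(1)), "decoded": decoded, "keywords": hits}


def scan_log(lines):
    """Return (index, finding) pairs for every line carrying an encoded CAST payload."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect_request(line)) is not None]


# Constructed sample lines (not real traffic). The hex is the UTF-16LE encoding of a
# harmless statement, built here so the decoded result can be checked.
_PAYLOAD = "SELECT name FROM sys.tables".encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    'GET /catalog.asp?id=42 HTTP/1.1" 200',
    "GET /catalog.asp?id=42;DECLARE%20@s%20NVARCHAR(4000);SET%20@s=CAST(0x"
    + _PAYLOAD + "%20AS%20NVARCHAR(4000));EXEC(@s);-- HTTP/1.1\" 200",
]

if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {finding['hex_len']} hex digits hid -> {finding['decoded']!r} "
              f"(keywords: {', '.join(finding['keywords'])})")
```

The point of the check is the decode step: filtering the raw request for UPDATE or script tags never sees them, because they only appear after the hex literal is turned back into text.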

Anyway, all of this is to say: if you have a minute, take a look at the show and see what it’s all about; at the same time, it’s a bit of an "Anatomy of a Hack." Here’s the official show description:

SelectViews SQL Server Show
SQL Injection Dissection, Drive Tips for Performance, Upcoming Events and More. Also, Clustered Index Tips, Noise and News in the DB World, Discussions, Newsletter Feedback.


Featured White Paper(s)
Easing the Migration to Microsoft SQL Server 2005
Many companies are eager to take advantage of Microsoft SQL Server 2005 and its notable business and technology benefits such… (read more)

SharePoint Customization Best Practices
In this paper, we will tackle a subject that has raised many questions and an equally large number of answers. How do I custo… (read more)