Skip to main content
N
nosredna
Participating Frequently
September 30, 2009
Question

SQL injection and SQLFury

  • September 30, 2009
  • 1 reply
  • 1632 views

We have recently had an SQL injection attack on our site.  The web form in question was calling a second cfm with a post command.  The second cfm did the actually db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:

- implemented the cfqueryparam tag on all applicable fields being entered in the form

- introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric

- consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)

However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.

I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilties.  I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it.  I've researched the web and found no assistance on how to use this utility.  Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?

Any assistance would be very much appreciated.

This topic has been closed for replies.

1 reply

ilssac
ilssac
Inspiring
September 30, 2009

RIA Forge has a queryparam scanner that will search your code for missing queryparam oportuntites.

http://qpscanner.riaforge.org/

This is the number one way to prevent sql injection.  Once a variable has been turned into a paramter, the database will NEVER execute any SQL commands contained in the data, becase the database management system know it is data.

But it is important to seperate the completly seperate SQL injection attack where rogue SQL commands are run from the XSS Cross Scripting attack where rogue JavaScript is inserted into your database to be displayed and run on your site.

<cfqueryparam...> will prevent all SQL injection, it can do nothing about Cross Scripting, because data is data to a database.

Not saying you are confused about this, but many others maybe.

N
nosrednaAuthor
Participating Frequently
October 2, 2009

Ian:

Thanks for the information.  The utility is helpful and confirmed for me that my page was secure from SQL injection.  The additional insight you provided has lead me to discover that my issue was not an SQL injection, but a Cross Scripting attack.  A web vulnerability utility from Acunetix helped me determine that.

Thanks again,

...Wes

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices