Reading this article was an exercise in frustration. Mass SQL Injection Attack Hits 1 Million Sites. The sum of it is that over a million ASP.Net websites were written and put online after someone had deliberately disabled input validation. This isn’t an insecure default. Folks turned off the security feature on purpose!
I’ve worked on a lot of software projects and can picture what probably happened all too well. Someone was working on some piece of the web application and ran into a validation error when testing the site. Maybe they had a deadline coming up, or just gave up figuring the problem out. Hopefully it wasn’t a case where they just didn’t care. The end result was rather than figure out what triggered the issue and work through it, someone brought up the idea of turning off the validation.
It was a small change. Just flip this:
<%@ Language="C#" ValidateRequest="true" %>
to this:
<%@ Language="C#" ValidateRequest="false" %>
Hey it works! At least until they got owned. Then it was lots of stress, work and fear of unemployment.
This not a problem limited only to ASP.Net developers. Think back and remember the times that a firewall rule was set to default permit because someone was in a hurry. Or the time that someone got frustrated figuring out file system permissions and gave the Everyone group Full Control to a directory. Or worse, set that daemon to run as root. It happens and it’s all too tempting while in full firefighting mode or coming up on a deadline. But is it really worth it? Or do we find out later that the Easy Button really was the wrong one?
Take some time and save yourself or co-workers the grief. Resist the urge to push the Easy Button and don’t give an attacker an easy shot.
Mass SQL injection attacks… due to a config issue??
Paul Asadoorian
Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.
