Microsoft warns of SQL injection attacks
Microsoft has responded to the increasing number of compromised web sites based on ASP and ASP.NET by publishing an SQL injection advisory. In the advisory, Microsoft emphasises that the attacks do not exploit vulnerabilities in the software but specifically target web applications that disregard the standard security measures for database use, the most important of which is checking and filtering user input. It appears that many hundreds of thousands of sites are affected.
Microsoft has introduced some free tools to help administrators make their sites more secure. The HP Scrawlr tool searches web pages for SQL injection problems. It is based on the WebInspect security scanner acquired by HP, but comes with several restrictions; for example, it does not support POST actions in forms. As a side note, we'd like to point out that the linked download site of the HP security specialists, https://download.spidynamics.com, uses a weak SSL certificate signed by Thawte, as can easily be established with an SSL check at heise Networks.
IIS admins can use Microsoft's UrlScan to block specific HTTP requests. However, this program is so far only available as a beta. Another Microsoft tool examines the source code of ASP applications for typical SQL injection problems, but it does not support ASP.NET.
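The advisory's point is the difference between splicing a request parameter into SQL text and checking it and binding it as a parameter. The following is an added example, not from the advisory or any of the tools mentioned; it reproduces the ASP-style mistake in Python against a constructed in-memory SQLite table so that both versions can be run and compared.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table standing in for the site's database:
    # one row is meant to be public, one is not.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "public widget", 1), (2, "internal gadget", 0)],
    )
    return db


def lookup_unsafe(db, product_id):
    # Vulnerable pattern (the one the advisory warns about): the request
    # parameter is concatenated into the SQL text, so anything it contains is
    # parsed as part of the query instead of being treated as data.
    sql = ("SELECT name FROM products WHERE public = 1 AND id = "
           + product_id + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, product_id):
    # Hardened pattern: first check the input against what it must be (here a
    # decimal integer), then bind it as a parameter so the database engine
    # never interprets it as SQL.
    if not re.fullmatch(r"[0-9]+", product_id):
        raise ValueError("product id must be a decimal integer")
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(product_id),))]


def compare(product_id):
    # Runs the same request value through both lookups and reports what each
    # returned; a rejected input is reported as None for the safe variant.
    db = make_db()
    try:
        safe = lookup_safe(db, product_id)
    except ValueError:
        safe = None
    return {"unsafe": lookup_unsafe(db, product_id), "safe": safe}
```

With a plain id both lookups agree; with a value that carries SQL operators the unsafe version's WHERE clause is rewritten and the non-public row leaks, while the safe version rejects the input before any query is built.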
- Rise in SQL Injection Attacks Exploiting Unverified User Data Input, Microsoft security advisory
- Finding SQL Injection with Scrawlr, by HP's Security Laboratory
- Using UrlScan, by Microsoft
- The Microsoft Source Code Analyzer for SQL Injection, by Microsoft
- SQL injection – attack and defence, heise Security background article