In association with heise online

25 June 2008, 10:30

Microsoft warns of SQL injection attacks

Microsoft has responded to the increasing number of compromised web sites based on ASP and ASP.NET by publishing an SQL injection advisory. In the advisory, Microsoft emphasises that the attacks do not exploit vulnerabilities in the software but specifically target web applications which disregard the general standard security measures for database use. The most important of these measures is checking and filtering user input. It appears that many hundreds of thousands of sites are affected.
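The pattern the advisory warns about, shown as an added example (not code from Microsoft's advisory or from the article): a query built by concatenating raw request input, next to the hardened form that validates the value and binds it as a typed parameter. The connection, table and column names are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added illustration; the Products table and its columns are assumed.
public static class ProductLookup
{
    // VULNERABLE: rawId (e.g. Request.QueryString["id"]) is spliced into the
    // statement text, so input such as  1 OR 1=1  becomes part of the SQL
    // rather than a value. This is the class of bug the mass attacks exploit.
    public static DataTable FindByIdUnsafe(SqlConnection conn, string rawId)
    {
        string sql = "SELECT Name, Price FROM Products WHERE Id = " + rawId;
        using (var cmd = new SqlCommand(sql, conn))
        using (var reader = cmd.ExecuteReader())
        {
            var table = new DataTable();
            table.Load(reader);
            return table;
        }
    }

    // HARDENED: check the input's type first, then bind it as an integer
    // parameter. The statement and the value travel to SQL Server separately,
    // so the value can never alter the statement's structure.
    public static DataTable FindByIdSafe(SqlConnection conn, string rawId)
    {
        if (!int.TryParse(rawId, out int id) || id <= 0)
            throw new ArgumentException("id must be a positive integer", nameof(rawId));

        const string sql = "SELECT Name, Price FROM Products WHERE Id = @Id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            using (var reader = cmd.ExecuteReader())
            {
                var table = new DataTable();
                table.Load(reader);
                return table;
            }
        }
    }
}
```

Scanners such as the ones mentioned below flag the first form; the second is what they expect to find.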

Microsoft has introduced some free tools to help administrators make their sites more secure. The HP Scrawlr tool searches web pages for SQL injection problems. It is based on the WebInspect security scanner acquired by HP, but comes with several restrictions; for example, it does not support POST actions in forms. As a side note, we would like to point out that the linked download site of the HP security specialists uses a weak SSL certificate signed by Thawte, as can easily be established with an SSL check at heise Networks.

IIS administrators can use Microsoft's UrlScan to block specific HTTP requests; however, this program is so far only available as a beta. Another Microsoft tool examines the source code of ASP applications for typical SQL injection problems, but it does not support ASP.NET.
