An escalation in SQL injection attacks aimed at websites built on ASP and ASP.NET has prompted Microsoft to take action. Immediately after the surge of SQL injection exploits, the Redmond company highlighted resources available to administrators for hardening their websites, but initially offered only a set of guidelines and pointed to the best-practices documentation already available. Microsoft has since coordinated the release of three free security tools designed to help find and block SQL injection attacks.
"Today, Microsoft is releasing two new SQL injection defense and detection tools, URLScan 3.0 and Microsoft Source Code Analyzer for SQL Injection (MSCASI). We are also excited to announce the release of HP Scrawlr, a SQL injection detection tool developed by HP Web Security Research Group in conjunction with Microsoft. Each of these tools works differently and each attacks the SQL injection problem from a different angle, and in combination they complement each other well," revealed Bryan Sullivan, Security Product Manager, SDL team.
What is important to note is that none of the vulnerabilities involved in the spate of SQL injection attacks are in Microsoft's server software. Microsoft has made it clear that there are no security holes to plug in the web server itself; instead, weaknesses in the web applications that handle end-user input are being exploited. Where applications fail to follow the best-practice guidelines Microsoft has outlined, input containing malicious SQL syntax can be passed straight into database queries, potentially compromising not only the database or a specifically targeted website but the underlying web server as well.
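The flaw described above is an application-level one: request input is spliced into query text, so the database parses attacker-supplied characters as SQL. The following is an added example, not code from the article or from Microsoft, that puts the vulnerable pattern beside its parameterized replacement. It assumes a constructed in-memory SQLite table standing in for the SQL Server catalog behind an ASP/ASP.NET page (SQLite is used only so the example runs offline; the concatenation-versus-binding contrast is identical on SQL Server); the table, rows and payload are all made up for illustration.

```python
import sqlite3

# Constructed sample data (assumption: a product catalog with one row that
# should never be visible to anonymous visitors).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            (1, "Widget", 1),
            (2, "Gadget", 1),
            (3, "Internal prototype", 0),  # not public
        ],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    # Mirrors the classic ASP anti-pattern: the request parameter is
    # concatenated directly into the SQL text. Whatever the client sends
    # becomes part of the statement's syntax, not just a value.
    sql = (
        "SELECT name FROM products WHERE public = 1 AND id = "
        + product_id
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    # Hardened form: the same input is bound as a parameter. The statement
    # text is fixed, and the database compares the column against the
    # literal value; "1 OR 1=1" is just a string that matches no id.
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def demo(payload="1 OR 1=1"):
    # Returns what each variant hands back for a benign id and for the
    # injected payload, so the difference can be checked programmatically.
    conn = make_db()
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "1"),
        "vulnerable_injected": lookup_vulnerable(conn, payload),
        "parameterized_benign": lookup_parameterized(conn, "1"),
        "parameterized_injected": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload `1 OR 1=1` the concatenated query becomes `... WHERE public = 1 AND id = 1 OR 1=1`, and because `AND` binds tighter than `OR` the `public = 1` check is bypassed and the non-public row leaks; the parameterized version returns nothing for the same input. Filtering tools such as URLScan can block known payload shapes at the IIS layer, and scanners such as MSCASI and Scrawlr can point at code like `lookup_vulnerable`, but the fix is the binding shown in `lookup_parameterized`.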
"UrlScan version 3.0 Beta, a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan helps prevent potentially harmful requests. Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), a tool that can be used to detect ASP code susceptible to SQL injection attacks. Scrawlr, a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection," explained Andrew Cushman, Director, Microsoft Security Response Center (MSRC).
UrlScan version 3.0 Beta is available for download here.
Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008) is available for download here.
Scrawlr is available for download here.