In mid-2008 Microsoft made available three security tools (one developed in conjunction with the HP Web Security Research Group) designed to counter the increasing wave of SQL injection attacks faced by customers running its software. SQL injection attacks were escalating at that point, targeting design flaws in web applications rather than vulnerabilities in the web server or in the server operating system. Five months later, security company Symantec revealed that in the underground economy an attack kit designed to perform SQL injection attacks was sold for an average price of $63, but that it could be as cheap as $15, while going as high as $150.
“With an average price of $63, SQL injection is a type of security vulnerability that typically affects Web applications by exploiting improper input validation in database queries. A successful exploit will allow attackers to access, modify, or delete information on the database. SQL injection tools come in different varieties: some scan websites for vulnerabilities and then exploit them, while others include bot-like features, or incorporate scanners for other types of vulnerabilities. There are also standalone SQL injection tools that aid with exploitation once an attacker has discovered a vulnerability,” Symantec revealed in its Report on the Underground Economy.
Because these attacks exploit flaws in customers' own web application code rather than a vulnerability in Microsoft's software, there is little Microsoft can do on its own to bulletproof customers' websites against the threat. Still, placing a great deal of emphasis on writing secure code, the Redmond company did make available for download UrlScan, the Microsoft Source Code Analyzer for SQL Injection and Scrawlr (via HP). The three tools can be used together to restrict the types of HTTP requests processed by IIS, to analyze ASP code and detect potential flaws, and to evaluate whether entire websites are susceptible to SQL injection attacks.
“SQL injection is a popular attack method in the underground economy, due to its versatility. It can let attackers steal sensitive information stored within the back-end databases of affected websites, which can include user credentials, email addresses, personal information, and credit card numbers. In many cases, SQL injection vulnerabilities can also let attackers bypass authentication and compromise the affected Web application. Website content generated from a database can also be manipulated, potentially allowing an attacker to launch other attacks from the compromised site, such as client-side exploits or the distribution of malicious code,” Symantec added.
UrlScan is available for download here.
Microsoft Source Code Analyzer for SQL Injection is available for download here.
Scrawlr is available for download here.