Microsoft is taking a decent stance on SQL Injection (SQLi) mitigation and has issued a security advisory that offers a good bit of information and three tools for developers and security risk managers. The frustration with SQLi attacks is that they are preventable. Oftentimes a simple coding error leads to problems, and these problems can cost a business or website reputation and manpower to fix.
Microsoft offers some advice and tools for taking on SQLi. (IMG:J.Anderson)
SQLi attacks against Microsoft ASP and ASP.NET based websites have been a plague for months. It was expected that Microsoft would do something sooner or later. Microsoft agreed that something needed to be done and issued Security Advisory 954462, which addresses the need for proper coding and offers three tools to help locate potential issues.
“Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.”
The three tools are what will make the most difference for some development teams. While it is still necessary to pore over documentation, sometimes a little automation can go a long way. UrlScan version 3.0 Beta is the first tool. It restricts the types of HTTP requests that IIS will process; by blocking specific HTTP requests, UrlScan helps keep potentially harmful requests from reaching the application. The next tool is the Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), which can be used to detect ASP code susceptible to SQL injection attacks. Finally, from HP comes Scrawler, a scanner developed by the HP Web Security Research Group, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.
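The coding error the advisory and the Source Code Analyzer are concerned with is the same in every language: user input spliced into the text of a SQL statement. The following is an added example, not code from the advisory or from any of the three tools; it is written in Python against an in-memory SQLite database (rather than ASP against SQL Server, which would need a database server to run) because the mechanism is identical. The `users` table and its two rows are constructed for illustration. It places the vulnerable concatenated query beside its parameterized replacement and runs both on the same inputs so the difference is visible.

```python
import sqlite3

# Constructed sample data (assumption: a minimal users table, not from the advisory).
SAMPLE_USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """The coding error the advisory warns about: input is spliced into the SQL
    text, so a quote character in the input becomes part of the query grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """The fix: a parameterized query. The SQL text is fixed and the values are
    bound separately, so input can never change the statement's structure."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(conn, username, password):
    """Run both versions on the same input and report what each returns.
    A query that fails to parse is reported as the string 'syntax error'."""
    results = {}
    for name, fn in (("concat", login_concat), ("param", login_param)):
        try:
            results[name] = fn(conn, username, password)
        except sqlite3.OperationalError:
            results[name] = "syntax error"
    return results


if __name__ == "__main__":
    db = make_db()
    # Valid credentials: both versions agree.
    print(compare(db, "alice", "pw-alice"))
    # A legitimate name containing an apostrophe: the concatenated query breaks,
    # the parameterized one simply finds no match.
    print(compare(db, "o'neil", "pw-x"))
    # The textbook tautology input from every secure-coding tutorial: concatenation
    # returns every row with no valid password, parameterization treats the
    # input as a literal string and returns nothing.
    print(compare(db, "alice", "' OR '1'='1"))
```

The apostrophe case is worth noting for anyone triaging scanner output: a concatenated query that throws a database error on an ordinary name like O'Neil is the same defect the tautology input exploits, so unexplained SQL syntax errors in IIS or application logs are a cheap early indicator of code that needs the parameterized form.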
There is also a good source of information in the Suggested Actions section: http://www.microsoft.com/technet/security/advisory/954462.mspx
Another bit of information related to SQLi mitigation comes from SANS, where they recently posted a killer function that has offered a good deal of help for its creator.
http://isc.sans.org/diary.html?storyid=4615