Microsoft has released a free toolkit to counter SQL injection attacks, aimed at software developers and Web administrators who have been dealing with the steady stream of SQL injection headlines. Microsoft published a Security Advisory describing how these attacks can be mitigated and prevented, and alongside it a Web site scanner called HP Scrawlr, developed by Hewlett-Packard’s Web Security Research Group in conjunction with Microsoft.
As you might have seen, there was a spate of such attacks in late April, and it caused quite a few headaches for administrators. Remember that SQL injection attacks target Web application code, not Web server code. They can only be prevented by making sure that any Web application that accepts user input and uses it to query a database follows best practices: validate the input, and pass it to the database as a bound parameter rather than pasting it into the query text, so that it can never be interpreted as SQL that compromises the database, the Web site, or even the whole server.
So today’s advisory is not a security bulletin: there are no patches for IIS, SQL Server or ASP.NET to download. What Microsoft has made available is a set of tools that help mitigate these attacks while the underlying Web application code is being fixed to follow security best practices for protecting against SQL injection in ASP and ASP.NET. There is the HP tool that tests sites to help identify pages that might be susceptible to SQL injection, and there is the Microsoft Source Code Analyzer for SQL Injection from the SQL Server team, which parses classic ASP code and flags data access commands that might be vulnerable to SQL injection.
Another of these tools is UrlScan 3.0 Beta. UrlScan was originally released with the IIS Lockdown Tool to help mitigate security vulnerabilities that affected IIS 5.0 on Windows 2000 Server. It is an ISAPI filter that examines incoming HTTP requests and checks that URLs and other headers are not padded with overlong strings or unusual characters in an attempt to conduct a buffer overflow attack. Microsoft had not updated the tool since UrlScan 2.5 shipped alongside IIS 6.0, because most of its functionality is now built into IIS 7.0 as the Request Filtering module. As of now, though, you can download 32-bit and 64-bit versions of UrlScan 3.0 Beta, which extends the checks to the query string part of the URL (the part after the “?”, typically name/value pairs or other parameters passed to a script or application). Rejecting requests whose query strings contain SQL injection patterns can therefore blunt these attacks while the underlying Web application code is fixed; it is a stopgap, not a substitute for that fix.
Over on the IIS.net site, you can find a full walkthrough of the tool, as well as some great articles by Wade Hilmo (the developer who wrote UrlScan) and Nazim Lala, another member of the IIS security team. They have full details on the tool and other security guidance you can follow to help protect your Web servers and applications.
Source: Windows Server Division