We all by now have probably heard about the increase in SQL injection attacks to popular (and unpopular) web sites.
A SQL Injection attack is where an external party passes potentially harmful or exploitive data in the form of raw, formatted or encoded T-SQL in a way in which it is executed as a query within a database.
This typically can occur if a web site has not been well designed and allows the transfer of user supplied data to the database (to be executed, in a manner described as ‘dynamic SQL’) without being first checked (validated).
Microsoft have helpfully published a Security Advisory for their customers. Additionally, if you refer to this blog entry by Denis Gobo, there are three tools helpful in supporting users in protecting against SQL Injection attacks (and detecting potential problems and threats).
UrlScan has been around for a while now, restricts the types of requests which can be made of an IIS server. It integrates into Internet Information Services as an ISAPI filter. The latest beta works with IIS versions 5.1 or later, including IIS 7 (shipping on Windows Vista and Windows Server 2008).
Microsoft Source Code Analyzer is a .Net Framework 3.0 based tool which analyzes and detects first order and second order sql injection attacks in ASP pages.
Limitations
The tool has the following known limitations:
– The tool understands only ASP code that is written in VBScript. It currently does not analyze server-side code that is written in any other languages, such as Jscript.
– A new ASP parser was developed as part of this tool development process. However, this parser may not cover all ASP constructs. Therefore, you may see some parsing errors.
Drawback: This doesn’t work with ASP.net…just classic ASP.
HP Scrawlr is a tool I haven’t used before, apparently trawls web pages and tries various parameter injection attacks. It’s main use appears as a testing tool to test the security/integrity of web sites.
A download link is located here.
To learn more about ways to protect against SQL Injection in a design, look at using parameterized SQL queries – you can read about it here.