June 24th, 2008

Microsoft ships free code auditing tools to thwart SQL injection attacks

Posted by Ryan Naraine @ 1:34 pm

Categories: Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Locally Running Web Servers, Microsoft, Patch Watch, Pen testing, Vulnerability research, Zero-day attacks

Tags: Vulnerability, Auditing, SQL, Microsoft Corp., SQL Injection, Tool, Scrawlr, Programming Languages, Security, Databases

On the heels of a dramatic rise in SQL injection attacks linked to drive-by malware downloads, Microsoft has released a set of free tools aimed at helping Webmasters and IT administrators block and eradicate this attack class.

According to a security advisory from the Redmond, Wash. software giant, the tools are available for free and cover detection, defense, and the identification of coding flaws that an attacker could exploit.

One of the tools, called Scrawlr, was created in partnership with the HP Web Security Research group (formerly SPI Dynamics).

Here’s the skinny on the three new tools:

Scrawlr: The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will then be analyzed for SQL injection vulnerabilities.

Microsoft Source Code Analyzer for SQL Injection: Called MSCASI, this is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run MSCASI you will need source code access, and MSCASI will output the areas vulnerable to SQL injection (i.e. the root cause and the vulnerable path are identified). It scans ASP source code and generates warnings for first order and second order SQL Injection vulnerabilities.

URLScan 3.0: This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, URLScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter will drop the request and it will not be processed by SQL. That said, if a SQL injection flaw has been identified, you are encouraged to fix the root cause of the problem instead of attempting to produce the perfect filter (since in our view this is error prone).
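To make the first order / second order distinction in the MSCASI description concrete, and to show why the advisory prefers fixing the root cause over a request filter, here is an added example (not code from Microsoft, HP or this post) using Python and sqlite3; the classic ASP the tools target has the same string-concatenation shape. The database rows and the probe string are constructed for the demonstration.

```python
import sqlite3

# Constructed textbook probe string; it only serves to show how the two code
# shapes behave differently on the same input.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Constructed in-memory sample database; not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# First order: a request parameter flows straight into the statement text.
def role_by_name_vulnerable(conn, name):
    sql = "SELECT role FROM users WHERE name = '" + name + "'"   # the defect
    return sorted(row[0] for row in conn.execute(sql))


def role_by_name_safe(conn, name):
    # Parameterised: the driver sends the value separately from the SQL text,
    # so the value can never alter the statement's structure.
    return sorted(row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)))


# Second order: the value is written safely, then read back and concatenated.
def register(conn, name):
    cur = conn.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))
    return cur.lastrowid


def own_role_vulnerable(conn, user_id):
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    # Stored data is trusted as if it were a literal. No HTTP request carries the
    # payload at this point, so a request filter such as URLScan never sees it.
    return role_by_name_vulnerable(conn, name)


def own_role_safe(conn, user_id):
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return role_by_name_safe(conn, name)


def demo():
    conn = make_db()
    first = (role_by_name_vulnerable(conn, PAYLOAD), role_by_name_safe(conn, PAYLOAD))
    uid = register(conn, PAYLOAD)
    second = (own_role_vulnerable(conn, uid), own_role_safe(conn, uid))
    return first, second
```

Static analysis of the kind MSCASI performs flags both concatenation sites; the parameterised versions return only the matching row in both the first and second order case.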

* Image source: pvera’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback
Scrawlr is a joke
Ryan, have you tried it? I ran it against my blog. After finding 14 links, it quit. Apparently at 14 links, it times out and says that it has been limited to 14 links. Oh and you can go purchase t... (Read the rest)
Posted by: mtgarden | 06/26/08