Microsoft SQL Injection Prevention Strategy

Published: 2008-06-24
Last Updated: 2008-06-24 22:17:41 UTC
by Jason Lam (Version: 1)
2 comment(s)

Microsoft released a security advisory today in reaction to the mass SQL injection exploitation on the Internet. Unlike most of Microsoft's other security bulletins and advisories, this one isn't about Microsoft products. The advisory states: "These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."

Aside from providing links to information on SQL Injection, Microsoft recommends three approaches to help mitigate SQL Injection.

1. Runtime scanning

HP trimmed down a version of the WebInspect scanner to look for SQL injection vulnerabilities on a running website. Please note this scanner is very basic and should be used for a quick inspection only. I like the fact that the scanner has the ability to dump table names, which helps eliminate false positives.

2. URLScan

URLScan is Microsoft's basic Web App Firewall solution. It has capabilities to block unwanted requests. It should only be used as a proactive measure or as a short-term emergency fix for SQL injection vulnerabilities.

3. Code Scanning

MS released a nice ASP source code scanning tool to look for SQL injection flaws. It is focused on SQL injection and seems to produce very few false positives, which can be a problem with a lot of code scanners.

You may ask, runtime or code? The answer is both, if you can do it. For example, if the ASP file calls a stored procedure in the database, and the stored procedure then performs an exec on concatenated strings to run SQL within the database, code scanning will not flag the problem because the ASP code looks fine (only the stored procedure is the problem). Conversely, runtime scanning can miss some portions of the site because this specific version of the scanner does not follow JavaScript and does not submit POST requests during the spider process.
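The stored-procedure case described above, as an added T-SQL example (not from the diary or the Microsoft advisory); the table, column and procedure names are hypothetical. The ASP caller can bind `@name` as a parameter and the first procedure is still injectable, which is why an ASP-only code scan passes it; the final query is a rough catalog search for procedures that deserve manual review.

```sql
-- Constructed example: dbo.Products and all procedure names are hypothetical.

-- Vulnerable: the caller binds @name as a parameter, yet the procedure
-- splices it into a string and executes that string as SQL.
CREATE PROCEDURE dbo.SearchProducts_Unsafe
    @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT ProductId, ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE ''%' + @name + N'%''';
    EXEC (@sql);   -- @name is parsed as SQL text here
END
GO

-- Hardened, option 1: no dynamic SQL; @name is only ever treated as data.
CREATE PROCEDURE dbo.SearchProducts_Static
    @name NVARCHAR(100)
AS
BEGIN
    SELECT ProductId, ProductName
    FROM dbo.Products
    WHERE ProductName LIKE N'%' + @name + N'%';
END
GO

-- Hardened, option 2: dynamic SQL is kept, but the statement text is a
-- constant and the value is bound through sp_executesql.
CREATE PROCEDURE dbo.SearchProducts_Bound
    @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT ProductId, ProductName FROM dbo.Products '
             + N'WHERE ProductName LIKE N''%'' + @p_name + N''%''';
    EXEC sp_executesql @sql, N'@p_name NVARCHAR(100)', @p_name = @name;
END
GO

-- Review aid: list procedures whose body uses EXEC(...) or sp_executesql.
-- A match is a candidate for manual review, not proof of a flaw.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS proc_name
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%(%' OR m.definition LIKE '%sp_executesql%';
```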

Kudos to Microsoft for releasing the tools and information to help developers fix their apps. Also appreciate the free scanner from HP.

 


Comments

The free scanner from HP is named Scrawlr and the link to download it is in the Microsoft advisory under general information then suggested actions. Registration on HP's site is required in order to download the free scanner.

I use this for IIS 6.0: http://www.codeplex.com/IIS6SQLInjection
