Microsoft ships free code auditing tools to thwart SQL injection attacks


On the heels of a dramatic rise in SQL injection attacks linked to drive-by malware downloads, Microsoft has released free tools aimed at helping Webmasters and IT administrators block and eradicate this attack class.

According to a security advisory from the Redmond, Wash. software giant, the tools are available for free and cover detection, defense, and identification of coding flaws that an attacker could exploit.

One of the tools, called Scrawlr, was created in partnership with the HP Web Security Research group (formerly SPI Dynamics).

Here's the skinny on the three new tools:

Scrawlr:  The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities.

Microsoft Source Code Analyzer for SQL Injection: Called MSCASI, this is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run MSCASI you will need source code access, and MSCASI will output the areas vulnerable to SQL injection (i.e. both the root cause and the vulnerable path are identified). It scans ASP source code and generates warnings for first order and second order SQL Injection vulnerabilities.

URLScan 3.0: This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, URLScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter drops it and it never reaches the SQL database. That said, if a SQL injection flaw has been identified, you are encouraged to fix the root cause of the problem instead of attempting to produce the perfect filter, which the advisory itself calls error prone.
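As an added illustration of the kind of first-order check a tool like MSCASI performs (this is a toy scanner written for this page in Python, not Microsoft's tool or its algorithm), the script below walks a constructed classic-ASP snippet, tracks variables assigned from Request, and flags SQL sinks (Execute, Open, CommandText) that receive them; the parameterized ADO command in the same sample passes clean. Second-order (stored) injection, which MSCASI also reports, is not modeled.

```python
import re

# Constructed classic-ASP sample (not from the article): a query built by
# concatenating Request input, then a parameterized ADO command for the
# same lookup (adInteger = 3, adParamInput = 1).
SAMPLE_ASP = """\
Dim uid, sql, rs
uid = Request.QueryString("id")
sql = "SELECT * FROM users WHERE id=" & uid
Set rs = conn.Execute(sql)
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM users WHERE id=?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , Request.QueryString("id"))
Set rs2 = cmd.Execute
"""

# VBScript assignment: optional "Set", name, "=", expression.
ASSIGN = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$', re.IGNORECASE)
# SQL sinks: Connection/Command.Execute, Recordset.Open, Command.CommandText.
SINK = re.compile(r'\.(?:Execute\b|Open\b|CommandText\s*=)\s*(.+)$', re.IGNORECASE)

def is_tainted(expr, tainted):
    """True if expr reads Request.* directly or names a tainted variable."""
    bare = re.sub(r'"[^"]*"', '""', expr)  # ignore names inside string literals
    if re.search(r'\bRequest\b', bare, re.IGNORECASE):
        return True
    return any(re.search(r'\b%s\b' % re.escape(v), bare, re.IGNORECASE) for v in tainted)

def find_first_order_sqli(asp_source):
    """Return (line_number, line) for each SQL sink fed by request-derived data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(asp_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and is_tainted(m.group(2), tainted):
            tainted.add(m.group(1).lower())  # VBScript names are case-insensitive
        s = SINK.search(line)
        if s and is_tainted(s.group(1), tainted):
            findings.append((lineno, line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, text in find_first_order_sqli(SAMPLE_ASP):
        print(f"line {lineno}: request data reaches SQL sink: {text}")
```

On the sample only the concatenated `conn.Execute(sql)` on line 4 is reported; the `CreateParameter` call passes the same request value to the database as a bound parameter and is not a finding.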


Talkback

4 comments
  • SQL's failure

    SQL's #1 failure is its ailing concept that a single string is a sufficient API. Its stronger APIs are left in disuse by those who advocate this policy. Injection follows.

    I've never heard of a perl script falling for SQL injection, since the primary mode of use for the perl version uses the stronger API. PHP, ASP? yeah. Thought so.
    cmdrrickhunter@...
    • Can you elaborate?

      [i]SQL's #1 failure is its ailing concept that a single string is a sufficient API.[/i]

      I'm not sure I understand what you mean by this, can you elaborate? What I find a little confusing is that you seem to be comparing a database (SQL) to a programming language (perl/PHP). It would be like saying: [i]I think Oracle is better than C++.[/i]

      If, however, I can guess at what you mean (and it is only a guess, correct me if I'm wrong), you seem to be saying that SQL does not support the use of parameterized queries and instead requires all queries to be submitted as a single string. That couldn't be further from the truth. I'm not sure if that has ever been true but it certainly hasn't been true since I started using SQL 2000.

      If, however, you are saying that SQL programmers, on average, refuse to use proper coding techniques that have been available with SQL (and ADO) for many years now, I guess you could be right. That sounds like an issue with those programmers though since [url=http://aspnet101.com/aspnet101/tutorials.aspx?id=1] using parameterized queries with SQL and ADO [/url] is really, really, really easy. In fact, I would argue that it is much easier and cleaner than doing string substitution.
      NonZealot
    • Not sure what you're getting at...

      Most web languages have mechanisms to protect against injection. I know PHP has multiple options in multiple abstraction libraries. The problem is when people don't use them. To attack SQL over this doesn't make sense. SQL itself does what it needs to do almost flawlessly. The languages that produce SQL statements to be sent to databases are the ones that need to be careful about what they send.
      storm14k
  • Scrawlr is a joke

    Ryan, have you tried it? I ran it against my blog. After finding 14 links, it quit. Apparently at 14 links, it times out and says that it has been limited to 14 links. Oh and you can go purchase their other tools that are unlimited.

    Worst part? If it hits more than 14 links, the program stops functioning. It doesn't continue and run the audit against the first 14 links. No, once it finds 15 links it quits running.

    How many sites only have 14 links?
    mtgarden