
Only you can prevent SQL injection attacks, Microsoft Security says

By Microsoft Subnet on Tue, 06/24/08 - 9:02pm.

UPDATE 6/25: Microsoft has decided to be helpful on the issue of SQL injection attacks. It released a tool today that it says will analyze code to help Web programmers identify problems that leave them vulnerable to this attack. The Microsoft Source Code Analyzer for SQL Injection tool has been released for Community Technology Review. 


POSTED 6/24 

The non-stop onslaught of SQL injection attacks against Web sites using Microsoft ASP and ASP.NET technologies has prompted Microsoft Security to once again issue a "not our fault" advisory today. It says:

"Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine."

The above advisory may have been in response to (or in conjunction with) today's post from the SANS Internet Storm Center discussing methods to mitigate/prevent SQL injection attacks against ASP. The post, written by Jason Lam, says:

"A lot of our readers are scrambling to find fixes for their applications. ASP is an older-generation Web scripting language and would require a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out the SQL keywords and also escape some of the metacharacters in SQL to prevent SQL injection from happening."

These attacks work because the Web application fails to separate the SQL it wrote from the data a user typed, so malicious input is parsed by the database as part of the statement. A better method than filtering keywords, Lam says, is the "parameterized query," which lets the database distinguish between the static SQL statement and the user input.
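As an added illustration (Python and SQLite standing in for the ASP and SQL Server code the post discusses; this is not code from the post, Microsoft or SANS), here is the concatenated query beside its parameterized form. The user table and the inputs are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for a Web site's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pa55"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the input is pasted into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Mitigated pattern: the statement is fixed and the value is sent
    separately, so the database only ever treats it as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (vulnerable, safe).

    A SQL error from the concatenated version is returned as a string so the
    caller can see that legitimate input with an apostrophe breaks it."""
    conn = make_db()
    try:
        vulnerable = lookup_concatenated(conn, username)
    except sqlite3.Error as exc:
        vulnerable = "error: " + str(exc)
    return vulnerable, lookup_parameterized(conn, username)
```

In ASP.NET the same shape is a SqlCommand with values added through its Parameters collection; in classic ASP it is an ADODB.Command whose Parameters collection carries the values.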
