Over the past several months, a number of SQL injection attacks have been targeted at systems running Microsoft IIS and Microsoft SQL Server, and thousands of those systems were victims because of poor Web site security. Some of the attacks use specialized automation tools that can query Google for vulnerable Active Server Pages (ASP) and subsequently attack the sites on which those pages reside.
In April, Bojan Zdrnja posted a fairly detailed analysis of one such tool in the SANS Handler's Diary blog at isc.sans.org/diary.html?storyid=4294. Then in May, SecureWorks said that it had detected a SQL injection exploit tool that was compounding matters even further. The tool was discovered as it was being pushed out to a big botnet, and, of course, the tool made all the bots capable of launching SQL injection attacks. You can read about the exploit tool at
www.secureworks.com/research/threats/danmecasprox/.
It's probably safe to say that just about all of the successful exploits were a direct result of poor Web application coding practices, as well as a lack of adequate failsafe security defenses. Failure to properly sanitize user-provided input will invariably lead to a security breach. However, using a strong back-end Web application security system can help stop malicious code that makes its way past any sanitation code that's built into your Web applications.
Last week, to help with proper coding practices, Microsoft stepped up to offer some advice. The company released the security advisory, "Rise in SQL Injection Attacks Exploiting Unverified User Data Input" (www.microsoft.com/technet/security/advisory/954462.mspx), which outlines three tools that can be used to find and fix coding problems.
One of the tools, Scrawlr, is relatively new and provided by HP. The tool will crawl a Web site to look for SQL injection attack vectors. In the security advisory, Microsoft also reminds administrators of its long-standing UrlScan tool, which is now available as a version 3.0 beta. Both of these tools scan the publicly exposed side of a Web site. To dig deeper, actual source code can be examined for vulnerabilities by using Microsoft's Source Code Analyzer for SQL Injection tool. However, be aware that the tool can examine only ASP code that's written with VBScript, and it doesn't parse all types of ASP constructs. In other words, the tool has its limitations.
You should also strongly consider using a Web application firewall to protect your Web site. There are a wide range of choices available today. Some of the solutions that I'm aware of are AppliCure dotDefender, ArmorLogic Profense, Barracuda Web Site Firewall, Breach Security WebDefend and ModSecurity, eEye Digital Security SecureIIS, F5 BIG-IP Application Security Manager, Imperva SecureSphere, Privacyware ThreatSentry, Protegrity Defiance Threat Management System, Radware AppXcel with Web Application Firewall, and webScurity webApp.secure. All of these products can easily be located using your favorite search engine.
Keep in mind that Web application firewalls should be considered only part of an overall security strategy—even with such a solution in place you still need to do everything you can to ensure that your code and your database servers are as secure as they can be.
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
SharePointConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
VMworld 2008 - Sign Up Today! Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.
Microsoft® Tech•Ed EMEA 2008 IT Professionals Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Are You Really Compliant with Software Regulations? View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.
Register
