Microsoft SQL Injection Prevention Strategy
Microsoft released a security advisory today in reaction to the mass SQL injection exploitation on the Internet. Unlike most other Microsoft security bulletins and advisories, this one isn't about Microsoft products. As the advisory puts it: "These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."
Aside from providing links to information on SQL Injection, Microsoft recommends three approaches to help mitigate SQL Injection.
1. Runtime scanning
HP trimmed down a version of the WebInspect scanner to look for SQL injection vulnerabilities on a running website. Please note this scanner is very basic and should be used for a quick inspection only. I like the fact that the scanner has the ability to dump table names, which helps eliminate false positives.
2. URLScan
Microsoft's basic Web App Firewall solution. It has the capability to block unwanted requests. This should only be used as a proactive measure or as an emergency (short-term) fix for SQL injection vulnerabilities, not as a replacement for fixing the code.
3. Code Scanning
MS released a nice ASP source code scanning tool that looks for SQL injection flaws. It is focused on SQL injection and seems to produce very few false positives, which can be a problem with a lot of code scanners.
You may ask, runtime or code? The answer is both if you can do it. For example, if the ASP file calls a stored procedure in the database and that stored procedure concatenates strings and then runs the result with EXEC, code scanning will not flag this problem because the ASP code looks fine (only the stored procedure is the problem). Conversely, runtime scanning can miss some portions of the site because this specific version of the scanner does not follow JavaScript and does not submit POST requests during the spider process.
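The split described above, as an added example that is not from the advisory or from any of the Microsoft or HP tools: a T-SQL stored procedure that splices its parameter into the statement text and runs it with EXEC, beside the same procedure rewritten to hand the value to sp_executesql as a typed parameter. The table, column and procedure names are assumed for illustration. An ASP page that calls either procedure through a parameterized command looks identical, and clean, to the ASP code scanner; only the procedure body differs, which is why the database side needs its own review.

```sql
-- Assumed schema for illustration (not from the advisory).
CREATE TABLE dbo.Products (
    ProductId INT IDENTITY PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    Category  NVARCHAR(50)  NOT NULL
);
GO

-- VULNERABLE: the caller's parameter is concatenated into the SQL text.
-- The ASP page passes @Category as a proper command parameter, so the
-- ASP source looks fine; the flaw lives entirely in this procedure.
-- A value containing a single quote closes the literal, and whatever
-- follows it is executed as SQL with the procedure's privileges.
CREATE PROCEDURE dbo.GetProductsByCategory_Unsafe
    @Category NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ProductId, Name FROM dbo.Products WHERE Category = '''
             + @Category + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: the statement text is a constant; the value travels as a
-- typed parameter to sp_executesql, so quotes in the input stay data.
CREATE PROCEDURE dbo.GetProductsByCategory
    @Category NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ProductId, Name FROM dbo.Products WHERE Category = @cat';
    EXEC sp_executesql @sql, N'@cat NVARCHAR(50)', @cat = @Category;
END;
GO

-- Dynamic SQL is only warranted when the shape of the statement varies.
-- For a fixed query like this one, static SQL is simpler still:
--   SELECT ProductId, Name FROM dbo.Products WHERE Category = @Category;

-- Coarse inventory of procedures that combine EXEC with string
-- concatenation, the check the ASP scanner cannot perform because it
-- never sees the database. Hits need manual review; it is a heuristic.
SELECT o.name AS procedure_name
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE o.type = 'P'
  AND m.definition LIKE '%EXEC%'
  AND m.definition LIKE '%+%';
```

The inventory query at the end reads procedure text from `sys.sql_modules`, so it covers stored procedures the web scanner never reaches and the ASP scanner never parses; pair it with the two Microsoft tools rather than relying on either alone.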
Kudos to Microsoft for releasing the tools and information to help developers fix their apps. The free scanner from HP is appreciated as well.