Home Home | Current issue Current issue | Forum and Community Forum & Community | Onekit's Software OneKit's Software
Login: Password: Forget password? / Register New User 
Games Graphics & Design MP3 & Audio Internet & Networks System & Utilities Home & Education Business WebDev SoftDev
Issue: June 2008 > Web Development > Article "Microsoft offers tools for fighting SQL injection attacks"

Microsoft offers tools for fighting SQL injection attacks (Microsoft offers tools for fighting SQL injection attacks)  Microsoft offers tools for fighting SQL injection attacks
Web Development
Advertisement on Onekit.com Software Magazine
In April, the number of web attacks rose sharply, and Microsoft was quickly blamed for the problems. The software giant investigated and concluded that security groups had jumped to conclusions and that the attacks were not related to security vulnerabilities in IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies. Instead, it was found that the attacks were due to automatic exploits of SQL injection vulnerabilities, and the company pointed to its own guides on following good practices to avoid such attacks.

An entry on the Windows Server Division WebLog notes that "SQL injection attacks target Web application code, not Web server code, so they can only be avoided by making sure that any Web application that accepts user input, which is then used to query a database, follows best practices to ensure that the input does not contain malicious code or syntax that might compromise the database, Web site, or even the whole server." For this reason, the newly released Microsoft Security Advisory 954462 is not a security bulletin that includes download links to patches. Instead, it helps developers and Web administrators mitigate and prevent SQL injection attacks by offering the following three tools:

  • Microsoft Source Code Analyzer for SQL Injection (MSCASI): this is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code, showing the user the root cause of first- and second-order SQL Injection vulnerabilities. Since it requires source code access, MSCASI is meant to be used by web developers.
  • Scrawlr: Developed by Microsoft and the HP Web Security Research group, this tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. It is meant to be used by either IT administrators, DB administrators, or web developers.
  • UrlScan 3.0 Beta (x86 and x64): this tool allows for the deployment of SQL filters that restrict the types of HTTP requests that IIS processes. This will hopefully prevent potentially harmful requests from being executed on the server. It is meant to be used by IT administrators for preventing a problem, but does not truly fix an SQL flaw.


It's great to see that Microsoft is taking the time to offer these tools instead of simply laying the blame on web developers and their code. The software giant has done its part, and now it's up to the rest of us to minimize the number of vulnerabilities on our web servers.

Further reading
June 26, 2008 Author: Emil Protalinski


There is no user's comments | Post your comment

Related Links:
Advertisement Advertisement
about / contact us | Copyright 2003-2008 - Software Magazine, onekit.com, Legal Notices