Microsoft is alerting customers to several tools that could bolster Web application development in the wake of a rising number of SQL injection attacks targeting faulty code in websites.
The software giant recommended customers use the tools in a security advisory Tuesday. It warned customers that it was tracking a rising number of attacks on websites that use Microsoft ASP and ASP.NET technologies. The problem lies with tiny software coding flaws that are difficult to detect.
"These SQL injection attacks do not exploit a specific software vulnerability, but instead, target websites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," said Bill Sisk, Microsoft's security response communications (MSRC) manager.
Researchers had been tracking the mass SQL injection on thousands of websites over the last several months. The attacks are automated, using a number of hacker toolkits that can be purchased on the black market. Ultimately, the attack triggers an error on the server hosting the Web application, allowing the attacker to insert his own code and gain access to the system. Its unclear how many sites have been compromised.
In its advisory to customers, Microsoft identified Scrawlr, a vulnerability scanner co-developed by Hewlett Packard and researchers at the MSRC, which identifies whether a website is susceptible to SQL injection. In a blog entry, HP's Erik Peterson, senior director of products for the application security center, said the tool is not as robust as the vendor's fully supported products, but it is a free and fast way to analyze a website for potential problems. The tool can't identify the line of code responsible and will only crawl up to 1,500 pages. It doesn't support sites requiring authentication and won't test forms for SQL injection, among other limitations, he said.
UrlScan version 3.0 Beta is a tool developed by Microsoft that blocks HTTP requests. Microsoft said the tool will stop harmful requests from reaching the Web application on the server. The tool is designed to read the configuration from the urlscan.ini file. Multiple instances of the tool can be installed to serve as URL filters. It can be tweaked by an administrator to restrict the types of requests processed by the Internet Information Services (ISS).
Microsoft Source Code Analyzer for SQL Injection is also available to detect ASP code susceptible to SQL injection attacks. It generates a report that displays the coding issue. Microsoft admits that the tool also has some limitations -- it only addresses ASP code written in VBScript, and its use could result in some parsing errors.
Putting the tools in the hands of Web developers and IT administrators could help accelerate security awareness in the same way poor product quality did in the mid-90s, said Amrit Williams, a former Gartner analyst, now chief technology officer at BigFix. Williams cautioned that the tools are not a substitute for more advanced technologies or experienced and thorough human analysis.
"Unfortunately it always takes a significant incident to drive folks towards doing the right thing," Williams said in an email exchange. "This is especially true of security as part of the software development life cycle and even more so for Web development, which tends to be rapid, ad-hoc and less structured than traditional software development."