In cast you didn't see it, the Microsoft Security Response Center (MSRC) team just announced the release of three tools to help customers fend off SQL injection attacks:
- UrlScan 3.0 Beta (see Wade Hilmo's blog for more), a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan helps prevent potentially harmful requests.
- Microsoft Source Code Analyzer for SQL Injection (MSCASI) CTP (see the SQL Security blog for more), a tool that can be used to detect ASP code susceptible to SQL injection attacks.
- Scrawlr (see HP's security blog for more), a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.
There are already a lot of resources out there available already for these tools. Let me point you to a few of them:
- The new Microsoft Security Advisory 954462 announcing the tools, with guidance
- Finding SQL Injection with Scrawlr at the HP Security Center
- URLScan Tool 3.0 Beta page, including download links & docs
- MSCASI download and reference kb: Microsoft Knowledge Base Article 954476
- A good discussion of Injection Attacks by Michael Howard on the SDL Blog
- Security Vulnerability Research & Defense Blog on SQL Injection Attack
- SDL blog post on the new tools: SQL Injection Defense Tools
and some best practice guidance for developers:
- How To: Protect from SQL Injection in ASP.NET
- Preventing SQL Injections in ASP, by Bala Neerumalla
- Coding Techniques for protecting against SQL Injection in ASP.NET
- Filtering SQL Injection from Classic ASP
Best regards ~ Jeff
