SQL Injection is on the Rise Again

Microsoft recently released a Security Advisory (954462) stating that web sites are being attacked via SQL Injection techniques. Most attacks try to exploit the operating system or the platform software running on it (IIS, SQL Server, Windows, Linux, Apache, etc.). SQL Injection instead targets the customer's own web application, with the goal of gaining access to a system, taking control of an application's data, and other things along those lines.

Microsoft's Security Vulnerability Research & Defense team provides a good article about what this attack means and offers a lot of good reference material.

There are two new tools from Microsoft to (1) help you analyze your ASP and ASP.NET code and (2) filter suspicious requests to your site:

The knowledgebase article on MSCASI can be found here.

SPIDynamics, now owned by HP, offers a number of tools to help with application security.

SQL Injection is only one type of security issue you need to be aware of. There are a lot more out there, and developers (and script-kiddies) should be aware of them. Stack overflows and poor exception handling come to mind. A great place to start would be Developing More Secure ASP.NET 2.0 Applications by Dominick Baier.

Excelsior!
