Protecting your websites against SQL injection using web protection library v1.0

Syed Aslam Basha here from the Information Security Tools team.

Apart from cross-site scripting (XSS) protection and detection, the Web Protection Library (WPL) security runtime engine (SRE), an HTTP module, also protects against and detects SQL injection attacks. The SQL library ships as a supplemental library setup; you can install it during the WPL installation, or later from "C:\Program Files\Microsoft Information Security\Web Protection Library v1.0\SecurityRuntimeEngine\SqlLibInstaller.msi". It is installed as Microsoft Web Protection Library v1.0 Supplemental Libraries. Make sure the SQL library is installed before proceeding.

SQL injection attempts are detected by analyzing user input for SQL queries. If SQL injection is detected, it is logged and the request is rejected.

The module performs three basic tests on each user input:
1. Checks whether the input is a partial SQL WHERE clause.
2. Checks whether the input is a partial parameter that has other SQL clauses appended to it.
3. Checks whether the input is a complete SQL statement.
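To make the three tests concrete, here is an added, constructed Python sketch of that classification logic. It is illustrative code, not the WPL/SRE implementation: the regular expressions, the function names `classify` and `should_reject`, and the sample values are all assumptions, and the patterns are deliberately simplified compared with what a production engine needs.

```python
import re

# Constructed, simplified detector modelled on the three tests the post lists.
# Illustrative code, not the WPL/SRE implementation; the patterns are assumptions
# and a real engine needs a SQL tokenizer rather than a handful of regexes.

COMPARISON = r"\S+\s*(=|<>|!=|<=|>=|<|>|\blike\b)\s*\S+"

# Test 1: input that completes a WHERE clause, e.g.  ' or 1=1 --   or   1 or 'a'='a'
PARTIAL_WHERE = re.compile(r"(^|[\s'\"])(or|and)\s+" + COMPARISON, re.I)

# Test 2: a legitimate-looking value (number or quoted string) with a further
# clause appended, e.g.  1 union select ...   or   1; drop table users
APPENDED_CLAUSE = re.compile(
    r"^\s*(\d+|'[^']*')\s*[;')]*\s*"
    r"(union\b|order\s+by\b|having\b|exec(ute)?\b|--|/\*|"
    r"(select|insert|update|delete|drop|declare)\b)", re.I)

# Test 3: the whole input reads as a complete statement
FULL_STATEMENT = re.compile(
    r"^\s*(select\b.*\bfrom\b|insert\s+into\b|update\b.*\bset\b|"
    r"delete\s+from\b|drop\s+(table|database)\b|exec(ute)?\s+\w+|declare\s+@)",
    re.I | re.S)

TESTS = (
    ("partial-where", PARTIAL_WHERE),
    ("appended-clause", APPENDED_CLAUSE),
    ("full-statement", FULL_STATEMENT),
)

def classify(value):
    """Return the name of the first test that fires, or None for a clean value."""
    for name, pattern in TESTS:
        if pattern.search(value):
            return name
    return None

def should_reject(value):
    # Mirrors the post's behaviour: a detection is logged and the request is rejected.
    verdict = classify(value)
    if verdict:
        print(f"SQL injection suspected ({verdict}): {value!r}")
    return verdict is not None

if __name__ == "__main__":
    # Constructed sample parameter values, not captured traffic.
    for sample in ["42", "O'Brien", "Ford and Sons", "' or 1=1 --",
                   "1 union select name from users", "1; drop table users",
                   "select * from users where id = 1"]:
        print(f"{sample!r:40} -> {classify(sample)}")
```

Legitimate values such as `O'Brien` or `Ford and Sons` pass all three tests, which is the property an exclusion path would otherwise have to compensate for.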

To enable the module, you only need to configure your web.config file: open web.config with the Security Runtime Engine configuration editor and add the SQL Injection Partial Protection module.

You can add exclusion paths to turn off SQL injection detection for the pages that require it.

-Syed Aslam Basha ( syedab@microsoft.com )

Microsoft Information Security Tools (IST) Team

Test Lead
