Best Practices Security Tools Help ISVs Protect Against Web Attacks

Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data provides advice and tools to protect against a rise in SQL injection attacks. A recent escalation in attacks on Web sites exploits unverified user data input. The attacks target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.

The vulnerability is not exploitable in Web applications that follow best practices for verifying user data. The Security Advisory provides phone support for customers in the United States and Canada who may have been affected by the vulnerability. International customers are given a link through which they can get help locally.

The Security Advisory provides an overview of the issues, a section of frequently asked questions, and a series of suggested actions, including tools to help identify whether your site is vulnerable.

  • Hewlett Packard provides a free scanner, HP Scrawlr, that can identify whether sites are susceptible to SQL injection. It produces a report of the pages that are vulnerable along with the associated fields.
  • A beta version of UrlScan restricts the types of HTTP requests that Internet Information Services (IIS) will process. UrlScan 3.0 installs on IIS 5.1 or later and can be found at URLScan Tool 3.0 Beta.
  • You can check your source code with the SQL Source Code Analysis Tool to detect ASP code that is susceptible. The tool can be found in Microsoft Knowledge Base Article 954476.
  • The Security Advisory also contains additional links to best practices on how to avoid SQL injection attacks, including Coding Techniques for protecting against SQL Injection in ASP.NET and other articles.
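As an added illustration (not code from the advisory or from Microsoft), here is the coding pattern the advisory warns about beside the parameterized form it recommends. It is written in Python against an in-memory SQLite table rather than ASP.NET, but the principle carries across: bound parameters keep user data out of the SQL text, and an allowlist check verifies the input before it is used. The table, the product names and the sample inputs are all constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: two public products and one that must never be listed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("internal-only", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Unverified user data is spliced straight into the query text.
    # The quote characters in the input become part of the SQL, so the
    # WHERE clause the database evaluates is no longer the one the author wrote.
    sql = "SELECT name FROM products WHERE public = 1 AND name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The query text is fixed; the input is bound as a value, so it can only
    # ever be compared against the name column, never reinterpreted as SQL.
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def is_valid_name(name):
    # Allowlist validation (hypothetical rule for this example): product names
    # are 1-40 characters of letters, digits and hyphens. Reject anything else
    # before it reaches the database layer.
    return re.fullmatch(r"[A-Za-z0-9-]{1,40}", name) is not None


if __name__ == "__main__":
    db = make_db()
    # A textbook tautology input; it is constructed here only to show the contrast.
    for user_input in ["widget", "' OR '1'='1"]:
        print(repr(user_input), "valid:", is_valid_name(user_input))
        print("  concatenated :", lookup_vulnerable(db, user_input))
        print("  parameterized:", lookup_parameterized(db, user_input))
```

With the concatenated query the second input returns every row, including the non-public one, while the parameterized query returns nothing because no product has that literal name.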

To learn more about how you can protect your Web site from SQL injection, see Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data.