Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data Input
Published: June 24, 2008 | Updated: June 25, 2008
Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability; instead they target Web sites whose code builds database queries from unvalidated user input rather than following secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can read or modify data stored in these databases and may be able to execute code on the server. Clients browsing to a compromised server can be redirected, without their knowledge, to malicious sites that attempt to install malware on the client machine.
Mitigating Factors:
These attacks do not succeed against Web applications that follow generally accepted best practices for secure Web application development: validating all user-supplied input and passing it to the database through parameterized queries or stored procedure parameters rather than concatenating it into SQL text. Input validation alone narrows the attack surface; parameterization is what removes it, because the values can never change the structure of the statement.
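The following is an added example, not code from the advisory, showing the coding pattern the advisory is warning about beside the parameterized form. It uses Python's built-in sqlite3 module so it runs offline; the table and rows are constructed for the demonstration, and the mechanism is identical for classic ASP code that builds a string from Request("user") and hands it to ADO's conn.Execute, or for ASP.NET code that concatenates into a SqlCommand.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample table for the demonstration; not data from the advisory.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """The pattern the advisory warns about: request values are concatenated into the
    SQL text (classic ASP does this with Request("user") and ADO's conn.Execute).
    A quote in the input terminates the literal and the rest becomes SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def safe_login(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """The fix: the SQL text is a constant and the values travel as parameters, so a
    quote in the input is only ever compared as data. ADODB.Command with
    CreateParameter, or SqlCommand.Parameters in ASP.NET, gives the same guarantee."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"                                      # authentication bypass
    exfil = "' UNION SELECT username, password FROM users --"  # reads another column set
    print("legitimate:", vulnerable_login(db, "alice", "s3cret"))
    print("bypass    :", vulnerable_login(db, bypass, bypass))   # every row comes back
    print("exfil     :", vulnerable_login(db, exfil, "x"))       # password column leaks
    print("safe      :", safe_login(db, bypass, bypass))         # no row matches
```

sqlite3's execute() refuses a second statement in one call, so the stacked-query form (a semicolon followed by an UPDATE that rewrites stored content) cannot be shown here; SQL Server reached through ADO does execute stacked statements, which is how a single injected request can modify every text column in a database and is why the advisory warns about clients being redirected from compromised servers.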
Purpose of Advisory: To assist administrators with identifying and correcting vulnerable ASP and ASP.NET Web application code which does not follow best practices for secure Web application development.
Advisory Status: Microsoft Security Advisory and associated tools were released.
Recommendation: Review the suggested actions and configure as appropriate. It is also suggested that server administrators evaluate the effectiveness of the discussed tools and utilize them as needed.
This advisory discusses the following software: Microsoft ASP and ASP.NET technologies.
Suggested Actions
Microsoft has identified several tools to assist administrators. These tools cover detection (black-box scanning of a running site), defense (request filtering at the Web server) and identification of source code that an attacker may be able to exploit.
• Detection – HP Scrawlr
Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.
Detailed description:
Scrawlr is a black-box analysis tool (no source code required). The user supplies a starting URL, and the tool will:
• Recursively crawl that URL for hyperlinks in order to build up a site tree.
• Test every discovered link for verbose (error-based) SQL injection by sending HTTP requests containing SQL injection attack strings in the query-string parameters.
• Examine the HTTP responses from the server for SQL error messages that would indicate a SQL injection vulnerability.
• Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.
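The scan procedure listed above, written out as an added example; this is not Scrawlr's code, which HP has not published on this page. It assumes a fetch callable that returns the response body for a URL, and the fake site at the bottom is constructed so the example runs offline: products.asp concatenates its id parameter into SQL and leaks a SQL Server error, login.asp does the same only for its user parameter, and the error text is the familiar ODBC/OLE DB message a classic ASP page emits.

```python
import re
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

Fetch = Callable[[str], str]   # URL -> response body (assumed interface)

# Error text that a verbose SQL failure in a classic ASP / SQL Server stack leaks into HTML.
ERROR_SIGNATURES = [
    re.compile(r"Microsoft OLE DB Provider for (ODBC Drivers|SQL Server)", re.I),
    re.compile(r"\[Microsoft\]\[ODBC SQL Server Driver\]", re.I),
    re.compile(r"Unclosed quotation mark", re.I),
    re.compile(r"Incorrect syntax near", re.I),
]
PROBES = ["'", '"', "'--"]          # appended to a parameter's existing value
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def looks_like_sql_error(body: str) -> bool:
    return any(sig.search(body) for sig in ERROR_SIGNATURES)

def with_payload(url: str, param: str, payload: str) -> str:
    """Return url with payload appended to the value of one query-string parameter."""
    parts = urlsplit(url)
    query = [(k, v + payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def crawl(start_url: str, fetch: Fetch, limit: int = 100) -> List[str]:
    """Follow same-host hyperlinks from start_url to build the site tree."""
    host = urlsplit(start_url).netloc
    seen: Set[str] = set()
    queue = [start_url]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        for href in HREF_RE.findall(fetch(url)):
            link = urljoin(url, href)
            if urlsplit(link).netloc == host and link not in seen:
                queue.append(link)
    return sorted(seen)

def scan_url(url: str, fetch: Fetch) -> List[Tuple[str, str]]:
    """Probe each query-string parameter; return (page, parameter) pairs that leak SQL errors."""
    parts = urlsplit(url)
    findings: List[Tuple[str, str]] = []
    if looks_like_sql_error(fetch(url)):
        return findings   # page errors without our input: cannot attribute it to injection
    for param in dict(parse_qsl(parts.query, keep_blank_values=True)):
        for probe in PROBES:
            if looks_like_sql_error(fetch(with_payload(url, param, probe))):
                findings.append((parts.path, param))
                break
    return findings

def scan_site(start_url: str, fetch: Fetch) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for url in crawl(start_url, fetch):
        findings.extend(scan_url(url, fetch))
    return sorted(set(findings))

# --- constructed fake site so the example runs offline -------------------------------
_SQL_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'<br>"
              "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
              "before the character string ''.")

def _fake_site(path: str, q: Dict[str, str]) -> str:
    if path == "/index.asp":
        return ('<a href="/products.asp?id=7">Products</a> '
                '<a href="login.asp?user=guest&pw=x">Login</a>')
    if path == "/products.asp":      # id is concatenated into SQL: vulnerable
        return _SQL_ERROR if "'" in q.get("id", "") else "<p>Product %s</p>" % q.get("id", "")
    if path == "/login.asp":         # user concatenated, pw parameterized
        return _SQL_ERROR if "'" in q.get("user", "") else "<p>Login form</p>"
    return "<h1>404</h1>"

def fake_fetch(url: str) -> str:
    parts = urlsplit(url)
    return _fake_site(parts.path, dict(parse_qsl(parts.query, keep_blank_values=True)))

if __name__ == "__main__":
    for page, field in scan_site("http://example.test/index.asp", fake_fetch):
        print("vulnerable: field %r on page %r" % (field, page))
```

Two caveats apply to this approach as much as to Scrawlr itself: it only finds injection that produces a visible database error, so a site that suppresses error pages can still be injectable (blind injection) and a clean scan is not proof of absence; and it only exercises query-string parameters, so POST form fields and cookies are not covered.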
• Defense – UrlScan version 3.0 Beta
UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.
Detailed Description:
UrlScan version 3.0 lets you implement a range of rules to better protect Web applications on IIS servers from SQL injection attacks. Its features include:
• The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.
• A global DenyQueryString section that lets you add deny rules for query strings, with the option of also checking the unescaped (URL-decoded) version of the query string, so that percent-encoded characters such as %27 or %3B cannot slip past rules written against the literal characters.
• The ability to use escape sequences in deny rules, so that CRLF and other non-printable character sequences can be expressed in the configuration file.
• Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).
• Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.
• Enhanced logging to give descriptive configuration errors.
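An added example, not Microsoft's UrlScan code or its shipped configuration, showing the rule semantics the feature list above describes: deny rules scoped independently to the URL, the query string, all headers or one header; patterns written with URL escape sequences for non-printable bytes; and the choice of testing the query string in raw or unescaped form. The rule list is illustrative and assumed for this example; the request values are constructed.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# One rule = (scope, pattern). scope is "url" (the path), "query" (the query string),
# "headers" (every header value) or "header:<name>" (one named header). Patterns may
# contain URL escape sequences (%0d%0a = CRLF) so non-printable bytes can be written in
# configuration; load_rules() decodes them once.
Rule = Tuple[str, str]

# Illustrative deny list, assumed for this example; not Microsoft's urlscan.ini defaults.
RULES: List[Rule] = [
    ("query", "--"),            # T-SQL end-of-line comment used to discard the query tail
    ("query", ";"),             # statement separator enabling stacked queries
    ("query", "xp_"),           # extended stored procedures such as xp_cmdshell
    ("query", "cast("),         # CAST(...) commonly used to decode an encoded payload
    ("query", "declare "),      # DECLARE @var used by scripted payloads
    ("header:cookie", "xp_"),   # the same tricks arriving in a cookie
    ("headers", "%0d%0a"),      # raw CRLF inside any header value
    ("url", ".."),              # a per-URL rule, kept separate from the query rules
]

def load_rules(rules: List[Rule]) -> List[Rule]:
    """Decode escape sequences in patterns and normalise case once at load time."""
    return [(scope.lower(), unquote(pattern).lower()) for scope, pattern in rules]

def _matches(pattern: str, value: str, unescape: bool) -> bool:
    forms = [value.lower()]
    if unescape:
        forms.append(unquote(value).lower())   # also test the URL-decoded form
    return any(pattern in form for form in forms)

def check_request(path: str, query: str, headers: Dict[str, str],
                  rules: List[Rule], unescape_query: bool = True) -> Optional[Rule]:
    """Return the first rule the request violates, or None if IIS may process it."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    for scope, pattern in load_rules(rules):
        if scope == "url" and _matches(pattern, path, True):
            return (scope, pattern)
        if scope == "query" and _matches(pattern, query, unescape_query):
            return (scope, pattern)
        if scope == "headers" and any(_matches(pattern, v, False) for v in hdrs.values()):
            return (scope, pattern)
        if scope.startswith("header:") and _matches(pattern, hdrs.get(scope[7:], ""), False):
            return (scope, pattern)
    return None

if __name__ == "__main__":
    encoded = "id=7%3B%20declare%20%40s"   # "id=7; declare @s" after decoding
    print("raw only   :", check_request("/products.asp", encoded, {}, RULES, unescape_query=False))
    print("unescaped  :", check_request("/products.asp", encoded, {}, RULES))
    print("header CRLF:", check_request("/products.asp", "", {"User-Agent": "Mozilla\r\nX-Injected: 1"}, RULES))
```

The raw-only check passes the encoded payload straight through, which is the reason the unescaped option exists. Two limits a practitioner should keep in mind: UrlScan inspects the URL, query string and headers, not the POST entity body, so injection through form fields is not filtered; and a deny list is trivially bypassed by a payload that avoids the listed tokens (and the apostrophe is deliberately absent from this list, since blocking it rejects legitimate input such as O'Brien). The filter buys time; the fix remains parameterized queries in the application.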
• Identifying – Microsoft Source Code Analyzer for SQL Injection
A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.
Detailed Description:
The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:
• Scans ASP source code for code that can lead to SQL Injection vulnerabilities.
• Generates an output that displays the coding issue.
• This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code.
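A miniature version of the kind of source-code check described above, written as an added example; it is not the Microsoft Source Code Analyzer's own code or algorithm, which the advisory does not publish. It assumes the classic ASP conventions visible in the sample script: request data arrives through Request(...), Request.QueryString(...), Request.Form(...) and similar, is assigned to variables, and reaches the database through ADO's Execute or CommandText. The ASP snippet is constructed for the demonstration.

```python
import re
from typing import List, Set, Tuple

# Constructed classic ASP page (not from the advisory or the tool's documentation).
SAMPLE_ASP = '''\
<%
Dim id, name, sql, rs
id = Request.QueryString("id")
name = Request.Form("name")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
sql = "SELECT * FROM Products WHERE ProductID = " & id
Set rs = conn.Execute(sql)
Set rs2 = conn.Execute("SELECT * FROM Users WHERE Name = '" & Request("user") & "'")
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Users WHERE Name = ?"
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, name)
Set rs3 = cmd.Execute
%>
'''

SOURCE_RE = re.compile(r'\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.+)$', re.I)
SQL_LITERAL_RE = re.compile(r'"[^"]*\b(select|insert|update|delete|exec)\b[^"]*"', re.I)
EXEC_RE = re.compile(r'\.Execute\s*\(?\s*(\w+)\s*\)?|\.CommandText\s*=\s*(\w+)\s*$', re.I)
IDENT_RE = re.compile(r'\b\w+\b')

Finding = Tuple[int, str, str]   # (line number, reason, source line)

def analyze(source: str) -> List[Finding]:
    """Two-step taint check over one ASP file: remember which variables hold request
    data, flag SQL string literals concatenated with them, then flag execution of
    any variable that holds such a string."""
    tainted: Set[str] = set()       # variables holding raw request data
    tainted_sql: Set[str] = set()   # variables holding SQL text built from request data
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), 1):
        outside_strings = re.sub(r'"[^"]*"', '""', line)   # identifiers only, not literal text
        uses_taint = bool(SOURCE_RE.search(line)) or any(
            tok.lower() in tainted for tok in IDENT_RE.findall(outside_strings))
        builds_sql = bool(SQL_LITERAL_RE.search(line)) and "&" in line
        if builds_sql and uses_taint:
            findings.append((no, "untrusted data concatenated into SQL text", line.strip()))
        m = ASSIGN_RE.match(line)
        if m:
            lhs = m.group(1).lower()
            if builds_sql and uses_taint:
                tainted_sql.add(lhs)
            elif uses_taint:
                tainted.add(lhs)
        for em in EXEC_RE.finditer(line):
            var = (em.group(1) or em.group(2) or "").lower()
            if var in tainted_sql:
                findings.append((no, "execution of SQL text built from untrusted data", line.strip()))
    return findings

if __name__ == "__main__":
    for no, reason, text in analyze(SAMPLE_ASP):
        print("line %d: %s\n    %s" % (no, reason, text))
```

On the sample the parameterized ADODB.Command path (CommandText with a ? placeholder and CreateParameter) is correctly left alone while the two concatenations and the Execute of the concatenated string are reported; like any lexical check it cannot see taint that crosses include files or function boundaries, so a clean report is a starting point for review, not a proof.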
Full Advisory/source: Microsoft TechNet
Note: these SQL injection attacks must be considered extremely dangerous.
Smokey
June 29, 2008 | Posted by Smokey | Categories: Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | Tags: asp.net, exploits, HP Scrawlr, IIS, Microsoft Security Advisory (954462), Microsoft Source Code Analyzer for SQL Injection, sql injection attacks, URLScan Tool 3.0 Beta, Vulnerabilities