Microsoft has released an advisory for the recent SQL Injection attacks which points to several tools that will help identify and block these types of attacks. The goal of this blog post is to help our audience identify the best tool depending on their role (i.e. web developers vs. IT administrators). Currently, there are three tools available; they serve different purposes and complement each other.
Recommendations for web developers
· The Microsoft® Source Code Analyzer for SQL Injection is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run this tool you will need source code access, and the tool will output the areas vulnerable to SQL injection (i.e. the root cause and the vulnerable path are identified). In our view, fixing the root cause of the bug is the best way to eradicate vulnerabilities. The tool scans ASP source code and generates warnings for first-order and second-order SQL Injection vulnerabilities.
Recommendations for IT/database administrators (web developers can benefit from these as well)
We are recommending two tools: one helps identify SQL injection vulnerabilities by crawling the website (for example, when access to the source code is not possible), and the other aims to block potential SQL injection attacks.
· HP Scrawlr, developed by the HP Web Security Research Group, will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities (Microsoft has worked with HP in this effort). Scrawlr uses some of the same technology found in WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in the recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will then be analyzed for SQL injection vulnerabilities. For more information check out https://download.spidynamics.com/products/scrawlr/
· Second, in order to block and mitigate SQL injection attacks (while the root cause is being fixed), one can deploy filters using UrlScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being executed on the server. Basically, it uses a set of keywords to block certain requests (i.e. a matching request is dropped by IIS and never reaches SQL Server). That said, we highly encourage fixing the root cause of the problem instead of attempting to produce a perfect filter that will block all types of attacks (since in our view this is not possible and is error prone).
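Since both sets of recommendations come back to fixing the root cause in the ASP page itself, here is what that fix looks like for the first-order case the analyzer reports. This is an added illustration, not code from the advisory or from any of the three tools; the Products table, the ProductId column and the Application("ConnString") connection string are assumed for the example.

```asp
<%
Option Explicit
' ADO constants (normally pulled in from adovbs.inc)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string kept at application scope

Dim rawId, rs
rawId = Request.QueryString("id")

' --- Root cause (first-order SQL injection): the query string value is pasted
' straight into the SQL text, so the value can change the statement instead of
' being compared as data. Shown here only for contrast; this line must not ship.
'
'   Set rs = conn.Execute("SELECT Name, Price FROM Products WHERE ProductId = " & rawId)

' --- Fix: reject input that is not even the right shape, then send the value as a
' typed parameter. The SQL text is now constant, so whatever the client sends can
' only ever be treated as an integer value, never as part of the statement.
If Not IsNumeric(rawId) Then
  Response.Status = "400 Bad Request"
  Response.End
End If

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Name, Price FROM Products WHERE ProductId = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
Set rs = cmd.Execute

Do Until rs.EOF
  ' Encode output as well: data read back from the database is untrusted on the way out.
  Response.Write Server.HTMLEncode(rs("Name")) & ": " & rs("Price") & "<br>"
  rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same pattern (constant SQL text plus typed parameters) closes the second-order case too, since a value stored earlier and read back from the database is then also passed as a parameter rather than concatenated.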
The following table summarizes the pros and cons of these tools.

Microsoft Source Code Analyzer for SQL Injection
  Description: Identifies SQL Injection vulnerabilities in ASP code through static code analysis.
  Pros: Identifies the root cause of the bug at the source code level.
  Cons: This version currently only works on ASP pages.

HP Scrawlr
  Description: Detects SQL Injection vulnerabilities by crawling a website.
  Pros: No source code is required.
  Cons: Cannot identify the line of code responsible.

UrlScan v3.0 Beta
  Description: Blocks the types of HTTP requests that Internet Information Services (IIS) will process.
  Pros: A UrlScan filter can be easily deployed to mitigate SQL injection attacks while the root cause is being fixed.
  Cons: Does not fix the root cause, so the risk has not been eliminated completely.