Securing Against SQL Injection
Anything that can be done to make it easier to build more secure applications has to be a good thing. I spotted that yesterday we announced three new tools to help protect against and identify potential SQL injection issues with ASP.NET and classic ASP applications.
- HP Scrawlr
  - A black-box analysis tool that can be pointed at a site, which is then scanned for potential SQL injection vulnerabilities by building a site map and sending HTTP requests with attack strings, then examining the responses for messages that might indicate a vulnerability
- UrlScan version 3.0 Beta
  - A request "filtering" tool for IIS that can block specific types of requests so they will never be processed
- Microsoft Source Code Analyzer for SQL Injection
  - Scans your classic ASP source to find code susceptible to SQL injection attack
More details on all of these can be found in Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input.