You can use HP Scrawlr, URLScan, or Microsoft Source Code Analyzer for SQL Injection to search your website and SQL Server database for vulnerabilities that could put your environment at risk for a SQL injection attack. You can prevent SQL injection attacks by filtering entry fields on your web pages so that users can only type certain values in the entry field. Designing and developing your application with security in mind can also help prevent SQL injection attacks.
Earlier this year, there was a noticeable upsurge in the number of SQL injection attacks perpetrated against users of Microsoft technologies. SQL injection is a common technique that exploits unfiltered entry fields on a web application. For example, suppose you have an application that lets users enter their first and last names in separate entry fields on a web page. A typical user might enter Bob, Savannah, or Nguyen in an entry field. However, a malicious user might enter “Robert'); DROP TABLE students;--”, which would wreak havoc in the application if the application pastes the field's contents directly into its SQL command: the database would run the injected DROP TABLE statement right after the intended INSERT. This type of attack is called a SQL injection attack because the attacker has appended, or injected, an SQL statement into the entry field.
Protect Your ASP and ASP.NET Applications
SQL injection attacks don’t occur only on SQL Server databases backing ASP and ASP.NET front-end applications; they also occur on PHP applications with MySQL back ends and Java applications with Oracle back ends. All database platforms are vulnerable to SQL injection attacks. You can prevent such attacks by filtering entry fields on your web pages so that only allowable values are permitted.
Because of the upsurge in SQL injection attacks, Microsoft has published a security advisory that points to the following three tools you can use with your ASP and ASP.NET applications to prevent SQL injection attacks:
- URLScan—This security tool actively restricts the kind of HTTP requests that Microsoft IIS will process. URLScan isn’t a substitute for properly programming a web application, but it can prevent some potentially harmful requests from reaching the web application and SQL Server. It works on IIS 5.1 and later, including IIS 7.0 for Windows Server 2008.
- Microsoft Source Code Analyzer for SQL Injection—This command-line tool analyzes your static ASP source code written in VBScript (not ASP.NET) and reveals possible vulnerabilities to SQL injection attacks. The tool then generates a report detailing the vulnerabilities it detected and possible remedies.
Design and Develop Applications with Security in Mind
Although each of these tools can help prevent an attacker from penetrating and damaging your website and SQL Server database, none of them is as effective as designing and developing your application with security in mind. SQL injection is an old style of hacking websites, and it’s quite easy to prevent when value checks are written into the code from the beginning. For more information about preventing SQL injection attacks, I recommend reading "Hack Your Database Before the Hackers Do," May 2008, which explains how to protect your websites and databases. MSDN also offers many articles on that topic.
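The following added example (my own code, not from the article or from any Microsoft tool) reproduces the "Robert'); DROP TABLE students;--" scenario from the introduction against a throwaway in-memory SQLite database, and shows the two value checks the closing paragraph calls for: a parameterized statement and an allow-list filter on the name field. The `students` table, the name allow-list pattern and the batch-executing `executescript` call (standing in for a SQL Server command that accepts multiple statements) are assumptions of the example.

```python
import re
import sqlite3

# Constructed sample input: the injected value quoted in the article.
INJECTED_NAME = "Robert'); DROP TABLE students;--"

# Assumed allow-list for a name field: starts with a letter, then letters,
# spaces, hyphens or apostrophes (so O'Brien passes), at most 50 characters.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def is_valid_name(value: str) -> bool:
    """Filter the entry field so only allowable name values get through."""
    return NAME_PATTERN.fullmatch(value) is not None


def fresh_db() -> sqlite3.Connection:
    """Assumed schema: a two-column students table with one seed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (first_name TEXT NOT NULL, last_name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Savannah', 'Nguyen')")
    return conn


def insert_vulnerable(conn: sqlite3.Connection, first: str) -> None:
    # Concatenates the field into the SQL text and runs it as a batch, the way
    # a classic ASP page building a command string for SQL Server would.
    sql = f"INSERT INTO students (first_name) VALUES ('{first}');"
    conn.executescript(sql)


def insert_safe(conn: sqlite3.Connection, first: str) -> None:
    # The value travels as a parameter, never as part of the SQL text.
    conn.execute("INSERT INTO students (first_name) VALUES (?)", (first,))


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run the injected value through both code paths and report what happened."""
    vuln = fresh_db()
    insert_vulnerable(vuln, INJECTED_NAME)      # DROP TABLE executes
    safe = fresh_db()
    insert_safe(safe, INJECTED_NAME)            # stored as a literal string
    stored = safe.execute(
        "SELECT first_name FROM students WHERE first_name = ?", (INJECTED_NAME,)
    ).fetchone()
    return {
        "vulnerable_table_survives": table_exists(vuln),
        "safe_table_survives": table_exists(safe),
        "safe_stored_literally": stored is not None,
        "allow_list_rejects_payload": not is_valid_name(INJECTED_NAME),
        "allow_list_accepts_name": is_valid_name("Bob"),
    }
```

The allow-list check is a defence in depth: it rejects the payload because of the parenthesis and semicolon, but the parameterized statement is what stops injection even for values the filter lets through.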