Microsoft gets more pro-active against SQL injection attacks
Turning up the volume on its vigilance against perhaps the easiest exploit in the world, Microsoft yesterday unveiled a new beta of an overdue security tool for IIS 7, bolstered by two new SQL injection vulnerability seeker tools.
Last April, the vulnerability spotlight was turned once again on Microsoft, as it found itself answering charges that it had enabled a "wave" of SQL injection attacks on Web servers running Internet Information Services, typically in conjunction with Microsoft SQL Server. It turned out not to be a wave after all, but Microsoft turned up the heat anyway, unveiling yesterday a new set of tools for combating SQL injection problems, including the latest beta of its ISAPI query filtering tool.
UrlScan 1.0 was first released in September 2001 as Microsoft's first line of defense against potentially maliciously crafted SQL queries that, when run unchecked, can wreak havoc on a Web server's database infrastructure. Version 2.5 was unveiled last year, but it was primarily tailored for IIS 6.0.
But it's IIS 7.0 that began rolling out late last year, and is now an integral part of Windows Server 2008. That version has a radically modified communications infrastructure, now based on Windows Communication Foundation. The key system driver, http.sys, can handle Web requests very differently, so it's high time that Microsoft introduce an updated UrlScan tailored for IIS 7.
As Microsoft has continually warned from the beginning and which its developers repeated yesterday, UrlScan is not a catch-all for every possible SQL injection attack. Rather, it presents the administrator with a rich set of controls for setting the boundaries of certain features that can be invoked through a SQL query. One exploit that UrlScan has historically been effective with involves the pairing of malicious SQL queries with HTTP requests that involve the use of WebDAV, an authoring and versioning protocol originally designed as an extension to HTTP for enabling collaborative documents. It's still a useful protocol unless your Web site doesn't actually use it, in which case, UrlScan can help you filter WebDAV out. If you do use WebDAV, there are ways UrlScan can help detect typical signs of WebDAV exploits, while letting legitimate requests pass.
BETACHECK
For more:
"SQL Injection Attacks by Example" by Steve Friedl, a brilliant but straightforward essay demonstrating exactly how a typical SQL injection attack is carried out.
"Using UrlScan" -- Updated documentation from Microsoft on setting up and running the UrlScan 3.0 beta with IIS 7.0.
This Microsoft white paper on UrlScan 2.5 (still the current release version) goes into explicit detail on many of these settings, including WebDAV controls. However, it makes the point that more direct control of WebDAV functionality was added to IIS 6.
Installing UrlScan is not an instantaneous affair, and should not be done like some consumer anti-virus program. There are steps which should be undertaken in advance to prepare IIS 7 for the change, which are outlined in this documentation released yesterday.
In addition, Microsoft also released a community technology preview of a new source code analyzer that can detect elements of ASP.NET source code that may be vulnerable to SQL injection attacks. And Microsoft also announced it had teamed up with HP to develop and deliver a Web site crawling tool that examines Web pages for potential holes.
"Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual Web page for SQL Injection vulnerabilities," reads a blog post from HP's security laboratory yesterday. "Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names."