Microsoft Puts Bull's-Eye on SQL Injection Attacks
http://www.devsource.com/c/a/Architecture/Microsof [2008-7-1]
The release of the products comes at a time when news of legitimate Web sites being compromised by SQL injections has become familiar in the headlines. Microsoft announced these products' availability June 24 in a security advisory.
Two of the tools, UrlScan Version 3.0 Beta and Microsoft Source Code Analyzer for SQL Injection Community Technology Preview, are the sole fruits of Microsoft. The third, a Web site scanner called HP Scrawlr, was developed by Hewlett-Packard's Web Security Research Group in conjunction with Microsoft.
"We are communicating the availability of three separate tools which can help protect individual Web sites from SQL injection attacks," said Microsoft Security Response Communications Manager Bill Sisk. "These free tools offer detection and defense, as well as identify possible code which may be exploited by an attacker. Microsoft encourages customers to review the advisory and follow the recommendation to download these tools for a safer Web site environment."
UrlScan 3.0 works by restricting the types of HTTP requests that IIS (Internet Information Services) will process in order to prevent potentially harmful requests from reaching the Web application on the server. It will install on IIS 5.1 and later versions, including IIS 7.0, and can be downloaded here.
Microsoft's Source Code Analyzer tool targets ASP source code, examining it for code that can lead to SQL injection vulnerabilities. The tool only identifies vulnerabilities in classic ASP code, and does not work on ASP.NET code.
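To make concrete the kind of source-level check described above, here is an added example (not Microsoft's analyzer and not code from the article): a simplified, line-based taint heuristic that flags classic ASP database calls fed by `Request` data. The function name, the sink list and the sample page are assumptions constructed for illustration.

```python
import re

# Constructed classic ASP (VBScript) sample; not taken from any real site.
SAMPLE = '''<%
id = Request.QueryString("id")           ' attacker-controlled
sql = "SELECT * FROM items WHERE id=" & id
Set rs = conn.Execute(sql)
n = CLng(Request.QueryString("n"))       ' forced to a number
safe = "SELECT * FROM items WHERE qty > " & n
Set rs = conn.Execute(safe)
%>'''

STRING = re.compile(r'"[^"]*"')
IDENT = re.compile(r'[a-z_]\w*', re.I)
ASSIGN = re.compile(r'^\s*(?:set\s+)?([a-z_]\w*)\s*=(.*)$', re.I)
# ADO calls that hand a string to the database (assumed sink list).
SINK = re.compile(r'\.(?:execute|open)\b|\.commandtext\s*=', re.I)
# Conversions that yield a number, which cannot carry SQL syntax.
NUMERIC = re.compile(r'(?:cint|clng|cdbl|cbyte)\s*\(', re.I)

def _code_only(line):
    """Blank out string literals and ASP delimiters, then drop ' comments."""
    line = STRING.sub('""', line)
    line = re.sub(r'<%=?|%>', ' ', line)
    return line.split("'", 1)[0]

def _names(text):
    """Lower-cased identifiers (VBScript is case-insensitive)."""
    return {n.lower() for n in IDENT.findall(text)}

def find_sqli_candidates(asp_source):
    """Return [(line_no, tainted_names)] for DB calls fed by Request data."""
    tainted = {"request"}          # the Request object is always untrusted
    findings = []
    for no, raw in enumerate(asp_source.splitlines(), 1):
        code = _code_only(raw)
        s = SINK.search(code)
        if s:
            # Only the arguments after the sink matter, not the result variable.
            hit = sorted(_names(code[s.end():]) & tainted)
            if hit:
                findings.append((no, hit))
        m = ASSIGN.match(code)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2).strip()
            if _names(rhs) & tainted and not NUMERIC.match(rhs):
                tainted.add(lhs)       # taint flows through the assignment
            else:
                tainted.discard(lhs)   # reassigned from clean data
    return findings
```

On the sample, only the first `Execute` call is reported, because the second query is built from a value that passed through `CLng`. A finding is a candidate for review; the usual fix is a parameterized `ADODB.Command` rather than string concatenation.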