Microsoft Security Advisory 954462
Rise in SQL Injection Attacks Exploiting Unverified User Data Input
Published: June 24, 2008 | Updated: June 25, 2008
Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.
This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input.
Purpose of Advisory: To assist administrators with identifying and correcting vulnerable ASP and ASP.NET Web application code which does not follow best practices for secure Web application development.
Advisory Status: Microsoft Security Advisory and associated tools were released.
Recommendation: Review the suggested actions and configure as appropriate. It is also suggested that server administrators evaluate the effectiveness of the discussed tools and utilize them as needed.
This advisory discusses the following software:
|Microsoft ASP and ASP.NET technologies|
What is the scope of the advisory?
This advisory is to assist Web site administrators in identifying possible issues with their Web application code being susceptible to possible SQL injection attacks and to provide a stopgap solution to mitigate SQL injection attacks against the server while the applications are being fixed.
Is this a security vulnerability that requires Microsoft to issue a security update?
No. Any Web application code that has followed generally accepted best practices for security is significantly less susceptible to the SQL injection attack. Although this is not a security vulnerability, this advisory was issued to provide additional warning and assistance for administrators with vulnerable sites.
What causes this threat?
Failure to properly validate user input can allow an attacker to inject SQL commands into input fields, which may then execute against a data source leading to database corruption or code execution on the server.
What might an attacker use this function to do?
Attackers may craft an automated attack that can take advantage of SQL injection vulnerabilities in Web pages that do not follow security best practices for Web application development. After compromising the site, an attacker can perform numerous malicious operations on the server, such as deleting a database and redirecting clients browsing to this server to malicious sites that may install malware on the client machine.
Microsoft has identified several tools to assist administrators. These tools cover detection, defense, and identifying possible coding which may be exploited by an attacker.
Detection – HP Scrawlr
Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.
The tool will be a black-box analysis tool (i.e. no source code required). The user will input a starting URL, and the tool will:
- Recursively crawl that URL for hyperlinks in order to build up a site tree.
- Test all discovered links for verbose SQL injection by sending HTTP requests containing SQL injection attack strings in querystring parameters.
- Examine the HTTP responses from the server for SQL error messages that would indicate a SQL injection vulnerability.
- Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.
Defense – UrlScan version 3.0 Beta
UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.
UrlScan version 3.0 is a tool that will allow you to implement many different rules to better protect Web applications on servers from SQL injection attacks. These features include:
- The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.
- A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking un-escaped version of the query string as well.
- The ability to use escape sequences in the deny rules to deny CRLF and other non-printable character sequences in configuration.
- Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).
- Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.
- Enhanced logging to give descriptive configuration errors.
Identifying – Microsoft Source Code Analyzer for SQL Injection
A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.
The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:
- Scans ASP source code for code that can lead to SQL Injection vulnerabilities.
- Generates an output that displays the coding issue.
- This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code.
Microsoft has additional resources to assist administrators with identifying and correcting issues dealing with this exploit.
- Links to other documentation on SQL injection and coding best practices:
Customers in the United States and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at Microsoft Help and Support.
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit Microsoft Security Central.
- You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.
- Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- June 24, 2008: Advisory published.
- June 25, 2008: Removed erroneous references to form field and cookie value testing from the HP Scrawlr tool description.
Built at 2014-04-18T13:49:36Z-07:00