The MSRC released an advisory today that discusses the recent SQL injection attacks and announces three new tools to help identify and block these types of vulnerabilities. The advisory discusses the new tools, the purpose of each, and the way each complements the others. The goal of this blog post is to help you identify the best tool to use depending on your role (i.e. Web Developers vs. IT administrators).
Web Developers Recommendations
- The Microsoft Source Code Analyzer for SQL Injection (MSCASI) is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run MSCASI you will need source code access and MSCASI will output areas vulnerable to SQL injection (i.e. the root cause and vulnerable path is identified). In our view, fixing the root cause of the bug is the best way to eradicate vulnerabilities. MSCASI scans ASP source code and generates warnings for first order and second order SQL Injection vulnerabilities. Please refer to the SQL team’s blog and KB 954476 for more details.
IT/Database Administrators Recommendations (as well as Web developers)
We are recommending two of the new tools announced today. One can help identify SQL injection vulnerabilities by crawling the website. The other one aims to block potential SQL injection attacks by filtering malicious requests. The website crawler will be useful if you don’t have access to the source code.
- Microsoft worked with the HP Web Security Research group to release the Scrawlr tool. The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities. For more information check out the HP Web Security Research blog.
- In order to block and mitigate SQL injection attacks (while the root cause is being fixed), you can also deploy SQL filters using a new release of URLScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter will drop the request and it will not be processed by SQL. That said, if a SQL injection flaw has been identified, we highly encourage you to fix the root cause of the problem instead of attempting to produce the perfect filter (since in our view this is error prone). Please refer to one of the two IIS blog posts (1, 2) and the technical documentation
for more details.
The following table summarizes the pros and cons of these tools.
|MSCASI||Identifies SQL Injection vulnerabilities in ASP code through static source code analysis.||Identify the root cause of the bug at the source code level.||This version currently only works on ASP pages.||Web developers|
|Scrawlr||Detect SQL vulnerability using runtime analysis by crawling a website.||No source code is required.||Cannot identify the line of code responsible.||IT/DB Administrator,Web developers|
|UrlScan v3.0 Beta||Runtime filtering that blocks the types of HTTP requests that Internet Information Services (IIS) will process.||URLScan filter can be easily deployed to mitigate SQL injection attack while the root cause is being fixed.||Not fixing the root cause, thus the risk has not been eliminated completely.||IT Administrators|