News

Developers Can Fight Back

Three new tools let programmers examine application code for SQL-injection vulnerabilities.

• By John K. Waters
• 07/15/2008

After months of warnings about new SQL-injection attacks, there's help for developers looking to fight back.

Microsoft has released two free tools designed to help Web developers and site administrators ferret out the flaws in their existing code before the attackers do, and the company has partnered with Hewlett-Packard Co. to provide a third line of defense.

The three tools -- URLScan 3.0, Microsoft Source Code Analyzer for SQL Injection and SQL Injector and Crawler (Scrawlr) -- take on the problem from different angles.

URLScan is not a new tool, but the 3.0 release comes with specific features for circumventing SQL-injection attacks. It installs as a filter on Internet Information Services (IIS), which looks at incoming HTTP requests in real time, explains Bryan Sullivan, security program manager in Microsoft's Trustworthy Computing Group. It can then prevent potentially harmful requests from reaching the server, Sullivan says. Version 3.0 works on a "blacklist" capability, looking for parts of the input that would appear to be part of a SQL-injection attack. It notices certain keywords and requests, flags them as suspicious and blocks the request. URLScan 3.0 will install on IIS 5.1 and subsequent versions.

Microsoft Source Code Analyzer for SQL Injection is a brand-new tool developed shortly after Microsoft issued its first guidance notes -- which can be found here -- on the SQL-injection epidemic in May. The new tool is aimed at analyzing "classic" Active Server Pages (ASP) source code, Sullivan says.

"There are a lot of analysis tools out there for ASP.NET," he adds, "but no one has given much love to classic ASP for a while. I doubt it's still in active development, but there are still a lot of ASP sites on the Web."

The Source Code Analyzer is a static dataflow-analysis tool designed to discover SQL-injection vulnerabilities in ASP code, particularly those listed in a Microsoft guidance article entitled "Preventing SQL Injections in ASP". It looks at ASP code for potential SQL-injection vulnerabilities, both first- and second-order, and points the developer to the exact line of source code where the error occurs.

Going for ASP Code
Many of the recent SQL-injection attacks -- but not all of them -- have, in fact, targeted early-stage, legacy Web apps built on ASP, Microsoft's first server-side script engine for dynamically generated Web pages, observes Dr. Chenxi Wang, principal analyst in the Security and Risk Management Group at Forrester Research Inc.

"This isn't a new animal," Wang says, "but it's a new attack strategy. In the old days, the attackers would look for a Web site and then launch an attack. Nowadays, the attackers are using Google search to find these old ASP apps. Google search is a powerful tool, and the search query results provide a lot of information. It makes it a lot easier to identify lots of vulnerable sites in one swoop."

"A lot" is right: This wave of SQL-injection attacks -- which began in January, seemed to break in April but then rose again in May -- has compromised approximately 500,000 Web sites, Wang estimates.

"This is something [the attackers] certainly could have done, say, last year, but someone figured this out this year, and so we have this wave of attacks," Wang adds.

The third tool, Scrawlr, was released by HP at the same time Microsoft rolled out URLScan and Source Code Analyzer. It's a black-box analysis tool, which means that it doesn't require access to source code to do its job. Developers point Scrawlr at a Web application's URL and the tool crawls over it, analyzing the app for SQL-injection vulnerabilities.

Sullivan, who just joined Microsoft in January from HP, was a security researcher at SPI Dynamics, which HP acquired last year. "We had the filtering tool in URLScan and the source-analysis tool, but we also wanted a black-box solution," Sullivan says. "I knew my former colleagues at SPI Dynamics had the knowledge to make that happen in a great tool in a short amount of time." Scrawlr was developed by HP's Web Security Research Group, working in conjunction with Microsoft.

Defense for Developers These three new offerings are designed to help programmers ward off SQL injections: URLScan 3.0 Installs as a filter on Internet Information Services and looks at incoming HTTP requests in real time Prevents potentially harmful requests from reaching the server Offers "blacklist" capability: looks for input that would appear to be part of a SQL-injection attack Microsoft Source Code Analyzer for SQL Injection Analyzes "classic" ASP source code Discovers SQL-injection vulnerabilities Points developers to the exact line of source code where an error occurs Hewlett-Packard's SQL Injector and Crawler (Scrawlr) Developed by SPI Dynamics, which was acquired by HP last year Black-box analysis tool that doesn't require access to source code Developers point to an app's URL and the tool crawls, analyzing for SQL-injection vulnerabilities -- J.K.W.

Not a Cure-All
Gartner Inc. analyst John Pescatore applauds Microsoft and HP for acting quickly to provide these security solutions, but he warns that they're likely to be too lightweight for large organizations, which are better advised to look at enterprise-weight solutions like IBM's WatchFire, HP's SPI Dynamics and products from Fortify Software Inc.

SQL-injection attacks are a subset of what are called "command-injection attacks," Pescatore points out, where the attacker executes unauthorized SQL commands by taking advantage of insecure code. Command-injection attacks are used to steal information or to gain access to an organization's host computers through the machine that's hosting the database. And they're mostly avoidable, Pescatore says: "Nearly 90 percent of the SQL-injection problem is the result of insecure coding practices," he says.

Wang has a more favorable view of these tools than Pescatore. "They're very lightweight and fast," she says. "They're designed to help you discover whether your Web site is vulnerable right now." But she agrees that the ultimate solution will come from the proliferation of secure coding practices. And both analysts praise Microsoft for publishing and supporting its Secure Development Lifecycle (SDL). Gartner pointed to the SDL when it recently declared Microsoft to be leading the industry in promoting better coding practices. Microsoft has made the details of the SDL process, version 3.2, available online. The company is currently employing SDL 4.0 in-house, and version 4.1 is now in beta, Sullivan says.

"We've applied the SDL to our big-box products," he says. "And the results have been phenomenal. We've already been using SDL for our online services, and it's dramatically reducing vulnerability rates."