Microsoft is promoting newly released freeware to help IT pros
put up a fight against SQL injection attacks.
The release of the products comes at a time when news of legitimate
Web sites being compromised by SQL injections has become familiar in the
headlines. Microsoft announced these products' availability June 24 in a
security advisory.
Two of the tools, UrlScan Version 3.0 Beta and Microsoft Source Code
Analyzer for SQL Injection Community Technology Preview, were developed by
Microsoft alone. The third, a Web site scanner called HP
Scrawlr, was developed by Hewlett-Packard's Web Security Research Group in
conjunction with Microsoft.
"We are communicating the availability of three separate tools which
can help protect individual Web sites from SQL injection attacks," said
Microsoft Security Response Communications Manager Bill Sisk. "These free
tools offer detection and defense, as well as identify possible code which may
be exploited by an attacker. Microsoft encourages customers to review the
advisory and follow the recommendation to download these tools for a safer Web
site environment."
UrlScan 3.0 works by restricting the types of HTTP requests that IIS (Internet
Information Services) will process, so that potentially harmful requests are
blocked before they reach the Web application on the server. It installs on
IIS 5.1 and later versions, including IIS 7.0, and is available for download from Microsoft.
Microsoft's Source Code Analyzer tool targets classic ASP source code, examining
it for constructs that can lead to SQL injection vulnerabilities. The tool
identifies vulnerabilities only in classic ASP code and does not work on ASP.NET
code.
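As an added illustration of the kind of pattern such a source analyzer looks for (this is not Microsoft's tool and its rules are not described on this page), here is a small Python heuristic that tracks request input and SQL string variables through constructed classic ASP lines, flags the query built by string concatenation, and lets the ADODB.Command parameterised version pass. The sample ASP, the regexes and the function name `scan_asp` are all assumptions made for this example.

```python
"""Toy taint-style check for SQL string concatenation in classic ASP (VBScript).

Assumed example, not Microsoft's Source Code Analyzer: it tracks which variables
hold request input and which hold SQL text, then flags any line that joins the
two with the VBScript '&' operator. ADODB.Command parameters are left alone.
"""
import re

REQUEST_INPUT = re.compile(r'\bRequest(\.(Form|QueryString|Cookies|ServerVariables))?\s*\(', re.I)
SQL_LITERAL = re.compile(r'"\s*(select|insert|update|delete|exec)\b', re.I)
CONCAT = re.compile(r'\s&\s')                      # VBScript string concatenation
ASSIGN = re.compile(r'^([\w.]+)\s*=\s*(.*)$')      # var = expression

def _uses(var, expr):
    """True if `var` appears as a whole identifier inside `expr`."""
    return re.search(rf'(?<![\w.]){re.escape(var)}(?![\w.])', expr) is not None

def scan_asp(source):
    """Return (line_number, line) for each line that concatenates tainted
    request input into a SQL statement string."""
    tainted, sql_vars, findings = set(), set(), []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'"):          # blank or VBScript comment
            continue
        m = ASSIGN.match(re.sub(r'^Set\s+', '', line, flags=re.I))
        var, rhs = (m.group(1), m.group(2)) if m else (None, line)
        uses_taint = bool(REQUEST_INPUT.search(rhs)) or any(_uses(v, rhs) for v in tainted)
        holds_sql = bool(SQL_LITERAL.search(rhs)) or any(_uses(v, rhs) for v in sql_vars)
        if var is not None:                            # propagate facts to the assigned variable
            if uses_taint:
                tainted.add(var)
            if holds_sql:
                sql_vars.add(var)
        if holds_sql and uses_taint and CONCAT.search(rhs):
            findings.append((lineno, line))
    return findings

# Constructed sample: a vulnerable query (line 4) followed by a parameterised one.
SAMPLE_ASP = """\
' constructed sample, not taken from any real site
Dim name, sql, cmd
name = Request.Form("username")
sql = "SELECT * FROM Users WHERE Name = '" & name & "'"
Set rs = conn.Execute(sql)
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM Users WHERE Name = ?"
cmd.Parameters.Append cmd.CreateParameter("@n", 200, 1, 50, name)
Set rs = cmd.Execute
"""

if __name__ == "__main__":
    for lineno, line in scan_asp(SAMPLE_ASP):
        print(f"line {lineno}: {line}")
```

The heuristic only follows straight-line assignments; it will miss input routed through functions or arrays, which is why a real analyzer like Microsoft's does much more than pattern matching.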