Microsoft and HP tackle SQL-injection scourge
A modest proposal
With successful attacks against websites reaching epidemic levels, Microsoft and HP have released a free set of tools that help developers check their web applications for the mistakes that leave them open to exploits that can steal sensitive information and harm visitors.
The tools are designed to scan websites for vulnerabilities to so-called SQL injection attacks. Over the past six months, millions of web pages, some belonging to Fortune 500 companies or government agencies, have fallen prey to the attacks. As a result, unsuspecting visitors are directed to websites that silently try to install key loggers and other types of malware.
SQL injection attacks have proved hard to stop because they aren't perpetrated on any specific software platform. Rather, they target shoddy coding practices that fail to scrutinize user-supplied input for malicious code before passing it to web applications. ASP, PHP and CGI have all been known to be affected.
The tools come as ScanSafe, a company that monitors websites for malicious behavior, reports a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic.
The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months have hit the public information site for the Phoenix Mars Lander, the Wal-Mark, the Department of Homeland Security and the UK's Civil Service. The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors.
That's where the new tools come in. Developers can use them to check their web apps for some of the most common mistakes. One tool is called Scrawlr and is a slimmed down version of an HP tool known as WebInspect. It scans websites for SQL-injection vulnerabilities by mimicking some of the most common attack methods.
A second is known as URLScan version 3.0 Beta, which blocks certain types of HTTP requests from being processed by Microsoft's Internet Information Services (IIS). That helps prevent potentially harmful requests from reaching the Web application that are downstream.
The third tool is a source code analyzer that detects ASP code that's susceptible to SQL-injection attacks.
Not everyone traveling in security circles has taken a liking to the new release. Mike Tracy, writing on the Matasano Chargen blog, questions whether two of the apps would be better dubbed "Half-Baked Code Analyzer" or "Web Application Firewall Lite" - the implication being they are too limited to be of any real benefit.
There's no doubt that these tools are no substitute for a more in-depth security posture that every website ought to have. But what the critics seem to be missing is that given the literally millions of pages that already have been marred, SQL injections could become the web equivalent of the bubonic plague. It's time for all of us to roll up our sleeves and do what we can. Microsoft and HP's release is a good start. ®
This story was updated to correct the name of the HP product from whence Scrawlr came. The commercial HP product is known as WebInspect.
Easy fix for SQL Injection
Ok, I admit to writing bad code not fully verified and I have so many fields all over the place that it will be a really long winded thing to walk through all compiled code/perl code etc and lock it all down.
Easy fix is Run Apache with mod security enabled - mod security will catch out SQL injection and not return anything back to user.
I have made some docs on how to enable it here
Re: So, if it's easy to code against why does no one provide the solution here?
Remember 3 words:
Treat all input data is evil. If you limit the number of characters accepted for each item of input data, sanitize it, perhaps to accept only alphanumerics, and validate against a regular expression or list of acceptable data, you're pretty well home and dry.
Managers are only interested in getting a product out the door. Security minded developers are more interested in stopping the company from hitting the national press with the latest ID theft story. Which do you think is more important?
Love heart because this stuff keeps me in a job.
@1st Anonymous coward
Since you so desperately seem need one, here's a free clue, but first the disclaimers:
I am not a DB.
My work doesn't even involve real programming. The last programming I did was in college over 20 years ago. But I still recall this example from my very first computer class, run on the venerable TRS-80 III from Radio Shack, in the kludge language of Basic.
Now, here's your free clue:
10 Dim Pay=float
20 Dim Cost=float
30 Dim Change=float
40 Printscreen (How much did it cost?)
50 Input Cost
60 Printscreen (How much are you paying?)
70 If Cost> Pay then goto 60
80 Input Pay
100 Print screen (Your change is);Change;(.)
There were also some formatting commands which I have since forgotten. The program returns an invalid answer if the valid input values are 5.00 and 4.95. BASIC can't handle the error, the programmer (read Developer in your case) is responsible for the problem. Even I comprehend that SQL injections are a more complicated instance of this problem. And in this example BASIC would be your Web Server.
Okay, so I fudged the variable names for clarity. BASIC on the TRS-80 only allowed two characters for variable names.