Microsoft Responds to the SQL Injection Problem

Windows ecosystem gets bit by a problem that traces its way back to the days before Microsoft thought much about security.

Last September, Errata Security CEO Robert Graham told us in an interview that SQL Injection was a great risk for Web sites based on many open-source tools and on older, pre-.Net Microsoft technologies. Boy, was that ever a prescient interview.

Several months later, as Wired put it, a massive attack hit half a million Windows data-driven Web sites. In fact, it was the data in these sites that was compromised: the attack altered the stored content so that the sites served malware and links to malware alongside their actual data. As the Wired blog puts it, the attack was not exactly Microsoft's fault and didn't reflect an actual vulnerability in Microsoft's products. And subsequent waves of the SQL injection attacks targeted non-Windows servers as well.

The best way to put it comes from the Graham interview, months before:

"The pre-.Net Microsoft tools in particular were very vulnerable to attack and at the same time very easy to use. You had a lot of people building Web sites with them who really had no clue how to defend themselves from attackers. Since then Microsoft has rearchitected its products and the current generation of .Net tools makes it much more difficult to expose yourself to SQL injection unless you do something really strange."

In other words, the old Microsoft tools made it easy to program insecure code. Back in 1998 and 1999 I wrote a bunch of ASP sites which, if any were still alive (thank goodness they're not), would be easily vulnerable. I wrote them the obvious way, by reading input from users of Web forms and constructing SQL commands in VBScript. It's just not a good idea anymore to do it this way, at least not without checking the input.
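To make the "obvious way" concrete, here is an added example (not code from the article or from Microsoft) rendered in Python with sqlite3 rather than VBScript/ADO: the concatenated query the article describes next to its parameterized replacement, plus the kind of check a site owner would run over stored content after the compromises described above. The table, rows and marker domain are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a small data-driven site's product table.
SAMPLE_ROWS = [
    (1, "widget", "A plain widget."),
    (2, "gadget", "A plain gadget."),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, name):
    """The pattern the article warns about: form input pasted into the SQL text.
    Anything the user types becomes part of the statement, quotes included."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The .Net-era equivalent (SqlParameter in ADO.NET): the input is bound as a
    parameter, so the database can only ever compare it as a literal value."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Markup that has no business inside product text; its presence in stored data
# is the symptom described above (sites serving malware from their own tables).
SUSPICIOUS_MARKERS = ("<script", "<iframe")


def find_injected_markup(conn):
    """Defender's check: return (column, id) for every text value carrying markup
    that points to the data itself having been rewritten."""
    hits = []
    for column in ("name", "description"):
        # Column names come from the fixed tuple above, never from user input.
        rows = conn.execute("SELECT id, " + column + " FROM products").fetchall()
        for row_id, value in rows:
            lowered = (value or "").lower()
            if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
                hits.append((column, row_id))
    return hits
```

With the concatenated lookup, a value containing a single quote rewrites the WHERE clause; with the bound parameter the same string simply matches no product, and the scan reports which rows have been tampered with.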

On June 24, Microsoft released an obviously coordinated group of tools and documents to address the wave of servers compromised through SQL injection that occurred many weeks ago. Better late than never.

A security advisory entitled "Rise in SQL Injection Attacks Exploiting Unverified User Data Input" starts out by defining the problem (SQL injection attacks are being made against ASP sites that don't sanitize inputs) and has lots of good links in it, including to tools about which I will go into some detail below. And then there are links to developer articles about SQL injection and how to avoid it: