Microsoft Puts Bull's-Eye on SQL Injection Attacks

Microsoft is pushing freeware to help combat SQL injection attacks.

Microsoft is promoting newly released freeware to help IT pros put up a fight against SQL injection attacks.

The release of the products comes at a time when news of legitimate Web sites being compromised by SQL injections has become familiar in the headlines. Microsoft announced these products' availability June 24 in a security advisory.

Two of the tools, UrlScan Version 3.0 Beta and Microsoft Source Code Analyzer for SQL Injection, are the sole fruits of Microsoft. The third, a Web site scanner called HP Scrawlr, was developed by Hewlett-Packard's Web Security Research Group in conjunction with Microsoft.

"We are communicating the availability of three separate tools which can help protect individual Web sites from SQL injection attacks," said Microsoft Security Response Communications Manager Bill Sisk. "These free tools offer detection and defense, as well as identify possible code which may be exploited by an attacker. Microsoft encourages customers to review the advisory and follow the recommendation to download these tools for a safer Web site environment."

UrlScan 3.0 works by restricting the types of HTTP requests that IIS (Internet Information Services) will process in order to prevent potentially harmful requests from reaching the Web application on the server. It will install on IIS 5.1 and later versions, including IIS 7.0, and can be downloaded here.

Microsoft's Source Code Analyzer tool targets ASP source code, examining it for code that can lead to SQL injection vulnerabilities. The tool only identifies vulnerabilities in classic ASP code, and does not work on ASP.NET code.