30-09-2008, 02:22
Rock
System Administrator (eUKhost.com)
Join Date: Dec 2006
Location: localhost
Posts: 2,494

Prevent SQL Injections

"Microsoft jumps into filtering SQL Injection Attacks" -- that definitely sounds like great news!

Nowadays, almost all websites are under the threat of SQL injection attacks. SQL injection attacks with various attack patterns have become a worldwide headache in the web hosting industry, commonly affecting websites built using Microsoft's popular ASP or ASP.NET code, or other code enabling dynamic websites. To those who aren't aware of such an attack, here's a small description: it's a direct attack made on SQL web hosting servers by means of malicious code in a query string, which is passed to SQL Server through an internet app. If the right safeguards are not in place, the code can be executed by Microsoft SQL Server, causing havoc on the website's back-end.

UrlScan 3.0 is an improved security filter recently released by Microsoft for the IIS web server (Internet Information Services) to help resist SQL injection attacks. It's a free add-on tool for IIS that provides verification of user requests and real-time analysis of HTTP web server requests, thus potentially blocking malicious code and harmful requests from being processed by web applications on the server and causing any sort of damage to the SQL database.

UrlScan helps users/developers to prevent SQL injection attacks from hackers by guiding them into verifying their code and queries, which are meant to be executed by the web applications. The major and important improvement in UrlScan 3.0 is that it supports query string scanning, where previous versions failed to do so. The old versions did not examine the query string in the web server request but blocked server requests based on aspects such as URL string length instead, which wasn't much use.

UrlScan 3.0, which uses W3C-formatted logs for ease of analysis, not only scans the URL string but has an added ability to do filtering based on the query string passed through the scripts.

There are certainly more goodies bundled with the much improved security filter, such as the ability to create more granular rules that can be targeted to specific types of requests, i.e. you can write rules that only apply to ASP or PHP pages, which was never available in any previous version; earlier there was one rule set for all, which was a bit difficult to write/code. One more feature, specifying a safe list of URLs and query strings that can bypass UrlScan checks, is an added advantage for programmers and web developers.

You can get UrlScan 3.0 from:
32-bit = http://www.microsoft.com/downloads/d...displaylang=en
64-bit = Download details: UrlScan v3.0 (x64)

What should the software developer do to build security-efficient code?

UrlScan can only be used in protecting the server it's installed on and won't help much in serious web security. Security needs to be enforced in the web application itself. The application running on the server is the only piece of code that actually knows what the SQL query is intended to do. So the fix for the root cause is for application developers to go in and do the validation and make sure that the SQL data they're sending to the SQL Server is what they intend.

Here are the 6 golden rules which developers should adhere to before developing applications using ASP/ASP.NET with MSSQL, as these are the areas of concern where loopholes are sure to occur if ignored.
Quote:
Coding Standard
Coding must be up to a standard, and strict guidelines are to be observed and applied here. Poor quality coding can create loopholes which make the system more vulnerable.

Validating Input

There must be verification and validation of data input so the attacker cannot confuse the system in any way.

Common Errors

This is the area where simple mistakes can cause loopholes unknowingly. Normally this can be controlled during the debugging process, but due concern in this area is still needed.

Autonomy

Autonomous systems working together across networks need to be aware of each others' state of operation. If attackers can find loopholes to exploit differences in state, distributed applications can be compromised.

Integrity of Application programming interfaces
APIs, or Application Programming Interfaces, are ways to access software functions. If you access such features in unexpected ways, you can create security loopholes.

Encryption and Authentication
Encryption and authentication are two areas where loopholes can occur and later be damaging to the whole system.
Software development is a process in which each and every aspect is a concern. When it comes to security, it becomes the priority of the software management team, because a single flaw can ruin the development process, causing wastage of manpower, money and time, which is most valuable.

Remember, "Prevention is better than cure": let the bug be cured before it affects anything. I hope this helps the folks...
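The post mentions three UrlScan 3.0 features without showing what they look like in practice: query string scanning, rules that apply only to particular page types, and safe lists. The following UrlScan.ini fragment is an added, constructed example (not from the post and not Microsoft's shipped template) that uses all three; the section and key names are as I recall them from the UrlScan 3.0 reference, so check them against the UrlScan.ini installed with the tool before relying on them, and treat the sequence list and the paths as placeholders to be tuned for your own site.

```ini
; UrlScan.ini fragment - constructed example, not the tool's default file.

[Options]
; Decode %xx escapes before scanning so an encoded "--" is still caught.
UnescapeQueryString=1
; Names the custom rule sections defined below (comma-separated list).
RuleList=SQL Injection

[RequestLimits]
; Cap query string length; oversized requests are rejected outright.
MaxQueryString=2048

; Custom rule (new in 3.0): applies only to ASP and ASP.NET pages,
; scans the query string and nothing else.
[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

; Sequences the rule above rejects when found in the query string.
; Placeholder list: every entry here is a false-positive risk for
; legitimate input (e.g. a free-text search containing "--").
[SQL Injection Strings]
--
;
/*
xp_

; Safe lists (new in 3.0): requests matching these entries bypass
; UrlScan's checks entirely. Placeholder paths for illustration.
[AlwaysAllowedUrls]
/healthcheck.aspx

[AlwaysAllowedQueryStrings]
reportid=
```

The filter matches byte sequences, not SQL syntax, so it cannot tell a comment marker in an attack from one in a customer's search term; every string added to the deny section should be tested against the site's real traffic, and the safe lists exist precisely because some pages will otherwise break. This is why, as the post itself says, the real fix has to live in the application.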
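The post's central point is that only the application knows what a query is meant to do, so validation and correctly built queries belong in the application, not in a filter in front of the server. The following is an added example, not the post's code, written in Python against an in-memory SQLite table standing in for the MSSQL back end, with constructed sample rows; it shows the injectable string-concatenation pattern next to the two controls the post calls for, allow-list input validation and a parameterized query. In ASP.NET the parameterized form corresponds to adding SqlParameter objects to a SqlCommand instead of concatenating the value into the command text; the table, column and function names here are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the application's MSSQL users table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_sample_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """The injectable pattern: the caller's text becomes part of the SQL itself.

    Nothing here knows whether 'username' is a name or a fragment of SQL,
    so a quote in the input changes the meaning of the WHERE clause.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Allow-list for usernames: letters, digits and underscore, 1-32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Validating input: accept only what the application defines as a username."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_user_parameterized(conn, username):
    """Query text is fixed; the value is bound by the driver as data, never as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_user_safe(conn, username):
    """Both controls together: reject malformed input, then bind the value."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_user_parameterized(conn, username)


if __name__ == "__main__":
    db = build_sample_db()
    probe = "' OR '1'='1"  # constructed malformed input for the demo
    print("concatenated query, normal input:", lookup_user_vulnerable(db, "alice"))
    print("concatenated query, malformed input:", lookup_user_vulnerable(db, probe))
    print("parameterized query, malformed input:", lookup_user_parameterized(db, probe))
    print("validated:", is_valid_username("alice"), is_valid_username(probe))
```

Run stand-alone, the concatenated query returns every row for the malformed input while the parameterized query returns none, because the driver treats the whole string as a literal to compare against. Validation on top of that rejects the input before a query is ever built, which also gives the application a clean place to log the rejected request for the security team.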