Saturday, July 12, 2008

Slam these SQL Injection Attacks!

In January 2003, the Microsoft SQL Server community got a massive wake-up call: SQL Slammer hit the internet. This denial-of-service virus brought down many database servers, including those at Bank of America and Microsoft itself. The solution was to apply SQL Server 2000 SP3, which by pure coincidence had been released 10 days earlier. The actual hotfix had been available for 6 months or more, but in those days many DBAs just waited for the next Service Pack. Big mistake! Attacks like this prompted Bill Gates to launch the Trustworthy Computing initiative, and current project plans were extended by 3 months to allow product teams to focus on security. Products under development included Windows Server 2003, Exchange 2003 and SQL Server 2005 - they all benefited from this "strategy".

But what about SQL Injection attacks?

SQL Injection attacks take advantage of poorly coded applications: SQL fragments hidden ("injected") in seemingly harmless user input end up executed as part of the application's own queries. The solution is to make sure input fields from an application are fully validated, including checking for special characters, before they are used in SQL commands. Recently, this vulnerability has emerged in many ASP applications, so Microsoft have produced a utility that will check ASP code for potential vulnerabilities.
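As an added illustration (not from the original post or from Microsoft's analyzer), here is the vulnerable string-concatenated query beside the parameterized form that defeats the attack, using Python's sqlite3 and a constructed user table in place of the ASP / SQL Server pairing the post discusses; a special-character check of the kind recommended above is included as defence in depth.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def login_vulnerable(conn, name, password):
    # Unsafe: user input is concatenated straight into the SQL text, so a
    # quote in the input changes the structure of the WHERE clause.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, name, password):
    # Safe: placeholders keep user input as data, never as SQL syntax.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

def has_sql_metacharacters(value):
    # The special-character check the post recommends. Useful for logging
    # and rejecting suspicious input, but parameterized queries are the
    # fix that holds even when a character slips past the list.
    return any(token in value for token in ("'", '"', ";", "--"))

def demo():
    conn = make_db()
    injected = "' OR '1'='1"   # classic textbook tautology in the password field
    return {
        # Concatenation turns the clause into ... OR '1'='1' and matches every row.
        "vulnerable": login_vulnerable(conn, "alice", injected),
        # The same input as a bound parameter matches nothing.
        "parameterized": login_parameterized(conn, "alice", injected),
        "flagged": has_sql_metacharacters(injected),
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }

if __name__ == "__main__":
    print(demo())
```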

Microsoft Source Code Analyzer for SQL Injection:

http://www.microsoft.com/downloads/details.aspx?FamilyID=58a7c46e-a599-4fcb-9ab4-a4334146b6ba&DisplayLang=en

Check it out!
