SQL Injection Attacks Exploiting Unverified User Data Input

Hey, Andrew Cushman here.


Today I'm pleased to announce the coordinated release of three security tools in Security Advisory 954462 to help customers deal with SQL injection attacks:


· UrlScan version 3.0 Beta, a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan keeps potentially harmful requests from ever reaching the application.

· Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), a tool that detects ASP code susceptible to SQL injection attacks.

· Scrawlr, a free scanner developed by the HP Web Security Research Group in conjunction with Microsoft, which allows customers to identify whether their Web sites might be susceptible to SQL injection.
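To make concrete what "ASP code susceptible to SQL injection" means, here is a constructed classic ASP example, added to this post for illustration; it is not code from the post, from the analyzer, or from any Microsoft sample, and the connection string, the Products table and its columns are assumptions. The first function is the pattern that gets sites compromised: the query string value is pasted into the SQL text, so the database parses attacker input as SQL. The second does the same lookup with an ADO parameterized command and rejects non-integer input up front.

```asp
<%
Option Explicit

' Constructed example; connection string, table and column names are assumptions.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;"
Const adInteger = 3     ' ADO DataTypeEnum
Const adParamInput = 1  ' ADO ParameterDirectionEnum
Const adCmdText = 1     ' ADO CommandTypeEnum

' --- Vulnerable pattern: untrusted input concatenated into the SQL text ---
' ?id=1 OR 1=1 returns every row, and ?id=1; DROP TABLE Products runs a second
' statement, because the input is parsed as SQL rather than treated as a value.
Function LookupProductUnsafe(conn, id)
    Set LookupProductUnsafe = conn.Execute( _
        "SELECT Name, Price FROM Products WHERE Id = " & id)
End Function

' --- Hardened pattern: parameterized query ---
' The value travels to SQL Server as a typed parameter and is never parsed as SQL.
Function LookupProductSafe(conn, id)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Name, Price FROM Products WHERE Id = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Id", adInteger, adParamInput, , CLng(id))
    Set LookupProductSafe = cmd.Execute
End Function

Dim id
id = Request.QueryString("id")

' Validate the type before the value gets anywhere near the database.
' CLng would raise a runtime error on bad input; failing closed here is clearer.
If Not IsNumeric(id) Or InStr(id, ".") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

Set rs = LookupProductSafe(conn, id)
Do Until rs.EOF
    ' Encode on output as well: data read back from the database is still untrusted.
    Response.Write Server.HTMLEncode(rs("Name")) & ": " & rs("Price") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The point worth internalizing is that the fix is not escaping quotes. The unsafe function is broken for an integer column even though no quote character is involved; only a parameterized command (or an equivalently typed stored procedure call) separates data from the SQL statement. Input validation on top of that narrows what the application will even attempt, which is also the kind of thing a request filter in front of IIS can enforce, but validation alone is not the fix.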


Back in the day, I participated in the first release of URLScan as a member of the IIS team. Things are a bit different now than they were back then. Nowadays people applaud IIS's excellent security track record and point to it as a poster child of the SDL (Security Development Lifecycle).


Some things are unchanged though. Microsoft teams and partners remain committed to delivering tools and solutions that make it easier for administrators to protect themselves from misconfiguration and application coding errors. UrlScan v3.0 Beta, Microsoft Source Code Analyzer for SQL Injection and HP Scrawlr continue the tradition of development collaboration. These tools, and the quick turnaround by the teams, demonstrate to me the dedication to a more secure computing experience by the SQL Server and IIS teams and our friends at Hewlett-Packard.


Special thanks go to Wade Hilmo on the IIS team and Bala Neerumalla on the SQL team.

Wade is the original and sole developer of URLScan. Another great job! Bala is the driving force behind the SQL tool and is responsible for the idea and the realization of it. 

Thanks guys!


Microsoft has posted a number of new related blog posts. In addition to the SQL and IIS blogs mentioned above, I encourage you to check out the SVRD blog and the SDL blog from my colleagues down the hall.

Director, MSRC


*This posting is provided “AS IS” with no warranties, and confers no rights.*