Monday, November 29, 2010

Blocking Automated SQL Injection Attacks

SQL injection attacks have been increasing over the last three years, mainly because of automated tools. Since these automated attacks were first noticed in December 2007, very little has changed in the way that they work. Attackers use automated tools to query search engines for interesting URLs and then submit various SQL injection payloads to each. The goal is to inject malicious JavaScript into all string columns in SQL database tables.

Microsoft has provided guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) and some tools (www.microsoft.com/technet/security/advisory/954462.mspx) to combat these attacks. Over the past year Microsoft has also started tracking these automated SQL injection attacks and reports the findings in the Microsoft® Security Intelligence Report.

Today I would like to discuss another technique that one can use to block automated SQL injection attacks against web applications that use Microsoft SQL Server® as the back-end database. (Note: These attacks exploit vulnerabilities in web applications; there are no known security vulnerabilities in Microsoft SQL Server itself.) Before I describe the technique, I would like to reiterate that using parameterized queries is the best way to mitigate SQL injection vulnerabilities in web applications. The Quick Security Reference: SQL Injection details the various classes of SQL injection vulnerabilities and how to address them in the design, development, and testing phases.
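The following is an added example, not code from the post or from Microsoft. It illustrates two points made above: why parameterized queries stop the injection in the first place, and what a defender's sweep of string columns for the injected script tags looks like. It uses Python's built-in sqlite3 module as a stand-in for SQL Server (an assumption, so the queries can run offline); with SqlClient in ASP.NET the same binding is done with SqlCommand parameters such as @name instead of the ? placeholder. The table, rows and the hostname example.invalid are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data. The third row is built to look like a record that
# an automated attack has already overwritten with a script tag.
SAMPLE_ROWS = [
    ("Widget", "A plain widget"),
    ("O'Brien special", "Name contains a single quote"),
    ("Gadget", 'Nice gadget<script src="http://example.invalid/x.js"></script>'),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database standing in for the SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    # Parameter binding is used for the inserts too; the ? is a placeholder,
    # never string formatting.
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def find_product_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so any quote or keyword in it becomes part of the query's syntax."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_product_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the SQL text is fixed and the value is bound
    separately, so the database engine never parses the value as SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# The automated attacks write script tags into string columns; this is the
# marker the sweep below looks for.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def find_script_in_text_columns(conn: sqlite3.Connection) -> list:
    """Defender's sweep: return (table, column, rowid) for every text-typed
    column value that contains a <script tag. Table and column names come
    from the database catalog, not from user input, which is why they can
    be quoted into the SQL as identifiers here."""
    hits = []
    tables = [
        r[0]
        for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    ]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        text_columns = [
            r[1]
            for r in conn.execute(f'PRAGMA table_info("{table}")')
            if (r[2] or "").upper() in ("TEXT", "VARCHAR", "NVARCHAR", "CHAR")
        ]
        for col in text_columns:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str) and SCRIPT_TAG.search(value):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = make_db()
    # A legitimate value containing a quote breaks the concatenated query but
    # is handled correctly by the parameterized one.
    print(find_product_safe(db, "O'Brien special"))
    print(find_script_in_text_columns(db))
```

Running the module prints the row found by the parameterized lookup and the single (table, column, rowid) hit of the sweep. The value "O'Brien special" is enough to show the difference: find_product_unsafe raises a syntax error on it, while find_product_safe returns the matching row, because the binding layer, not the application, is responsible for how the value reaches the engine.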

Source: Microsoft Security Tips