Manufacturers using Microsoft’s Active Server Page technology – Microsoft’s server-side script engine for dynamically generated Web pages – are being warned to watch out for SQL Injection attacks.
“Although Microsoft ASP is a powerful component in the Windows 2000 Server stable, it seems that hackers have latched on to the fact that many companies have created poorly-written web code that interfaces with their web sites’ back-end database,” explains Rob Rachwald, director of product marketing at application vulnerability security specialist Fortify Software.
“This means that, although the Microsoft Security Response Centre is aware of the problem, it’s not something it can issue a patch for. As a result, large numbers of ASP-enabled web hosts are being hit by SQL injection attacks,” he says.
Microsoft has released a source code analyser, but the slightly bad news is that it only works with ASP Classic code and, even then, is only capable of detecting SQL Injection issues, and not a lot else.
“All is not lost, however, as Microsoft has released a short-term fix in the form of a utility that performs SQL filtering, like a web application firewall,” he adds. “This functions in a similar manner to our real-time analysis technology, although users should be aware that it only blocks specific HTTP requests to prevent potentially harmful SQL requests from being executed on the server. Our RTA technology, on the other hand, blocks SQL Injections and much more,” he asserts.