New SQL Injection Scanners From Microsoft And HP

By Dan Morrill
Expert Author
Article Date: 2008-06-25

Microsoft and HP have each released a tool to help companies scan their web sites for SQL injection flaws, the kind of flaw that can lead to a compromise of your web site.

Both are worth looking at and running against your web sites. Also start watching your web server logs for odd behavior, in case someone else is running them against your site.
Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names! Source: HP
Download the tool here.

Scrawlr is probably the better bet of the two tools, and should probably be run first against the web site to see what it finds. As HP says, if someone can show you the tables, there is an issue. If something comes up, you will need to work with your developers or third-party developers. You are also going to need to educate them on the issues; it is not enough to show them the tables, you have to help them repair the flaw. The HP site has a number of very good white papers that can help educate developers on the issue and on the common fixes.

Microsoft has released an updated version of IIS UrlScan that carries the strings used in previous attacks and blocks them at the IIS level, before the requests ever reach the database. If you already use UrlScan, it is probably a good idea to update it on your servers; if you do not, test it out first with Scrawlr to make sure it introduces no additional performance issues.
UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta. Source: Microsoft
You will find the tool under "actions" on that page. It took me a minute: you would expect a direct link to be prominently displayed, but it is not, so go to "actions" to download the tool.
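Two pieces of advice above go together: watch your web server logs for odd behavior, and know that UrlScan works by matching request strings against patterns seen in earlier attacks. The following is an added example (not from the article, and not how UrlScan itself is implemented or what its string list contains) of applying that same idea to an IIS W3C extended log after the fact: parse the `#Fields:` header, percent-decode each query string (repeatedly, since double encoding is a common evasion), and flag lines matching a small set of SQL injection indicators. The log lines are constructed for the example, not taken from any real server.

```python
"""Flag SQL-injection indicators in IIS W3C extended log query strings.

Added example (not from the article). The indicator list is illustrative,
not UrlScan's rule set; the log below is constructed sample data.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log: one normal request, three suspicious ones, one
# with no query string. 192.0.2.0/24 is a documentation-only address range.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-06-25 10:01:02 10.0.0.5 GET /products.asp id=42 80 - 192.0.2.10 Mozilla/4.0 200
2008-06-25 10:01:09 10.0.0.5 GET /products.asp id=42'+or+'1'='1 80 - 192.0.2.77 Mozilla/4.0 500
2008-06-25 10:01:11 10.0.0.5 GET /products.asp id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C%20as%20VARCHAR(4000));EXEC(@S);-- 80 - 192.0.2.77 Mozilla/4.0 500
2008-06-25 10:01:15 10.0.0.5 GET /search.asp q=%2527%2520union%2520select%25201 80 - 192.0.2.78 Mozilla/4.0 200
2008-06-25 10:02:00 10.0.0.5 GET /about.asp - 80 - 192.0.2.10 Mozilla/4.0 200
"""

# Matched against the lower-cased, fully decoded query string.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b")),
    ("stacked-declare", re.compile(r";\s*declare\s+@")),
    ("cast-hex", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+")),
    ("exec-variable", re.compile(r"\bexec\s*\(\s*@")),
    ("comment-terminator", re.compile(r"--\s*$")),
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'")),
    ("schema-probe", re.compile(r"\b(?:information_schema|sysobjects|syscolumns)\b")),
    ("time-delay", re.compile(r"\bwaitfor\s+delay\b")),
]


def decode_query(query, rounds=3):
    """Percent-decode until stable (bounded), turning '+' into a space.

    A single decode misses %2527 -> %27 -> ' style double encoding.
    """
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def parse_w3c(text):
    """Yield (line_number, {field: value}) for each data line.

    Field names come from the most recent '#Fields:' directive; lines whose
    token count does not match are skipped (a real tool would report them).
    """
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        tokens = raw.split()
        if len(tokens) != len(fields):
            continue
        yield lineno, dict(zip(fields, tokens))


def scan_log(text):
    """Return one record per log line whose query string matches an indicator."""
    hits = []
    for lineno, rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":              # W3C convention for an empty field
            continue
        decoded = decode_query(query).lower()
        found = [name for name, rx in INDICATORS if rx.search(decoded)]
        if found:
            hits.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Point it at a copy of the live log rather than the file IIS is writing, and treat the output as a triage list: a 500 status paired with an indicator is a strong sign the injected input reached the database, while a 200 may mean the page handled it safely or that the probe simply did not error. Tune the indicator list to your own application's normal parameters before alerting on it, since a search box that legitimately accepts the word "union" will otherwise page you at night.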

Both tools should help in the longer run to keep at least some of the more egregious issues off your servers and keep your customers safe. Today is a very good day to scan your systems. One other tool (while costly) is WebInspect from SPI Dynamics (also owned by HP), which you might want to look into for scanning your builds and web site on a frequent basis to see what turns up.

Happy scanning today.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
