Microsoft tools address SQL injection attacks

On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks.

In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits. At the time Microsoft insisted it was not the result of a vulnerability, but lack of best practices on the sites themselves.

The tools released Tuesday are designed to help Web developers mitigate against such attacks.

"These free tools offer detection and defense, as well as identify possible code which may be exploited by an attacker," said Bill Sisk, security response communications manager for Microsoft.

The three tools include HP Scrawlr , UrlScan version 3.0 Beta , and a SQL Source Code Analysis Tool. Microsoft further recommends following the best practices found within advisory 954462.

[jimkii]

If developers would use bind variables (prepared statements in Java) they would not have to worry about SQL Injection attacks. MS and other vendors strongly recommend using bind variables in code. it leads to more secure and higher performing code.

[jnarvey]

Oops! Microsoft's list wasn't quite complete. Another tool that will protect against SQL injection (and other threats like XSS hacks) is Devfense (more info at http://www.boonbox.net/devfense.htm), a boxed service tool that integrates seamlessly with existing IT environments. Cheers.

[has_zah]

Hi,
I read the article, It is really helpful.
Few days back my website PDA Accessories got hacked by a hacker from canada. After fixing it my developer implement the instructions written here. And now my site is more secure.

Thanks for the tools....
Hassan Z Ch.