Microsoft has released a security advisory (954462) warning users that automated SQL injection attacks against ASP and ASP.NET based sites are escalating. Unlike about 5 years ago, most web developers I talk to today understand what SQL injection is and how to defend against it.
The new automated attacks are mostly focused on Content Management System (CMS) functionality, in order to insert an IFRAME on your website pointing to a malicious site. 5 years ago we all talked about how SQL injection attacks would focus on stealing credit card numbers and personal information directly out of databases, or skipping password checks or adding administrative users. I demonstrated that last one myself during a security engagement. The attacks were jaw-dropping and scary, and we thought that everyone was on the way to getting it fixed.
If you find this XKCD comic funny, you’re halfway toward understanding exactly how dangerous SQL injection is:
So why are ASP and ASP.NET still such easy pickings? I believe it’s due to a few main reasons:
1. ASP has THE WORST string validation functionality of any modern programming language used to create web applications today.
Have you ever seen a successful, tight form validation routine written in ASP or VB? It’s ugly, and easy to get wrong. This is because there’s no regex (regular expression) library for performing string-fu, a luxury that pretty much everyone else has.
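As an added illustration of that point (example code written for this post, not the author’s): in ASP.NET the regular-expression support that classic ASP lacks is one `using` away, and the real fix for SQL injection is to stop building SQL text out of user input at all. The vulnerable pattern sits beside the hardened form; the `Articles` table, its `Slug` column and the slug format are assumptions for the example.

```csharp
// Added example (not from the original post): the vulnerable pattern beside its fix,
// for ASP.NET with System.Data.SqlClient. Table, column and slug format are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ArticleRepository
{
    // VULNERABLE: user input is concatenated straight into the SQL text.
    // A value such as  x' OR 1=1--  changes the statement the server executes,
    // which is exactly what the automated CMS attacks rely on.
    public static string BuildUnsafeQuery(string slug)
    {
        return "SELECT Title, Body FROM Articles WHERE Slug = '" + slug + "'";
    }

    // Assumed whitelist for this application's slugs: letters, digits, hyphens, 1-64 chars.
    // This is the "string-fu" that is painful in VBScript and trivial in .NET.
    private static readonly Regex SlugPattern = new Regex("^[A-Za-z0-9-]{1,64}$");

    public static bool IsValidSlug(string slug)
    {
        return slug != null && SlugPattern.IsMatch(slug);
    }

    // HARDENED: the SQL text is fixed and the value travels as a typed parameter,
    // so the database never parses the input as part of the statement. The
    // whitelist check in front of it is defence in depth, not the primary control.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string slug)
    {
        if (!IsValidSlug(slug))
            throw new ArgumentException("slug does not match the expected format");

        SqlCommand cmd = new SqlCommand(
            "SELECT Title, Body FROM Articles WHERE Slug = @slug", conn);
        cmd.Parameters.Add("@slug", SqlDbType.NVarChar, 64).Value = slug;
        return cmd;
    }
}

// Usage in a page or handler (connection string assumed to come from web.config):
//   using (SqlConnection conn = new SqlConnection(connectionString))
//   {
//       conn.Open();
//       SqlCommand cmd = ArticleRepository.BuildSafeCommand(conn, Request["slug"]);
//       using (SqlDataReader r = cmd.ExecuteReader()) { /* read Title, Body */ }
//   }
```

Note that the parameter, not the regex, is what makes the second form safe: a column that legitimately holds apostrophes (names, free text) cannot be protected by a whitelist, but it can always be passed as a parameter. The same applies to stored procedures: calling one with `CommandType.StoredProcedure` and parameters is safe, while building an `EXEC` string by concatenation is not.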
5-6 years ago, smart developers realized this and quickly said “Hey, we need to filter this garbage before it ever gets to the app, by building ISAPI filters in C and C++”. Some shops wrote their own, many adopted tools like Microsoft’s URLScan or eEye’s SecureIIS. Problems were solved, as these ISAPI filters magically denied all sorts of nasty strings, and were totally worth the pain of implementation.
2. Microsoft left Windows 2003/IIS 6 users out in the cold
Right around the time when Windows 2003 shipped, two things were happening. First, people like myself were finding MAJOR functionality flaws in URLScan which Microsoft was basically refusing to fix, and telling users to wait for the next version. Second, instead of actually shipping that next version, Microsoft proclaimed that IIS 6 had “URLScan technology” built in, and nobody needed URLScan anymore. Too bad that whatever was actually included with IIS 6 was missing URLScan’s best functionality, including the malicious string denial functionality. Thanks for that one, Microsoft.
So for about 5 years, the memory of URLScan faded, and everyone migrated to Windows 2003 and IIS 6. Sure, IIS 6 is a lot more “secure by default”, but ASP shops weren’t being adequately protected from SQL injection attacks. It wasn’t until THIS MONTH that Microsoft released URLScan 3.0 Beta which finally supported IIS 6. URLScan 3.0 Beta also supports IIS 7, which now has basic request filtering, but not as advanced as URLScan. It is not too late to consider this tool.
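To make the “deny nasty strings before they reach the app” idea concrete, here is an added example (not code from the original post, and not URLScan’s own implementation) of an ASP.NET HttpModule that URL-decodes each request’s query string and rejects the request when a denied sequence appears, which is roughly what a URLScan deny-sequence rule does in front of IIS. The sequence list, the module name and the 404 response are assumptions for the example.

```csharp
// Added example (not from the original post, not URLScan's code): an ASP.NET
// HttpModule that rejects requests whose decoded query string contains SQL
// fragments that have no business in a CMS URL. A stopgap in front of code
// that cannot be fixed immediately, not a replacement for parameterized queries.
using System;
using System.Web;

public class DenyQueryStringSequencesModule : IHttpModule
{
    // Assumed deny list; tune it for the application. Matched case-insensitively
    // after URL decoding, so %20, + and mixed case do not hide a sequence.
    private static readonly string[] DeniedSequences =
    {
        "DECLARE ", "CAST(", "EXEC(", "EXECUTE(", "SET @", "XP_", "--", "/*"
    };

    // Returns the first denied sequence found in the raw query string, or null.
    // Kept as a pure function so it can be unit-tested without an HTTP context.
    public static string FindDeniedSequence(string rawQueryString)
    {
        if (string.IsNullOrEmpty(rawQueryString))
            return null;

        // Decode twice so a double-encoded value is compared in its final form.
        // The decoded copy is used only for matching; the request itself is untouched.
        string decoded = HttpUtility.UrlDecode(HttpUtility.UrlDecode(rawQueryString));

        foreach (string seq in DeniedSequences)
        {
            if (decoded.IndexOf(seq, StringComparison.OrdinalIgnoreCase) >= 0)
                return seq;
        }
        return null;
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string hit = FindDeniedSequence(ctx.Request.Url.Query);
            if (hit != null)
            {
                // Record the match for the operations team (the matched sequence and
                // client address are the useful fields), then refuse the request.
                ctx.Trace.Warn("DenyQueryString", "blocked sequence '" + hit +
                    "' from " + ctx.Request.UserHostAddress);
                ctx.Response.StatusCode = 404;
                ctx.Response.End();
            }
        };
    }

    public void Dispose() { }
}
```

Register the module in web.config under `<system.web><httpModules>` (IIS 6, ASP.NET) or `<system.webServer><modules>` (IIS 7 integrated mode), giving the assembly-qualified type name. Two caveats a practitioner should keep in mind: the module only sees the query string, so it has the same blind spot for POST bodies that the post notes for Scrawlr below, and any deny list is a list of what the attacker used last week. Use it to buy time and to generate alerts, and spend the time on parameterized queries.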
3. Some ASP and ASP.NET shops are still running insecure code and using insecure coding practices
Microsoft and various security firms have been preaching advice about how to protect against SQL injection attacks for years now. It is a lack of risk awareness and training that is allowing it to continue. The argument that it is just too expensive for a business to fix these vulnerabilities doesn’t stand anymore; the attacks are too damaging.
What can be done?
The answer is simple. You need to self-assess your applications, or find someone to perform the assessment for you. Be careful, though: self-assessment carries a huge risk, captured by a golden rule of security: the designer of a system is the least likely to see its flaws. Fortunately, if you go this route there are plenty of free and intuitive tools to help you along the way.
HP has released a cool new tool called Scrawlr (free download) that will walk your ASP/ASP.NET/MS SQL based website and search for basic SQL Injection vulnerabilities. Unfortunately the tool does have some serious limitations (doesn’t handle authentication, won’t check forms or anything involving a POST, and cannot perform blind SQL injection). But it is a nicely packaged tool for finding the simplest vulnerabilities, the ones that the bad guys are hitting as well.
Fortunately, there are plenty of other free tools that perform blind SQL injection (search Google), as well as WebScarab and even the Firefox add-ons TamperData and Hackbar, to assist you in self-assessing your own site.
