Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps

Chenxi Wang

I am sure many of you are aware of the recent massive-scale SQL injection attacks targeting Microsoft ASP applications running on IIS. The latest report has the number of attacked sites at 500,000. The press makes it sound like there is a new vulnerability in IIS or ASP. This cannot be further from the truth. The reality is the attacks are targeting Web applications where user input validation is not done (this is one of the fundamental security programming techniques). When a Web application does not validate its form input, it is opening itself up to code injection attacks including SQL injection. Today, the security industry is doing a decent job of communicating the importance of input validation. But you'll still find many legacy Web applications that have these flaws. And this is exactly what happened here: the attackers (well, they are organized) are using Google to find old ASP pages that take user input, and are systematically going after these pages to perform SQL injection attacks.

Read more