Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps

Chenxi Wang

I am sure many of you are aware of the recent massive-scale SQL injection attacks targeting Microsoft ASP applications running on IIS. The latest report has the number of attacked sites at 500,000. The press makes it sound like there is a new vulnerability in IIS or ASP. This cannot be further from the truth. The reality is the attacks are targeting Web applications where user input validation is not done (this is one of the fundamental security programming techniques). When a Web application does not validate its form input, it is opening itself up to code injection attacks including SQL injection. Today, the security industry is doing a decent job of communicating the importance of input validation. But you'll still find many legacy Web applications that have these flaws. And this is exactly what happened here: the attackers (well, they are organized) are using Google to find old ASP pages that take user input, and are systematically going after these pages to perform SQL injection attacks.

If you have legacy Web applications, the best thing you can do is use HP's Scrawlr, a lightweight Web crawling and SQL injection detection tool to detect your vulnerabilities. You can download Scrawlr here:

https://download.spidynamics.com/products/scrawlr/.

We'll be back with another edition of how important application security is to business today. Stay tuned.