SQL injection warning for MS ASP users

Fortify : 07 July, 2008  (Technical Article)
Active Server Page users are being warned by Fortify of a vulnerability that can result in SQL injection attacks.
Fortify Software has warned companies using Microsoft's ASP (Active Server Page) technology - Microsoft's server-side script engine for dynamically-generated Web pages - to watch out for SQL Injection attacks.

'Although Microsoft ASP is a powerful component in the Windows 2000 Server stable of offerings, it seems that hackers have latched on to the fact that many companies have created poorly-written Web code that interfaces with their Web sites' back-end database,' said Rob Rachwald, Fortify’s director of product marketing.

'This means that, although the Microsoft Security Response Centre (MSRC) is aware of the problem, it's not something it can issue a patch for. As a result, large numbers of ASP-enabled Web hosts are being hit by SQL injection attacks,' he added.

According to Rachwald, Microsoft has risen to the occasion by releasing a source code analyser, but the slightly bad news is that the analyser only works with ASP Classic code and, even then, is only capable of detecting SQL Injection issues, and nothing else.

'All is not lost, however, as Microsoft has released a short-term fix in the form of a utility that performs SQL filtering like a Web application firewall,' he said.

'This functions in a similar manner to our Real-Time Analysis technology, although users should be aware that it only blocks specific HTTP requests to prevent potentially harmful SQL requests from being executed on the server. Our RTA technology, on the other hand, blocks SQL Injections and much more,' he added.

Microsoft's experience with this situation, says Rachwald, highlights the need for static and dynamic analysis when it comes to application security.
   © 2012 ProSecurityZone.com