SQL injection warning for MS ASP users

Fortify : 07 July, 2008  (Technical Article)
Active Server Page users are being warned by Fortify of a vulnerability that can result in SQL injection attacks
Fortify Software has warned companies using Microsoft's ASP (Active Server Page) technology - Microsoft's server-side script engine for dynamically-generated Web pages - to watch out for SQL Injection attacks.

'Although Microsoft ASP is a powerful component in the Windows 2000 Server stable of offerings, it seems that hackers have latched on to the fact that many companies have created poorly-written Web code that interfaces with their Web sites' back-end database,' said Rob Rachwald, Fortify’s director of product marketing.

'This means that, although the Microsoft Security Response Centre (MSRC) is aware of the problem, it's not something it can issue a patch for. As a result, large numbers of ASP-enabled Web hosts are being hit by SQL injection attacks,' he added.

According to Rachwald, Microsoft has risen to the occasion by releasing a source code analyser, but the slightly bad news is that the analyser only works with ASP Classic code and, even then, is only capable of detecting SQL Injection issues, and nothing else.

'All is not lost, however, as Microsoft has released a short-term fix in the form of a utility that performs SQL filtering like a Web application firewall,' he said.

'This functions in a similar manner to our Real-Time Analysis technology, although users should be aware that it only blocks specific HTTP requests to prevent potentially harmful SQL requests from being executed on the server. Our RTA technology, on the other hand, blocks SQL Injections and much more,' he added.

Microsoft's experience with this situation, says Rachwald, highlights the need for static and dynamic analysis when it comes to application security.