Click here to receive your FREE subscription to Campus Technology
News
UrlScan 3.0 Aims To Block SQL Injection Attacks
8/25/2008
|
|
Microsoft has released an improved security filter for its Internet Information Services (IIS) Web server that is designed to help thwart SQL injection attacks. The free application, called UrlScan 3.0 (Release-to-Web version), is an add-on tool to IIS that provides real-time verification of HTTP server requests, potentially blocking malicious code.
SQL injection attacks have become worldwide problem in the last eight months or so. They affect Web sites built using Microsoft's widespread ASP or ASP.NET code, or code enabling dynamic Web sites.
In June, Microsoft issued Security Advisory 954462, explaining that the SQL injection attack problem did not lie with SQL Server per se. Rather, poor security practices in Web applications are to blame, company officials explained.
A SQL injection attack is a direct attack on SQL Server by means of malicious code in a query string, which is passed to SQL Server through an Internet application. If the right safeguards are not in place, the code could be executed by Microsoft SQL Server, causing havoc on the Web site's back end.
UrlScan has been available for about five years, but Microsoft added some new features in Version 3.0. Perhaps the most important improvement is that UrlScan 3.0 provides support for query string scanning.
For technical reasons, previous versions of UrlScan did not examine the query string in the server request. Instead, UrlScan Version 2.5 blocked server requests based on aspects such as URL string length, according to Wade Hilmo, Microsoft's senior development lead on the IIS product team, the team that wrote UrlScan.
"In [UrlScan] 3.0, we added the ability to do filtering based on the query string, in addition to the URL," Hilmo said. "We also added the ability to create more granular rules that can be targeted to specific types of requests. For example, you can write a rule that only applies to ASP pages or PHP pages, which is something you would never be able to do in UrlScan 2.5."
Another improvement for developers is the ability to specify a safe list of URLs and query strings that can bypass UrlScan checks. In addition, Version 3.0 uses W3C-formatted logs for ease of analysis.
Version 3.0 of UrlScan is compatible with the configuration files administrators used with Version 2.5, so those settings are retained on an upgrade to a production server. Microsoft also added support for 64-bit IIS processes with this version.
Recommended Reading
- Tufts Grants Rights for Mileage-Increasing Transportation Technology to Electric Truck
Tufts University has optioned rights to a technology that can recharge the batteries of any hybrid electric and electric-powered vehicle while it is driven. The Tufts-developed technology could increase by 20 percent to 70 percent the miles per gallon or total driving range performance of vehicles like the Honda Civic, Ford Escape, and Toyota Prius hybrids and the Tesla Motors and Phoenix Motorcars electric vehicles.
- U Florida and Cyntellect Collaborate to Unlock Mysteries of Cancer Stem Cells
The University of Florida has entered into a research agreement with life sciences company Cyntellect. The university's Interdisciplinary Center for Biotechnology Research will work with the company to focus on a variety of research areas including the purification and analysis of cancer stem cells (CSCs), rare cells believed to be directly involved in propagating cancers.
- George Mason U Receives Grant To Deploy Intergraph Apps for Intelligence Curriculum
George Mason University (GMU) in Fairfax, VA has been awarded a grant from Intergraph to enable students enrolled in GMU's Geospatial Intelligence Graduate Certificate program to use the company's geospatial production and exploitation software as part of their core curriculum.
- Institute for Cyber Security at U Texas, San Antonio Opens Incubator
The University of Texas at San Antonio (UTSA) Institute for Cyber Security (ICS) has launched a new Internet security incubator. The incubator was developed to commercialize promising technologies that address major cyber security and privacy issues. The first companies to enter the incubator are Denim Labs and SafeMashups.
- ISO/IEC Publishes Office Open XML Standard
ISO/IEC has published the Office Open XML (OOXML) file format standard, formally known as ISO/IEC 29500:2008. It describes file formats originally designed by Microsoft for its Office 2007 productivity suite, which are used in presentation, spreadsheet and word processing applications.
- Dynamics NAV 2009 ERP Coming Next Month
Microsoft exec Kirill Tatarinov Wednesday described some new features to expect in the forthcoming Microsoft Dynamics NAV 2009 enterprise resource planning solution. He gave the keynote address at Microsoft's Convergence 2008 event in Copenhagen, Denmark.
