Web Server Attacks

From the Washington Post, April 25, 2008:

Quote... Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. Unquote...

Apparently there have been an estimated half-million attacks on different Web sites this week alone. There seems to have been a rush to judgement in trying to point the finger of blame at a recent Microsoft Security Advisory (951306). According to Bill Staples, Product Unit Manager for IIS, "Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

These attacks are not related to that security advisory; they are aimed at sites, on any platform, that are open to SQL Injection. What we are really seeing is a growth in SQL Injection over other types of attack. Although the technique has been around for a long time, it has been gaining in popularity among hackers over the last couple of years, and now seems to be more popular than cross-site scripting or buffer overflow exploits. I would argue that this would not be the case for ASP.NET sites if basic input validation and SQL parameters, in combination with stored procedures, were employed, as is the recommended practice.

At the very least, even if you are still using ASP and haven't time to convert to stored procedures, check your input data! All input data is evil and when designing your application you should take time to consider where else that input may be coming from, such as query parameters, cookies, etc. Watch this space...

Comments (4)
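The two recommendations above (validate every input, and bind values as SQL parameters rather than pasting them into the query) in working form, as an added example that is not part of the original post; it uses Python with SQLite as a stand-in for the ASP/ASP.NET data-access code the post has in mind, and the table contents and search terms are constructed for the example.

```python
import re
import sqlite3

def make_db():
    # Constructed sample catalogue standing in for a site's database;
    # the unpublished row is the data a broken filter would leak.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget", 1), (2, "Gadget", 1), (3, "Prototype", 0)])
    return conn

def search_vulnerable(conn, term):
    # The defect: the request value is pasted into the SQL text, so quotes,
    # operators and comment markers inside it are parsed as SQL, not as data.
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    # The fix the post recommends: the query shape is fixed and the value is
    # bound as a parameter, so whatever it contains is matched as text only.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]

_ID_RE = re.compile(r"[1-9][0-9]{0,8}")

def product_id_from_request(raw):
    # Input validation for a value that should be a small positive integer,
    # whether it arrives in the query string, a form field or a cookie:
    # allowlist the exact shape and reject everything else.
    if not _ID_RE.fullmatch(raw):
        raise ValueError("invalid product id")
    return int(raw)

def get_product(conn, raw_id):
    # Validation and parameter binding together; neither replaces the other.
    pid = product_id_from_request(raw_id)
    row = conn.execute(
        "SELECT name FROM products WHERE id = ? AND published = 1", (pid,)
    ).fetchone()
    return row[0] if row else None
```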

ken (United States), 5/5/2008 12:38:47 AM:

Nobody seems to want to pay for good (much less great!) software. Business decision-makers have this notion that writing software is easy and takes little skill, and that software developers are out to screw them at every turn. So, they do one of the following:

1) pick the development company with the cheapest quote
2) if developing in-house, they pay the developers far less than the company average
3) if in-house developers are actually paid well, there's still the possibility that they're far over-tasked and/or under-staffed (both due to complete thriftiness on their employer's part) so that projects are doomed from the onset

Exhibit A: http://www.711chan.org/ex/res/334.html

What you see there (in Exhibit A), is a list of companies that chose to go the cheap route. The old saying, you get what you pay for, still applies...

I'm not saying it's right to exploit or deface websites, however, but if you will notice, this happens from time to time. This time it was a wave of SQL-I attacks, but it could just as easily have been insecure OS/applications, XSS, XSRF, etc., and every time I see it happen, I get the mental image of a wild and raging forest fire, burning everything in its path, but what's left is plenty of room for regrowth and renewal.

agrace (United States), 5/5/2008 12:59:30 AM:

The following is the Blog Thread from Bill Staples (one of the managers on the IIS teams) and is the official Microsoft thread for this issue: http://forums.iis.net/p/1149068/1868206.aspx. The most recent post is actually a few scripts for ASP and ASP.Net that help protect against SQL Injection attacks. The thread will continue to have more information but I've included the latest information for your convenience:

Re: SQL Injection Attacks on IIS Web Servers

Today we provided a few scripts for ASP and ASP.net developers to help protect against SQL Injection attacks. Please see:

Nazim's post on steps to protect your classic ASP application here:

blogs.iis.net/.../...jection-from-classic-asp.aspx

and Stefan's post on how to protect your ASP.NET application here:

http://forums.asp.net/t/1254125.aspx

Aaronontheweb (United States), 5/5/2008 5:07:20 AM:

500,000 injections this week? This is 2008, right? Damn - when will people learn to use the plethora of injection-safe technologies out there? Stored Procedures have been around for almost a decade for crying out loud!

agrace (United States), 5/5/2008 7:19:08 AM:

Well, it looks like they're hiring:

jobs.un.org/.../Display_Vac_List.aspx

Wink
