June 2008 - Posts
SQL Injection has been around for many years :) and you probably get over 3 million results when you google the term. So why is it so HOT now? Well, not so long ago some folks (don't ask me who!!, go read) were claiming that it was an IIS exploit, and hence that all IIS web servers are subject to it. The fact is that it has nothing to do with IIS; it is a web application issue, so if you have a web/database application running on Apache or even IBM WebSphere, etc., you are subject to the attack as well whenever user input is not properly validated. In short, the attack uses that input as a command line to issue specific commands to the database that are "not supposed" to happen via the application interface. For example, a user can easily manipulate the database schema and data, or even gain further access via the database system down to the operating system level.
Anyway, Microsoft just released a security advisory that covers how to detect the issue via a free scanner from HP, how to protect at the IIS level via URLScan 3.0 :) (take note that this is still beta), and how to identify it at the coding level via the Microsoft Source Code Analyzer for SQL Injection (take note that this analyzer only works for ASP).
While the above is useful and helpful, you probably want to educate your developers on secure coding by implementing proper input validation before the input is processed by the web or database system. The advisory contains a lot more information about the attack technique, best practices and more, so make sure you forward the details to your developers!!!
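As an added illustration (not code from the advisory or from this post), here is the vulnerable string-built query next to its parameterized form, plus the allow-list input validation the advisory asks developers to do. The users table is a constructed in-memory SQLite sample.

```python
import re
import sqlite3

# Constructed sample database (not from the original post).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])


def lookup_unsafe(username: str) -> list:
    """The vulnerable pattern: the input is spliced into the SQL text, so
    anything the user types becomes part of the command, not just a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    """Hardened form: a parameterized query keeps the input as data, so the
    database never parses it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for a username: letters, digits and underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    """Input validation at the application boundary, before the value reaches
    the web or database layer: reject anything outside the expected shape."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    tampered = "x' OR '1'='1"          # constructed input that is not a username
    print("unsafe:", lookup_unsafe(tampered))   # returns every row
    print("safe:  ", lookup_safe(tampered))     # returns nothing
    print("valid: ", validate_username(tampered))  # False
```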
Well, for last month we got zero new IIS KB articles, yet a few are related to IIS in a certain way.
941850 When you try to access files on a WebDAV site that uses only Digest authentication, the process may fail on a Windows Vista-based computer
942039 FIX: Visual Studio 2005 incorrectly creates a subfolder and moves a Web project to the newly created folder
The Microsoft Patterns & Practices team just published a beta copy of Improving Web Service Security for WCF (code name Indigo) last week. This is another great playbook from the team that gives us many great guides and practices for using Microsoft technologies. If you are into Indigo, this is a must read :)
Here's the chapter outline:
Chapter 01 - Security Fundamentals for Web Services
Chapter 02 - Threats and Countermeasures for Web Services
Chapter 03 - Security Design Guidelines for Web Services
Chapter 04 - WCF Security Fundamentals
Chapter 05 - Authentication, Authorization and Identities in WCF
Chapter 06 - Impersonation and Delegation in WCF
Chapter 07 - Message and Transport Security in WCF
Chapter 08 - WCF Bindings Fundamentals
Chapter 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Don't forget to check out more publications in the project directory (tag = patterns & practices) of the site for more practices and guidelines written by Microsoft and external experts from time to time.