SQL Injection Security Experiences

Last evening I tried out two of the tools that Joe Stagner wrote about in his blog post Tools to block and eradicate SQL injection. Since I manage a classic ASP web application that was completely lacking in security and potentially vulnerable to these attacks, I thought I'd share my experiences.

The Source Code Analyzer for SQL Injection tool looks promising, but it is a command-line tool and you have to feed it the path to each of your ASP web pages. I was only able to test a few pages. You will need to find some way to automate the process of feeding it ASP file paths and gathering the output. I suppose this could be done by piping multiple commands together or through custom scripting.

The HP Scrawlr does not appear to crawl a site very deeply and may not use the particular SQL Injection attack that is causing so much grief. It did not find any vulnerabilities in my classic ASP web application. It also did not find any potential problems with the e-commerce software I customize.

Coincidentally, I had a user complain that he could not log in to the classic ASP web application I secured. His email address included the string "exec" and I was not accepting that as input. I had to remove that SQL keyword from the filter. That just goes to show that keyword blacklist filters are not the way to handle this problem. I also used a lot of stored procedures with parameters.
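As an added illustration of that point (example code, not from the original post or the application it describes), here is a Python/sqlite3 version of the two approaches: the keyword blacklist falsely rejects a legitimate address containing "exec", while a parameterized query accepts it, and a legitimate apostrophe in an address shows that string-concatenated input reaches the SQL parser. The table contents and keyword list are constructed for the example.

```python
import sqlite3

# Constructed in-memory user table with sample rows (plaintext passwords
# only to keep the demo short; not data from the original post).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("exec.officer@example.com", "s3cret"), ("o'brien@example.com", "pw2")],
)

# Keyword blacklist of the kind the post describes (constructed list).
BLOCKED_KEYWORDS = ("exec", "select", "insert", "drop", "union", "--", ";")


def keyword_filter_allows(value: str) -> bool:
    """Blacklist check: False if the input contains any blocked keyword.
    It rejects legitimate data such as 'exec.officer@example.com'."""
    lowered = value.lower()
    return not any(k in lowered for k in BLOCKED_KEYWORDS)


def login_concat(email: str, password: str) -> bool:
    """Vulnerable pattern: user input spliced into the SQL text, so the
    database parser treats it as part of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE email = '" + email +
           "' AND password = '" + password + "'")
    return _conn.execute(sql).fetchone()[0] > 0


def login_param(email: str, password: str) -> bool:
    """Hardened pattern: bound parameters; the value is never parsed as SQL,
    so no keyword filtering is needed and any characters are accepted."""
    sql = "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?"
    return _conn.execute(sql, (email, password)).fetchone()[0] > 0


def concat_breaks_on(email: str, password: str) -> bool:
    """True if the concatenated query fails to parse for this input, which
    shows the input reaches the SQL parser (the root of the injection risk)."""
    try:
        login_concat(email, password)
        return False
    except sqlite3.OperationalError:
        return True
```

In classic ASP the equivalent of the parameterized version is an ADODB.Command with CreateParameter, which is what calling stored procedures with parameters gives you.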

Unfortunately, my classic ASP site uses many iframes and include files, which make it difficult to be confident about finding every vulnerable script. I just loaded the site in Visual Studio 2005 and did searches for SQL strings to find vulnerabilities.

I was planning on creating my own web crawler that would attack my development sites with the actual exploit, which may not be caught by some filters. I may still do that. I'd like a more thorough web crawler that generates a detailed report.
