August 2008 — News
UrlScan 3.0 Aims To Block SQL Injection Attacks
Microsoft has released an improved security filter for its Internet Information Services (IIS) Web server that is designed to help thwart SQL injection attacks. The free add-on, UrlScan 3.0 (Release-to-Web version), inspects incoming HTTP requests in real time, before they reach the Web application, and rejects those that match administrator-defined rules.
SQL injection attacks have become a worldwide problem in the last eight months or so. They have hit Web sites built on Microsoft's widely deployed ASP and ASP.NET, and can affect any dynamic Web site whose code builds database queries from unvalidated user input.
In June, Microsoft issued Security Advisory 954462, explaining that the SQL injection attack problem did not lie with SQL Server per se. Rather, poor security practices in Web applications are to blame, company officials explained.
In a SQL injection attack, the attacker places SQL syntax in input that a Web application hands to the database, typically a value in the HTTP query string or a form field. If the application concatenates that input into a query instead of validating it and binding it as a parameter, SQL Server executes the attacker's statements with the application's privileges, which can expose or corrupt the site's back-end data.
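The concatenation pattern the advisory blames, as an added example that is not from the article or from Microsoft: it is shown in Python against an in-memory SQLite database rather than in ASP against SQL Server, because the mechanism is the same in every dialect. The schema, rows and the attacker's value are constructed for illustration; `vulnerable_lookup` and `safe_lookup` are names chosen here.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows standing in for a site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)",
                     [("Widget", 1), ("Gadget", 1), ("Unreleased prototype", 0)])
    return conn


def vulnerable_lookup(conn, product_id):
    """Deliberately vulnerable: the request value is concatenated into the
    statement, the practice the Microsoft advisory blames, so attacker text
    becomes SQL syntax. With product_id = "1 OR 1=1" the WHERE clause collapses
    to (public = 1 AND id = 1) OR 1=1 and every row, public or not, comes back."""
    sql = ("SELECT name FROM products WHERE public = 1 AND id = "
           + product_id + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, product_id):
    """Hardened: validate the value's shape, then bind it as a parameter so the
    database treats it as data and never as part of the statement."""
    if not product_id.isdigit():
        raise ValueError("id must be a decimal integer")
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(product_id),))]


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"  # constructed value an attacker might send as ?id=...
    print(vulnerable_lookup(conn, payload))  # the non-public row leaks too
    try:
        safe_lookup(conn, payload)
    except ValueError as err:
        print("rejected:", err)
```

The fix is the parameter binding, not the `isdigit` check on its own; the check is there because rejecting malformed input early also keeps a filter such as UrlScan from being the only line of defence.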
UrlScan has been available for about five years, but Microsoft added some new features in Version 3.0. Perhaps the most important improvement is that UrlScan 3.0 provides support for query string scanning.
For technical reasons, previous versions of UrlScan did not examine the query string in the server request. Instead, UrlScan Version 2.5 blocked server requests based on aspects such as URL string length, according to Wade Hilmo, Microsoft's senior development lead on the IIS product team, the team that wrote UrlScan.
"In [UrlScan] 3.0, we added the ability to do filtering based on the query string, in addition to the URL," Hilmo said. "We also added the ability to create more granular rules that can be targeted to specific types of requests. For example, you can write a rule that only applies to ASP pages or PHP pages, which is something you would never be able to do in UrlScan 2.5."
Another improvement for developers is the ability to specify a safe list of URLs and query strings that can bypass UrlScan checks. In addition, Version 3.0 uses W3C-formatted logs for ease of analysis.
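To make the rule model concrete, here is an added example written for this page, not code from Microsoft or from UrlScan itself: a small Python model of the 3.0 rule semantics the article describes (query-string scanning, rules targeted at particular extensions, and a safe list that bypasses the checks), driven by a constructed UrlScan.ini fragment. The section and key names ([RuleList], AppliesTo, DenyDataSection, ScanUrl, ScanQueryString, [AlwaysAllowedUrls], [AlwaysAllowedQueryStrings]) follow the UrlScan 3.0 reference as I recall it; the deny strings and the sample requests are constructed, and exact case-insensitive matching of safe-list entries plus always-on percent-decoding of the query string are simplifying assumptions. It does not reproduce the filter's full behaviour (header scanning, normalization checks, logging).

```python
from urllib.parse import unquote

# Constructed UrlScan.ini fragment in the UrlScan 3.0 layout: [RuleList] names a
# rule section, which selects a deny-string section and says which extensions and
# which request parts it covers. The deny strings are illustrative assumptions.
SAMPLE_INI = """
[AlwaysAllowedUrls]
/healthcheck.asp
[AlwaysAllowedQueryStrings]
q=it's
[RuleList]
SQLInjection
[SQLInjection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanQueryString=1
[SQL Injection Strings]
--
'
xp_
"""

def parse_ini(text):
    """Section name -> raw lines (UrlScan list sections hold bare values, not key=value)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def keyvals(lines):
    """key=value lines of a section as a dict; bare lines are ignored."""
    return dict(line.split("=", 1) for line in lines if "=" in line)

def build_rules(sections):
    """Turn [RuleList] and the rule sections it names into rule dicts."""
    rules = []
    for name in sections.get("RuleList", []):
        kv = keyvals(sections[name])
        rules.append({
            "name": name,
            # Empty AppliesTo means the rule covers every request.
            "applies_to": tuple(e.strip().lower() for e in kv.get("AppliesTo", "").split(",") if e.strip()),
            "scan_url": kv.get("ScanUrl", "0") == "1",
            "scan_query": kv.get("ScanQueryString", "0") == "1",
            "deny": [s.lower() for s in sections[kv["DenyDataSection"]]],  # matching is case-insensitive
        })
    return rules

def check_request(path, query, sections, rules):
    """Return (allowed, reason) for one request's path and raw query string."""
    # Safe lists bypass every rule (the escape hatch the article mentions). Exact,
    # case-insensitive matching of safe-list entries is this model's assumption.
    if path.lower() in [u.lower() for u in sections.get("AlwaysAllowedUrls", [])]:
        return True, "AlwaysAllowedUrls"
    if query.lower() in [q.lower() for q in sections.get("AlwaysAllowedQueryStrings", [])]:
        return True, "AlwaysAllowedQueryStrings"
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""
    # Percent-decode before matching so %27 cannot smuggle a quote past the rule
    # (UrlScan 3.0's UnescapeQueryString option; assumed on here).
    decoded = unquote(query).lower()
    for rule in rules:
        if rule["applies_to"] and ext not in rule["applies_to"]:
            continue
        targets = ([path.lower()] if rule["scan_url"] else []) + ([decoded] if rule["scan_query"] else [])
        for seq in rule["deny"]:
            if any(seq in t for t in targets):
                return False, "%s:%s" % (rule["name"], seq)
    return True, "no rule matched"

# Constructed sample requests as (path, raw query string).
REQUESTS = [
    ("/products.asp", "id=1"),
    ("/products.asp", "id=1%27%20OR%20%271%27=%271"),  # percent-encoded quote
    ("/products.asp", "id=1 exec xp_cmdshell"),
    ("/search.php", "q=1' OR '1'='1"),                  # rule targets ASP only
    ("/healthcheck.asp", "probe=';--"),                 # safe-listed URL
    ("/products.asp", "q=it's"),                        # safe-listed query string
]

def run(ini_text=SAMPLE_INI, requests=REQUESTS):
    sections = parse_ini(ini_text)
    rules = build_rules(sections)
    return [check_request(p, q, sections, rules) for p, q in requests]

if __name__ == "__main__":
    for (p, q), (ok, why) in zip(REQUESTS, run()):
        print("%-5s %s?%s  (%s)" % ("ALLOW" if ok else "DENY", p, q, why))
```

Running it prints one verdict per request. The PHP request carries the same injected quote as the ASP one but passes, which is the per-extension targeting Hilmo describes, and the safe-listed `q=it's` shows why the bypass list exists: a plain apostrophe in legitimate input would otherwise trip the rule. That is also the caveat a practitioner should keep in mind: string-matching on the query string is defence in depth against the pattern in the advisory, not a substitute for parameterized queries in the application.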