The SQL injection that has come up is affecting several ASP and ASP.NET applications. Although the only way to prevent an attack is to validate the code, hopefully these posts will provide some direction. I included some links that discuss this more.
- http://forums.iis.net/p/1149068/1868206.aspx (Post by Bill Staples)
- http://forums.iis.net/t/1148917.aspx?PageIndex=1 (almost a million views, definitely worth reading)
- http://forums.iis.net/p/1150026/1872364.aspx
- http://forums.iis.net/p/1150023/1872371.aspx
- http://forums.iis.net/p/987743/1278151.aspx
Here's a list of additional reading:
Building Secure ASP.NET Applications - Authentication, Authorization, and Secure Communication.
http://www.microsoft.com/downloads/details.aspx?FamilyID=055ff772-97fe-41b8-a58c-bf9c6593f25e&DisplayLang=en
Improving Web Application Security - Threats and Countermeasures
http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en
This link talks about the issue from an ASP.NET perspective: SQL Injection Attacks
http://msdn2.microsoft.com/en-us/library/aa302392.aspx#secnetch12_sqlinjectionattacks
Sample code provided by Microsoft to validate SQL statements.
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
Log parser examples
http://weblogs.asp.net/steveschofield/archive/2008/04/26/clarification-on-iis-reported-sql-injection-exploits.aspx
Youtube
http://youtube.com (search for sql injections) This will show several videos posted on how people are doing this.
To do a quick search, type the following from a command prompt:
findstr "CAST(" ex080622.log > ss.txt (change the log file date to match your log)
Note that the 'CAST' search is case sensitive.
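As an added example (not from the original post or from Microsoft's sample code), here is a Python script that parses IIS W3C log lines and flags query strings containing CAST(, DECLARE or EXEC after URL-decoding them and matching case-insensitively, which catches the lower-case and percent-encoded forms that a case-sensitive findstr "CAST(" would miss. The log lines and the hex literal in them are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not a real log): a #Fields header, one
# ordinary request, and one request whose query string carries a lower-case,
# URL-encoded cast( that findstr "CAST(" does not match.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-06-22 10:15:01 10.0.0.5 GET /products.asp id=42 192.0.2.10 200
2008-06-22 10:15:07 10.0.0.5 GET /products.asp id=42%3BDECLARE%20@s%20varchar(100)%3BSET%20@s%3Dcast(0xDEADBEEF%20AS%20varchar(100)) 192.0.2.77 200
"""

# Tokens typical of the injected query strings: CAST( on a hex literal,
# DECLARE of a variable, EXEC( of the built string. Matched case-insensitively.
SUSPECT = re.compile(r"\bCAST\s*\(|\bDECLARE\s+@|\bEXEC\s*\(", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")  # query strings are percent-encoded, so no spaces
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspect_requests(text):
    """Return (client ip, uri stem, decoded query, matched tokens) for suspect rows."""
    hits = []
    for row in parse_w3c(text):
        # Decode twice: double-encoded input is common, and decoding a plain
        # string a second time is harmless. "-" is IIS's empty query marker.
        query = unquote_plus(unquote_plus(row.get("cs-uri-query", "-")))
        tokens = sorted({m.group(0).upper() for m in SUSPECT.finditer(query)})
        if tokens:
            hits.append((row["c-ip"], row["cs-uri-stem"], query, tokens))
    return hits


if __name__ == "__main__":
    for ip, stem, query, tokens in find_suspect_requests(SAMPLE_LOG):
        print(f"{ip} {stem} matched {tokens}: {query}")
```

Run it against a real log by reading the file into a string in place of SAMPLE_LOG; the c-ip column of the hits is the list of sources to block or investigate.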