1 Microsoft Source Code Analyzer for SQL Injection
Official download: http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en This tool, known as MSCASI, scans ASP code and finds the SQL injection vulnerabilities in it (ASP code is notorious for SQL injection vulnerabilities). You supply MSCASI with the source code, and MSCASI locates the code positions that are at risk for you.
2 URLScan 3.0
Official download: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1697 This tool makes IIS restrict certain types of HTTP requests; by restricting specific HTTP requests, it can prevent certain harmful requests from being executed on the server. UrlScan identifies malicious requests by a set of keywords and blocks them from being executed.
The following is the overview from the official website:
Overview
UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed.
Most malicious attacks share a common characteristic in that the attack involves the use of a request that is unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests.
By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the server. The UrlScan version 3.0 security tool will install on IIS 5.1 and later, including IIS 7.
Features
The UrlScan version 3.1 security tool gives administrators even greater control over UrlScan configuration, providing functionality that helps administrators further secure and lock down the server.
New features include:
- New installer that allows URLScan 3.1 to be installed on IIS 5.1 or later, including IIS 7.
- Deny rules that can be independently applied to URL, query string, all headers, a particular header or a combination of these.
- A global DenyQueryString section that lets you add deny rules for query strings with the option of checking un-escaped version of the query string as well.
- Support for escape sequences in the deny rules so it’s possible to deny CRLF and other non-printable characters in configuration.
- Multiple urlscan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).
- Configuration (urlscan.ini) change notifications that are propagated to worker processes without having to recycle them. Note that log settings still have to be recycled.
Benefits
The UrlScan version 3.1 security tool helps protect your server from attacks by filtering requests based on rules that you set. The rules enforce processing of only valid requests by the Web server. Even though UrlScan helps provide additional security for your IIS 5.1 or later web server, you should always evaluate and apply the latest security updates from Microsoft. As new security vulnerabilities are discovered, Microsoft publishes updates such as service packs, patches, or hotfixes. To help mitigate any risks such vulnerabilities might present, you need to apply these security updates as they become available.
Requirements
The following prerequisites must be fulfilled in order to install the new URLScan:
- You must be using IIS 5.1 or later.
- You must install UrlScan as an administrator. If User Access Control (UAC) is enabled, you must use the “Run as Administrator” option when installing.
- Previous versions of URLScan must be uninstalled before installing this version of URLScan.
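As an added illustration of the deny-rule features listed above (per-rule targeting of URL, query string or headers, the global DenyQueryString section with un-escaped matching, and escape sequences for CRLF), here is a urlscan.ini fragment written for this page; it is not taken from Microsoft's documentation or from the tool's shipped file. The section and rule names ("SQL Injection", "CRLF In Headers", the data sections) and the particular deny strings are choices made here, the RejectResponseUrl path is an assumed value, and the %0D%0A spelling of CRLF follows my understanding of the 3.x escape syntax.

```ini
; Added example urlscan.ini fragment for UrlScan 3.x (written for this page,
; not Microsoft's own file; rule names, deny strings and paths are assumed).
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
EnableLogging=1
PerDayLogging=1
; Also match [DenyQueryString] entries against the %XX-decoded query string,
; so "%27%20or%201%3D1" is checked as "' or 1=1" in addition to its raw form.
UnescapeQueryString=1
; Assumed path: rejected requests are redirected here instead of a bare 404
RejectResponseUrl=/Rejected-By-UrlScan

[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[DenyUrlSequences]
..
./
\
:

; Global deny list applied to the query string of every request
[DenyQueryString]
<script
%3C%73%63%72%69%70%74

; Named rules; every name listed here needs a section of its own below
[RuleList]
SQL Injection
SQL Injection Headers
CRLF In Headers

; Rule 1: SQL keywords in the query string, only for script extensions
[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

; Rule 2: the same keyword list, but applied to one particular header
[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=0
ScanHeaders=Cookie:

; Shared data section referenced by both rules above
[SQL Injection Strings]
--
;
/*
@
char
declare
exec
select
union
xp_

; Rule 3: escape sequences allow non-printable bytes in a deny rule;
; %0D%0A is CRLF, scanned across all raw request headers
[CRLF In Headers]
AppliesTo=.asp,.aspx
DenyDataSection=CRLF Strings
ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=

[CRLF Strings]
%0D%0A
```

Keyword lists like the one above are blunt: a legitimate parameter value containing "select" or "--" will be rejected too, so run a new rule set with EnableLogging=1 against normal traffic first and review the UrlScan log for false rejections before relying on it in front of a production site.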
3 Scrawlr
Official download: https://download.spidynamics.com/Products/scrawlr/ This tool, developed jointly by Microsoft and HP, crawls a website, analyzes the query strings of every page, and finds the SQL injection risks in them. Scrawlr uses some of the same technology as HP WebInspect, but checks only for SQL injection risks. Starting from an initial URL, Scrawlr crawls the whole site and analyzes every page on it to find possible vulnerabilities.
Recommended portable version: http://www.xdowns.com/soft/8/19/2008/Soft_44111.html