"This [SQL injection attack trend] really started when companies began looking at Web 2.0 and decided that they had to have things like social networking and blogging on their sites," said Pescatore. "A lot of those features were added and didn't go through the normal checks [for secure code]. That kind of tinkering leads to a loss of discipline."
Tools like these, added Pescatore, "rattle the doorknobs" of a site, like a city cop on a beat once did as he passed through his neighborhood. "Better for us to rattle them first," said Pescatore.
Also Tuesday, Hewlett-Packard's Web security team posted "HP Scrawlr" -- short for "SQL Injector and Crawler" -- to its Web site. Like "fuzzers" that researchers use to spot potential security problems in, for instance, file formats, HP Scrawlr analyzes Web pages for vulnerability to SQL injection attack, then reports its findings.
Microsoft unveiled its free tools in an advisory posted by the Microsoft Security Response Center, which included download links for UrlScan and SQL Source Code Analysis Tool.
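The "normal checks for secure code" that Pescatore says the Web 2.0 features skipped, and that a source-code analysis tool automates, amount to one question: is SQL text assembled from user input, or passed to the database with parameters? The following Python example, added here as an illustration and not taken from UrlScan, the SQL Source Code Analysis Tool or HP Scrawlr, shows both halves of that check. The first function is a toy static scan over a constructed source sample that flags SQL built by string concatenation or f-string interpolation while leaving parameterized queries alone; the second runs a concatenated query and a parameterized one against an in-memory SQLite table with a perfectly legitimate name containing an apostrophe, which is enough to break the concatenated version. Function names, the regular expressions and the sample source are all assumptions for this example.

```python
import re
import sqlite3

# Constructed sample of application source code, the kind of input a
# source-code analysis tool inspects (illustrative, not from any real project).
SAMPLE_SOURCE = '''
def get_user(db, name):
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def get_post(db, post_id):
    return db.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchall()

def search(db, term):
    return db.execute(f"SELECT id FROM posts WHERE body LIKE '%{term}%'").fetchall()
'''

# A quoted string that begins with a SQL statement keyword.
SQL_START = re.compile(r'["\']\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# "..." + var   or   var + "..."  : SQL text glued together with a variable.
CONCAT = re.compile(r'["\']\s*\+\s*\w+|\w+\s*\+\s*["\']')
# f"... {var} ..." : SQL text with values interpolated at runtime.
FSTRING = re.compile(r'\bf["\'][^\n]*\{')


def find_sql_concat(source):
    """Return (line_number, line) for every line that builds SQL text from
    variables by concatenation or interpolation. Lines that use placeholder
    parameters (the '?' form) are not reported."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_START.search(line) and (CONCAT.search(line) or FSTRING.search(line)):
            findings.append((lineno, line.strip()))
    return findings


def compare_queries(user_input):
    """Run the concatenated and the parameterized form of the same lookup on a
    throwaway in-memory database. Returns (unsafe_result, safe_result), where
    unsafe_result is the row list or an 'error: ...' string if the database
    rejected the assembled SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    # Constructed rows; the second one is ordinary data with an apostrophe.
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "O'Brien")])
    try:
        unsafe = db.execute(
            "SELECT id FROM users WHERE name = '" + user_input + "'").fetchall()
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    # The parameterized form hands the value to the driver separately from the
    # statement text, so quoting inside the value never changes the query.
    safe = db.execute("SELECT id FROM users WHERE name = ?", (user_input,)).fetchall()
    db.close()
    return unsafe, safe


if __name__ == "__main__":
    for lineno, line in find_sql_concat(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL assembled from variables: {line}")
    print(compare_queries("alice"))
    print(compare_queries("O'Brien"))
```

The scan is deliberately crude; a real analysis tool follows data flow from request parameters to the query call rather than pattern-matching single lines. The second function makes the practical point: concatenation does not merely open the door to injection, it also fails on honest input, so the parameterized form is the correct one regardless of who is typing.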