
Thread: urlScan 3.0 rtw [AlwaysAllowedUrls] not working?

Last post 08-28-2008 9:20 PM by Rovastar. 3 replies.


  • 08-25-2008, 2:30 PM

    • ytkaczyk
    • Not Ranked
    • Joined on 05-19-2007, 9:34 PM
    • Posts 5

    urlScan 3.0 rtw [AlwaysAllowedUrls] not working?

    I would like to allow a search page to accept all text in the query string. To do this I added the result page to the [AlwaysAllowedUrls].

    One thing that is ambiguous from the documentation is if the [AlwaysAllowedUrls] settings also bypasses the custom rules and if the pages listed in [AlwaysAllowedUrls] can have any query string values. It does not seem to be the case but I thought I would check. Could anybody shed any light on this?

    Thank you.

    Yves

  • 08-28-2008, 7:26 AM In reply to

    Re: urlScan 3.0 rtw [AlwaysAllowedUrls] not working?

    Hi Yves,

    AlwaysAllowedUrls is used only to bypass all URL-based checks. UrlScan will perform other checks; to bypass query string checks you can use AlwaysAllowedQueryStrings.

    You can see the example here.
    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

    "Please remember to click 'Mark as Answer' on the post that helps you, and to click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread."
  • 08-28-2008, 11:46 AM In reply to

    • ytkaczyk
    • Not Ranked
    • Joined on 05-19-2007, 9:34 PM
    • Posts 5

    Re: urlScan 3.0 rtw [AlwaysAllowedUrls] not working? Wildcard/regex in [AlwaysAllowedQueryStrings]

    Hi Zhao,

    Thank you for your reply. I now understand how [AlwaysAllowedUrls] works and that the query string check is still performed on the allowed URLs.

    To clarify, here is what I would like to achieve. For instance, I would like the following 'url+query string' to be valid:

    http://www.domain.com/search.aspx?keyword=declare(exec(...))

    with proper escaping of course. I initially added the following to the urlscan.ini

    [AlwaysAllowedUrls]
    /
    search.aspx

    but as you explained, this should not and did not work. Looking at the documentation and from my experimentation, there is no way to introduce any wildcard in the [AlwaysAllowedQueryStrings] section, which is what I would need here. Ideally, I would like to be able to define something like (if regex is possible):

    [AlwaysAllowedQueryStrings]
    keyword=.*

    Is this possible? This would be very useful for implementing the Sql Injection custom rules.

    Thank you,

    Yves

  • 08-28-2008, 9:20 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: urlScan 3.0 rtw [AlwaysAllowedUrls] not working? Wildcard/regex in [AlwaysAllowedQueryStrings]

    There is no Regex in urlscan 3

    I don't think that * will work, and if it doesn't, it defeats the objective of the rules for SQL injections. Allowing all query strings for /search.aspx (I can't remember, but I don't think you can mix the two explicitly together anyway) will be a vulnerability. A hacker will just use an attack on that page.

    I am confused by what you are trying to do. Allowing declare(exec(...)), etc. will just allow people in. Why not just remove certain words for your SQL injection rules?

     

    Most overused word in IT is 'should' as in 'That should work!?!'
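
    The two allow lists and the custom SQL injection rule discussed in this thread, laid out together in one urlscan.ini fragment as an added example (this is the editor's illustration, not a file posted in the thread and not taken from Microsoft's documentation). The section and option names ([RuleList], AppliesTo, DenyDataSection, ScanQueryString, DenyUnescapedPercent, [AlwaysAllowedUrls], [AlwaysAllowedQueryStrings]) are UrlScan 3.0's; the path /search.aspx and the deny strings are illustrative values, and the comments about what each list does and does not bypass follow Zhao Ji Ma's and Rovastar's replies above rather than a tested installation. Points marked as assumptions are not confirmed anywhere on this page.

```ini
; Added example, not from the thread: how the pieces discussed above fit
; together in urlscan.ini for UrlScan 3.0. /search.aspx and the deny
; strings are illustrative values chosen for this example.

[Options]
; Assumption: UnescapeQueryString=1 makes the query string checks run on
; the unescaped form of the query string, so %27 and ' are treated alike.
UnescapeQueryString=1

[RuleList]
SQL Injection

; Custom rule: scan the query string of .aspx requests for any sequence
; listed in the data section named by DenyDataSection and reject on a hit.
[SQL Injection]
AppliesTo=.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[SQL Injection Strings]
--
%3b      ; semicolon
%27      ; apostrophe
declare
exec
xp_

; Per the reply above, this list exempts a URL from the URL-based checks
; only (DenyUrlSequences, DenyExtensions and the like). It does NOT exempt
; the query string, so the rule above still fires on
;   /search.aspx?keyword=declare(exec(...))
; Assumption: entries are written as an absolute path with a leading slash.
[AlwaysAllowedUrls]
/search.aspx

; Exempts a query string from the query string checks. Entries are literal:
; the thread reports no wildcard or regex support, so "keyword=.*" cannot
; be expressed here. Whether an entry has to match the whole query string
; or only its start is not settled on this page; treat the entry below as
; allowing exactly this one query string and nothing else.
[AlwaysAllowedQueryStrings]
keyword=declare

; What not to do: there is no supported way to allow every query string for
; one page, and emulating it (dropping .aspx from AppliesTo, or emptying
; [SQL Injection Strings]) would leave /search.aspx reachable with any
; injection payload, which is exactly the vulnerability Rovastar warns about.
```

    Rovastar's point applies to every knob in this fragment: each string removed from [SQL Injection Strings] and each entry added to [AlwaysAllowedQueryStrings] is a path through UrlScan that an attacker can take too, so the search page's own handling of the keyword parameter has to be what stops injection, with the UrlScan rule as a second layer rather than the only one.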