« Previous Next »

• 08-29-2008, 11:55 AM

  sauminpatel Joined on 07-23-2003, 10:03 AM New York Posts 2

  urlscan and querystring Reply Contact hi, our site is getting sql injection attacks right now and we have put up urlscan 3.0 on IIS 6. it is working fine. however, we have a search textbox where people can search for terms on our site...here if i enter words like "insertis" or "kill", etc (which are valid keywords on our site), urlscan catches it and rejects the request. I wanted to find out how can i avoid this? there are many keywords (and they are changing too!) on our site, so i cant put it under allowedquerystrings. Please let me know ASAP. Thanks!

• 08-31-2008, 11:40 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 3,463	Re: urlscan and querystring Reply Contact Make sure your key words list in your sql injection attack does not have the key words you mentioned.  I would verify what is listed in your rule. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget

• 09-03-2008, 4:35 PM

  In reply to

  sauminpatel Joined on 07-23-2003, 10:03 AM New York Posts 2	Re: urlscan and querystring Reply Contact Hi Steve, Thanks for your response. I have the rules from your blog...but the problem is that even a keyword like "drop table" is a valid keyword on our site. How can i get around this problem? also, like i mentioned earlier "kill" is also a valid keyword. Please advise. Thanks!

• 09-05-2008, 3:16 PM

  In reply to

  naziml Joined on 03-10-2008, 6:25 PM Posts 30	Re: urlscan and querystring Reply Contact Keep trimming the rules list till you remove the false positives. Remember that UrlScan is only a stopgap for you to protect your resources while you fix your application to be hardened against SQL injection. The real fix for the issue is to fix your web application logic. HTH.

• 09-05-2008, 5:40 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 3,463

  Re: urlscan and querystring Reply Contact I agree with the previous post.  As they mention trimming rules, start with the common ones like CAST(, DECLARE, EXEC to see if you stop injections.  If you just monitor the querystring item, that can help cutdown on false positives.  I tried monitoring the RAW parameter and had a lot of legitimate traffic blocked.  The only way as the other poster said is to validate your input parameters before submitting to your data store. Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield http://www.IISLogs.com Log archival solution Install, Configure, Forget