
Thread: URLScan 3.0 RTW: [AlwaysAllowedQueryStrings]

Last post 09-08-2008 3:14 AM by jgraham. 2 replies.


  • 09-02-2008, 9:46 AM

    • jgraham
    • Not Ranked
    • Joined on 09-02-2008, 9:41 AM
    • Posts 2

    URLScan 3.0 RTW: [AlwaysAllowedQueryStrings]

    Doing some testing, currently, and running into some issues with this.

    We've got a couple cases where things like 'cast' or 'open' are appropriate for our webpages.

    I've setup an AlwaysAllowedQueryStrings section:

     

    [AlwaysAllowedQueryStrings]
    branch=Openshaw
    branch=Newcastle+upon+Tyne

     

    Now, this is great... and it works fine, if I look up /town.asp?branch=Openshaw

    However, some of our pages will send branch=Openshaw&x=22&y=9 and URLScan appears to be treating "&x=22&y=9" as part of branch=

    Is there any way around this? The product could really save us while we hound vendors to update their code to account for SQL injection/etc. But with these cases, it would do about as much harm as good, at this stage.

    Thanks in advance.

  • 09-05-2008, 6:38 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 98

    Re: URLScan 3.0 RTW: [AlwaysAllowedQueryStrings]

    The AlwaysAllowedQueryStrings feature will only work with fully formed query strings.

    If we were to allow a portion of the string to bypass the rules, then it would be possible for an attacker to evade the rules by including a safe string.

    Thanks,
    -Wade
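    To make Wade's point concrete, here is an added example (not URLScan's own code) that models the two ways an allowlist entry could be matched and shows why a partial match is unsafe. The section names DenyQueryStringSequences and AlwaysAllowedQueryStrings are URLScan 3.0's; the deny sequences, the matching logic and the third, per-parameter variant are constructed for illustration and are not something this thread says URLScan offers.

```python
# Added example, not URLScan's code: a toy model of URLScan 3.0 query-string
# filtering, used to show why [AlwaysAllowedQueryStrings] has to match the
# complete query string. Rule contents and matching logic are constructed.
from urllib.parse import urlsplit

# Constructed [DenyQueryStringSequences]: substrings that get a request denied.
DENY_QUERY_STRING_SEQUENCES = ["cast", "open", "--", ";"]

# [AlwaysAllowedQueryStrings] exactly as posted in the thread.
ALWAYS_ALLOWED_QUERY_STRINGS = ["branch=Openshaw", "branch=Newcastle+upon+Tyne"]


def _denied_sequences(text):
    """Return the deny sequences found in text (case-insensitive)."""
    lowered = text.lower()
    return [s for s in DENY_QUERY_STRING_SEQUENCES if s.lower() in lowered]


def filter_exact(url):
    """Model of the shipped behaviour Wade describes: an allowlist entry
    exempts a request only when it equals the whole query string.
    branch=Openshaw&x=22&y=9 is therefore still scanned, and 'open'
    inside 'Openshaw' trips the deny rule."""
    query = urlsplit(url).query
    if query.lower() in {a.lower() for a in ALWAYS_ALLOWED_QUERY_STRINGS}:
        return "allowed"
    return "denied" if _denied_sequences(query) else "allowed"


def filter_prefix(url):
    """What the original poster asked for: skip the deny rules when the
    query string merely starts with an allowed entry. Constructed only to
    show the evasion: anything appended after the safe prefix is never
    inspected, so an attacker just leads with 'branch=Openshaw&'."""
    query = urlsplit(url).query.lower()
    if any(query.startswith(a.lower()) for a in ALWAYS_ALLOWED_QUERY_STRINGS):
        return "allowed"
    return "denied" if _denied_sequences(query) else "allowed"


def filter_per_parameter(url):
    """Constructed alternative (not a URLScan feature): exempt only the
    exact name=value pair that was allowlisted and keep scanning every
    other pair. This serves the poster's page (branch=Openshaw&x=22&y=9)
    without the prefix bypass, because the exemption never extends past
    the one parameter it names."""
    allowed = {}
    for entry in ALWAYS_ALLOWED_QUERY_STRINGS:
        name, _, value = entry.partition("=")
        allowed.setdefault(name.lower(), set()).add(value.lower())
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if value.lower() in allowed.get(name.lower(), set()):
            continue  # exactly this allowlisted pair is exempt
        if _denied_sequences(pair):
            return "denied"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample requests, including the thread's own example and
    # an evasion attempt that hides 'cast' behind the allowlisted prefix.
    for u in ("/town.asp?branch=Openshaw",
              "/town.asp?branch=Openshaw&x=22&y=9",
              "/town.asp?branch=Openshaw&id=cast(1+as+int)"):
        print(u, filter_exact(u), filter_prefix(u), filter_per_parameter(u))
```

    Running it shows the trade-off in one line per request: the exact-match model denies the poster's legitimate branch=Openshaw&x=22&y=9, the prefix model allows it but also allows the request carrying cast(...) behind the same prefix, and the per-parameter model allows the first while still denying the second, because the exemption is scoped to the one value that was actually reviewed rather than to everything that follows it.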

  • 09-08-2008, 3:14 AM In reply to

    • jgraham
    • Not Ranked
    • Joined on 09-02-2008, 9:41 AM
    • Posts 2

    Re: URLScan 3.0 RTW: [AlwaysAllowedQueryStrings]

    That's nice in theory, but in practice it's extremely limiting.

    We have a number of files which we've secured, and have no need for URLScan to protect. As URLScan is not intended to be the final solution, it would make sense to have a way for it to add extra cover for files which we have not yet hardened, while allowing us to bypass its protection on files we have already finished hardening.
