Fiend
1 Post
IIS 6.0, URLScan 3.1 and Core Impact SQL Injection vulnerability scans
Apr 06, 2012 03:49 PM
Hello,
Do any of you have experience with using Core Impact to do vulnerability scans? We have a .NET 1.1 site that is sitting on IIS 6.0 and Windows 2003 using URLScan as an ISAPI filter to harden the system.
Core Impact is trying to test GET parameters on some of the outer pages of the website by passing in character sequences to these parameters that would typically be used for SQL Injection attacks ( ' , -- , etc.). It seems like the more character sequences that we actually BLOCK with URLScan, the more the Core Impact software comes back with findings. For example, if we block -- as a valid parameter value in the querystring through the URLScan config, instead of one finding we get 3.
We are certain that these findings are all false positives as they are GET parameters (through the URL) that don't even go to SQL Server in a query in the first place! Also, URLScan returns a 404 for any GET request that has offending characters in the URL or the querystring of the URL.
One example of a parameter in the URL being tested is ReturnURL. This is used by .NET for Forms Authentication. The value isn't going anywhere near SQL, but the Core Impact software is coming back with SQL Injection findings (it tests a number of character sequences as the ReturnURL value... ' , -- , etc. It even tests putting in an uppercase A and claims that is a finding which makes no sense to me.).
We don't have any involvement with the scanning process or the tool itself, but the person in charge doing the scans is holding strong to the results of the scan, when I think that the tool may be meant to point out POSSIBLE findings, not DEFINITIVE ones.
We are trying to get permission to get in contact with the Core Impact vendor, but in the meantime our system is down. I just wanted to see if any of you maybe had some experience with this or some guidance (from the URLScan angle) in getting a clean scan.
Thanks!
Mamba Dai - ...
651 Posts
Microsoft
Re: IIS 6.0, URLScan 3.1 and Core Impact SQL Injection vulnerability scans
Apr 09, 2012 07:02 AM
Hi,
Sorry, I have no experience with Core Impact.
According to your description, UrlScan may address your requirement. UrlScan is a security tool that can block and restrict specific HTTP requests.
Administrators may configure UrlScan to reject HTTP requests based on the following criteria:
The HTTP request method or verb
The file name extension of the requested resource
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of specified character sequences in the URL
Presence of specified headers in the request
I suggest you do some research about UrlScan; it's really a compelling security tool to prevent potentially harmful requests from reaching your web server:
http://learn.iis.net/page.aspx/726/urlscan-overview/
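As an added example (not code from the thread or from UrlScan itself), here is a small Python model of the "specified character sequences" check the reply lists, run over constructed probes against the ReturnURL parameter from the question. The sequence lists, the unescape_query switch and the option names mentioned in the comments are assumptions modelled on UrlScan.ini settings; a rejected request is answered with 404 as the original post describes.

```python
"""Toy model of UrlScan-style deny-sequence filtering (added example, not
UrlScan's code). Rejected requests get HTTP 404, as the thread describes."""
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed policy in the spirit of [DenyUrlSequences] and
# [DenyQueryStringSequences]; matching is case-insensitive.
DENY_URL_SEQUENCES = ["..", "./", "\\", ":"]
DENY_QUERY_SEQUENCES = ["'", "--", ";", "/*", "*/"]

def _first_hit(text: str, sequences: List[str]) -> Optional[str]:
    low = text.lower()
    for seq in sequences:
        if seq.lower() in low:
            return seq
    return None

def urlscan_decision(raw_url: str, unescape_query: bool = True) -> Tuple[int, str]:
    """Return (status, reason); 404 means the filter rejects the request
    before ASP.NET sees it. The path is percent-decoded before scanning; the
    query string only when unescape_query is set (modelled on the
    UnescapeQueryString option), which stops '%27' slipping past a rule
    written as the literal quote."""
    parts = urlsplit(raw_url)
    hit = _first_hit(unquote(parts.path), DENY_URL_SEQUENCES)
    if hit is not None:
        return 404, "url sequence %r" % hit
    query = unquote(parts.query) if unescape_query else parts.query
    hit = _first_hit(query, DENY_QUERY_SEQUENCES)
    if hit is not None:
        return 404, "query string sequence %r" % hit
    return 200, "passed to application"

def triage(urls: List[str]) -> Tuple[int, int]:
    """Split probe URLs into (rejected_by_filter, reached_application). Each
    rejected probe answers 404 instead of the page's normal content, a
    response difference a scanner may log as a separate finding even though
    the value never reaches SQL."""
    rejected = sum(1 for u in urls if urlscan_decision(u)[0] == 404)
    return rejected, len(urls) - rejected

if __name__ == "__main__":
    # Constructed probes against the Forms Authentication ReturnURL parameter.
    probes = ["/login.aspx?ReturnURL=%2fdefault.aspx", "/login.aspx?ReturnURL=A",
              "/login.aspx?ReturnURL=%27", "/login.aspx?ReturnURL=%2d%2d"]
    for p in probes:
        print(p, "->", urlscan_decision(p))
    print("rejected/reached:", triage(probes))
```

The triage count shows why the filter itself does not make the scanner's findings go away: every blocked sequence produces a distinct 404 response, which is an anomaly from the scanner's point of view, so confirming a false positive means showing the parameter never reaches a SQL query, not just that UrlScan rejects it.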