IIS 5 & IIS 6
IIS 6.0, URLScan 3.1 and Core Impact SQL Injection vulnerability scan...
Last post Apr 09, 2012 08:02 AM by mamba dai - msft
Apr 06, 2012 04:49 PM|Fiend|LINK
Do any of you have experience with using Core Impact to do vulnerability scans? We have a .NET 1.1 site that is sitting on IIS 6.0 and Windows 2003 using URLScan as an ISAPI filter to harden the system.
Core Impact is trying to test GET parameters on some of the outer pages of the website by passing in character sequences to these parameters that would typically be used for SQL Injection attacks ( ' , -- , etc.). It seems like the more character sequences
that we actually BLOCK with URLScan, the more the Core Impact software comes back with findings. For example, if we block -- as a valid parameter value in the querystring through the URLScan config, instead of one finding we get 3.
We are certain that these findings are all false positives as they are GET parameters (through the URL) that don't even go to SQL Server in a query in the first place! Also, URLScan returns a 404 for any GET request that has offending characters in the URL
or the querystring of the URL.
One example of a parameter in the URL being tested is ReturnURL. This is used by .NET for Forms Authentication. The value isn't going anywhere near SQL, but the Core Impact software is coming back with SQL Injection findings (it tests a number of character
sequences as the ReturnURL value... ' , -- , etc. It even tests putting in an uppercase A and claims that is a finding which makes no sense to me.).
We don't have any involvement with the scanning process or the tool itself, but the person in charge doing the scans is holding strong to the results of the scan, when I think that the tool may be meant to point out POSSIBLE findings, not DEFINITIVE ones.
We are trying to get permission to get in contact with the Core Impact vendor, but in the meantime our system is down. I just wanted to see if any of you maybe had some experience with this or some guidance (from the URLScan angle) in getting a clean scan.
Apr 09, 2012 08:02 AM|Mamba Dai - MSFT|LINK
Do any of you have experience with using Core Impact to do vulnerability scans?
Sorry for inexperience of Core Impact.
just wanted to see if any of you maybe had some experience with this or some guidance (from the URLScan angle) in getting a clean scan.
In accordance to your description. The UrlScan may address your requirement. UrlScam is a security tool can block and restrict specific HTTP request.
Administrators may configure UrlScan to reject HTTP requests based on the following criteria:
I suggest you do some research about UrlScan, it's really a compelling security tool to prevent the potentially harmful request from reaching your web server: