http://forums.iis.net/1031.aspxA forum aimed at helping understand IIS security such as Authentication, IP restrictions, and SSLenCommunityServer 2007 SP1 (Build: 20510.895)http://forums.iis.net/thread/1878592.aspxFri, 05 Sep 2008 21:40:37 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1878592steve schofield0http://forums.iis.net/thread/1878592.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1878592<p>I agree with the previous post.&nbsp; As they mention trimming rules, start with the common ones like CAST(, DECLARE, EXEC to see if you stop injections.&nbsp; If you just monitor the querystring item, that can help cutdown on false positives.&nbsp; I tried monitoring the RAW parameter and had a lot of legitimate traffic blocked.&nbsp; The only way as the other poster said is to validate your input parameters before submitting to your data store.</p>http://forums.iis.net/thread/1878581.aspxFri, 05 Sep 2008 19:16:48 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1878581naziml0http://forums.iis.net/thread/1878581.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1878581<p>Keep trimming the rules list till you remove the false positives. Remember that UrlScan is only a stopgap for you to protect your resources while you fix your application to be hardened against SQL injection. The real fix for the issue is to fix your web application logic.</p> <p>HTH.</p>http://forums.iis.net/thread/1878354.aspxWed, 03 Sep 2008 20:35:55 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1878354sauminpatel0http://forums.iis.net/thread/1878354.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1878354Hi Steve, Thanks for your response. I have the rules from your blog...but the problem is that even a keyword like &quot;drop table&quot; is a valid keyword on our site. How can i get around this problem? also, like i mentioned earlier &quot;kill&quot; is also a valid keyword. Please advise. Thanks!http://forums.iis.net/thread/1878102.aspxMon, 01 Sep 2008 03:40:52 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1878102steve schofield0http://forums.iis.net/thread/1878102.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1878102<p>Make sure your key words list in your sql injection attack does not have the key words you mentioned.&nbsp; I would verify what is listed in your rule.</p>http://forums.iis.net/thread/1877986.aspxFri, 29 Aug 2008 15:55:17 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1877986sauminpatel0http://forums.iis.net/thread/1877986.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1877986<p>hi,</p> <p>our site is getting sql injection attacks right now and we have put up urlscan 3.0 on IIS 6. it is working fine. however, we have a search textbox where people can search for terms on our site...here if i enter words like &quot;insertis&quot; or &quot;kill&quot;, etc (which are valid keywords on our site), urlscan catches it and rejects the request. I wanted to find out how can i avoid this? there are many keywords (and they are changing too!) on our site, so i cant put it under allowedquerystrings. Please let me know ASAP.</p> <p>Thanks!&nbsp;</p> <p>&nbsp;</p>