• URLScan 3.0 – help with sql injection attacks.

    For those supporting Classic ASP and ASP.NET applications, you have probably noticed an increase in SQL injection attempts.  Microsoft has released an updated URLScan 3.0.  Here is the link to download URLScan version 3 beta for 32-bit or 64-bit.  You can read about it on the blogs by Wade Hilmo and the Nazim security blog.



    I’ve been kicking the tires on URLScan 3.0.  One thing to remember when applying custom rules is to add them to the RuleList option.  Search for RuleList in urlscan.ini and put the name of your rule there, for example RuleList=SQL Injection Raw.  Double quotes aren’t needed around rules with spaces in the name.  When you apply a custom rule per the docs, make sure it shows up as started in the URLScan logs in c:\windows\system32\inetsrv\urlscan\logs.


    Here is what shows that the rule has been loaded.  Notice the last line matches the rule defined in the example below.


    [06-23-2008 - 00:35:58] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
    [06-23-2008 - 00:35:58] The following URL sequences will be denied: .., ./, \, :, %%, &
    [06-23-2008 - 00:35:58] The following Query String sequences will be denied:
    [06-23-2008 - 00:35:58] The following rules are active: SQL Injection Raw


    Here is an example SQL injection rule:


    [SQL Injection Raw]
    AppliesTo=.asp,.aspx
    DenyDataSection=SQL Injection Raw Strings
    ScanUrl=0
    ScanAllRaw=1
    ScanQueryString=0
    ScanHeaders=


    [SQL Injection Raw Strings]

    @          ; also catches @@
    alter
    cast
    create
    declare
    delete
    drop
    exec       ; also catches execute
    fetch
    insert
    kill
    select


    One last thing to think about is which part of the request you’ll choose to have scanned.  The example rule chooses ScanAllRaw.


    ScanUrl=0
    ScanAllRaw=1
    ScanQueryString=0
    ScanHeaders=


    Testing can help determine which characters to add to your custom rule.  To see if your rule is active and blocking requests, look in the URLScan logs.  Also, if something is rejected, you can look in your IIS logs; Rejected-By-UrlScan will be there.  Here are a couple of examples.


    URLScan example log entry
    [06-24-2008 - 00:35:54] Client at 1.1.1.1: Rule 'SQL Injection Raw' detected string '--' in the header strings. Request will be rejected.  Site Instance='123456', Raw URL='/examplePage.aspx'


    Example IIS log entry
    ex080624.log:2008-06-24 00:00:03 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.99 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+Creative+ZENcast+v2.00.13) http://example.com 404 0 2 1864 571 46

    Log Parser query to detect and list rejected URLs (change the FROM clause to point at your own log file):
    LogParser.exe -i:iisw3c "SELECT count(*) as hitCount, cs-uri-stem, cs-uri-query FROM <example.com> WHERE cs-uri-stem like '%Reject%' GROUP BY cs-uri-stem, cs-uri-query ORDER BY hitCount desc" -o:csv
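    As an added example (not code from the post, Microsoft, or URLScan itself), the following Python script does offline what the log checks above do: it parses a constructed IIS W3C log excerpt, counts Rejected-By-UrlScan hits per original URL the way the Log Parser query does, and pulls the rule name and detected string out of a URLScan rejection entry.  The sample log lines and the field names are constructed to match the entries shown above.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not from the post); #Fields is the IIS 6 default field set.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-06-24 00:00:03 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.99 Mozilla/4.0 http://example.com 404 0 2 1864 571 46
2008-06-24 00:00:09 192.168.0.98 GET /examplePage.aspx id=7 80 - 192.168.0.99 Mozilla/4.0 - 200 0 0 3120 402 15
2008-06-24 00:01:12 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.77 Mozilla/4.0 - 404 0 2 1864 571 31
2008-06-24 00:02:40 192.168.0.98 GET /Rejected-By-UrlScan ~/login.aspx 80 - 192.168.0.77 Mozilla/4.0 - 404 0 2 1864 571 28
"""

# Constructed URLScan log entry in the format the post shows.
SAMPLE_URLSCAN_LINE = ("[06-24-2008 - 00:35:54] Client at 1.1.1.1: Rule 'SQL Injection Raw' "
                       "detected string '--' in the header strings. Request will be rejected.  "
                       "Site Instance='123456', Raw URL='/examplePage.aspx'")

URLSCAN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>[^:]+): Rule '(?P<rule>[^']+)' "
    r"detected string '(?P<needle>[^']*)' in the (?P<where>.+?)\. Request will be rejected\."
    r"\s+Site Instance='(?P<site>[^']+)', Raw URL='(?P<url>[^']+)'")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # field names follow the directive
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                             # other directives, blanks, or no header yet
        else:
            values = line.split(" ")
            if len(values) == len(fields):       # skip truncated or malformed lines
                yield dict(zip(fields, values))

def rejected_by_urlscan(text):
    """Same aggregation as the Log Parser query: hit count per (cs-uri-stem, cs-uri-query)
    for requests URLScan rewrote to /Rejected-By-UrlScan, highest count first.
    For those requests cs-uri-query carries the URL the client originally asked for."""
    counts = Counter()
    for rec in parse_w3c(text):
        if "Reject" in rec["cs-uri-stem"]:       # mirrors: WHERE cs-uri-stem like '%Reject%'
            counts[(rec["cs-uri-stem"], rec["cs-uri-query"])] += 1
    return counts.most_common()

def parse_urlscan_entry(line):
    """Pull rule name, matched string, scanned section and raw URL out of a URLScan
    rejection entry; returns None for lines that are not rejections."""
    m = URLSCAN_RE.match(line)
    return m.groupdict() if m else None
```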

    Hope this helps,


    Steve Schofield
    Microsoft MVP – IIS

One Response so far.

  1. http:// says:

    never used this stuff.. but it looks good… i will try to implement this in my applications.
    thanks