SQL Injection rule explanation: how URLScan 3.0 scans requests

One of the things I was curious about was what URLScan actually scans and how: is it just server variables, or something else? I asked Wade H from the IIS Team for a further explanation. When you are implementing URLScan 3.0 SQL injection rules, it is good to know what each option actually checks. These four options are outlined in the sample rules offered in the URLScan 3.0 docs. I posted a sample rule below showing where they show up. Thanks a bunch to Wade for taking the time to explain these options in more detail.


ScanURL – UrlScan gets the raw URL as it was put on the wire.  It then strips the query string and normalizes it using the SF_REQ_NORMALIZE_URL function (or not, if NormalizeUrlBeforeScan=0 is set.)  The resulting string is searched for the deny strings.


ScanAllRaw – This does scan exactly the server variable ALL_RAW.  I didn’t use ALL_HTTP because ALL_HTTP includes data that has been processed and changed by IIS.  I wanted to be able to scan the exact bytes that the client sent.


ScanQueryString – UrlScan will scan everything after the first ‘?’ character in the raw URL that was sent by the client.


ScanHeaders – Scans the values of specified client headers (i.e. User-Agent:, Cookie:, Host:, etc.)  Note that none of SCRIPT_NAME, PATH_INFO and ALL_HTTP are client headers.  They are all server variables.  UrlScan does not scan server variables because server variables do not come from the client (although many of them are derived from client request data.)


Sample rule


[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=


[SQL Injection Strings]

%3b        ; a semicolon
/*
@          ; also catches @@
char       ; also catches nchar and varchar
alter
begin
cast
create
cursor
declare
delete
drop
end
exec       ; also catches execute
fetch
insert
kill
open
select
sys        ; also catches sysobjects and syscolumns
table
update
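As an added illustration (not part of this post and not URLScan's own code), the Python sketch below models which part of a request each scan option hands to the deny-string search, using the strings from the sample rule above. It assumes case-insensitive substring matching and reduces URL normalisation to percent-decoding; both are simplifications, not documented URLScan behaviour, and the request it scans is constructed.

```python
from urllib.parse import unquote

# Deny strings copied from the sample [SQL Injection Strings] section above.
DENY_STRINGS = ["%3b", "/*", "@", "char", "alter", "begin", "cast", "create",
                "cursor", "declare", "delete", "drop", "end", "exec", "fetch",
                "insert", "kill", "open", "select", "sys", "table", "update"]

# Constructed request used for the demonstration (not from a real log).
RAW_URL = "/examplePage.aspx?id=1%3bdeclare%20@x"
HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Referer": "http://example.com/updates.aspx",
    "Cookie": "session=abc",
}

def request_parts(raw_url, headers):
    """Split a raw URL plus client headers into the views each option scans.
    Normalisation is simplified to percent-decoding (an assumption)."""
    url, _, query = raw_url.partition("?")
    all_raw = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return {
        "ScanUrl": unquote(url),    # path only, query stripped, then normalised
        "ScanQueryString": query,   # everything after the first '?', as sent
        "ScanAllRaw": all_raw,      # the raw client headers (ALL_RAW)
    }

def find_matches(text, deny=DENY_STRINGS):
    """Case-insensitive substring search, as the 'also catches' comments imply."""
    lower = text.lower()
    return [s for s in deny if s.lower() in lower]

def evaluate(rule, raw_url, headers):
    """Apply a rule's option flags; return {option: deny strings that matched}."""
    parts = request_parts(raw_url, headers)
    hits = {}
    for opt in ("ScanUrl", "ScanAllRaw", "ScanQueryString"):
        if rule.get(opt) == 1:
            hits[opt] = find_matches(parts[opt])
    for name in rule.get("ScanHeaders", []):          # named client headers only
        hits["ScanHeaders:" + name] = find_matches(headers.get(name, ""))
    return hits

if __name__ == "__main__":
    # The sample rule scans only the query string and flags the injected tokens.
    print(evaluate({"ScanQueryString": 1}, RAW_URL, HEADERS))
    # The same strings against ALL_RAW also trip on a harmless Referer ("updates").
    print(evaluate({"ScanAllRaw": 1}, RAW_URL, HEADERS))
```

The second call shows why the choice of option matters: a broad deny list applied to every raw header will reject legitimate requests whose Referer or Cookie merely contains a word like "updates".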


Hope this helps,


Steve Schofield
Microsoft MVP – IIS

URLScan 3.0 – help with sql injection attacks.

For those supporting Classic ASP and ASP.NET applications, you have probably noticed an increase in SQL injection attempts.  Microsoft has released an updated URLScan 3.0.  Here is the link to download URLScan version 3 beta for 32 bit or 64 bit.  You can read about it on the blogs by Wade Hilmo and on Nazim's security blog.



I’ve been kicking the tires on URLScan 3.0.  One thing to remember when applying custom rules is to add them to the RuleList option.  Search for RuleList in urlscan.ini and put in the name of your rule, for example RuleList=SQL Injection Raw.  Double quotes aren’t needed around rules with spaces in the name.  When you apply a custom rule per the docs, make sure it shows up as started in the URLScan logs in c:\windows\system32\inetsrv\urlscan\logs.


Here is what shows that the rule has been loaded.  Notice that the last line matches the rule defined in our example below.


[06-23-2008 – 00:35:58] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
[06-23-2008 – 00:35:58] The following URL sequences will be denied: .., ./, \, :, %%, &
[06-23-2008 – 00:35:58] The following Query String sequences will be denied:
[06-23-2008 – 00:35:58] The following rules are active: SQL Injection Raw


Here is an example sql injection rule


[SQL Injection Raw]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Raw Strings
ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=


[SQL Injection Raw Strings]

@          ; also catches @@
alter
cast
create
declare
delete
drop
exec       ; also catches execute
fetch
insert
kill
select


One last thing to think about is which option you’ll choose to be scanned.  The example rule chooses ScanAllRaw.


ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=


Testing can help determine which characters to add to your custom rule.  To see whether your rule is active and blocking requests, look in the URLScan logs.  Also, if something is rejected, you can look in your IIS logs; the rejection shows up there as a request for /Rejected-By-UrlScan.  Here are a couple of examples.


URLScan example log entry
[06-24-2008 – 00:35:54] Client at 1.1.1.1: Rule ‘SQL Injection Raw’ detected string ‘-‘ in the header strings. Request will be rejected.  Site Instance=’123456′, Raw URL=’/examplePage.aspx’


Example IIS Log entry 
ex080624.log:2008-06-24 00:00:03 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 – 192.168.0.99 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+Creative+ZENcast+v2.00.13) http://example.com  404 0 2 1864 571 46

Log Parser query to detect and list rejected URLs (change the FROM clause to point at your site or log file):
LogParser.exe -i:iisw3c "SELECT count(*) AS hitCount, cs-uri-stem, cs-uri-query FROM <example.com> WHERE cs-uri-stem LIKE '%Reject%' GROUP BY cs-uri-stem, cs-uri-query ORDER BY hitCount DESC" -o:csv
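For admins without Log Parser at hand, here is an added Python equivalent of that query (not from the original post): it reads the W3C #Fields directive so columns are named rather than positional, counts /Rejected-By-UrlScan hits per original URL, and lists the client addresses involved. The log excerpt is constructed for the example and mirrors the field layout of the entry above.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (field layout mirrors the sample entry above; values are made up).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-06-24 00:00:03 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.99 Mozilla/4.0 404
2008-06-24 00:00:05 192.168.0.98 GET /default.aspx - 80 - 192.168.0.50 Mozilla/4.0 200
2008-06-24 00:00:09 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.99 Mozilla/4.0 404
2008-06-24 00:01:12 192.168.0.98 GET /Rejected-By-UrlScan ~/login.aspx 80 - 10.0.0.7 Mozilla/4.0 404
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed records rather than misalign columns
        yield dict(zip(fields, values))

def rejected_hits(text):
    """Count rejections by (cs-uri-stem, cs-uri-query), like the Log Parser query above."""
    counts = Counter()
    for rec in parse_w3c(text):
        if "Reject" in rec.get("cs-uri-stem", ""):
            counts[(rec["cs-uri-stem"], rec["cs-uri-query"])] += 1
    return counts.most_common()

def rejecting_clients(text):
    """Distinct client IPs (c-ip) behind the rejections, for follow-up triage."""
    return sorted({rec["c-ip"] for rec in parse_w3c(text)
                   if "Reject" in rec.get("cs-uri-stem", "")})

if __name__ == "__main__":
    for (stem, query), n in rejected_hits(SAMPLE_LOG):
        print(n, stem, query)
    print(rejecting_clients(SAMPLE_LOG))
```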

Hope this helps,


Steve Schofield
Microsoft MVP – IIS

SQL Injection information for IIS admins and developers

The SQL injection that has come up is affecting several ASP and ASP.NET applications.  Although the only way to prevent an attack is to validate input in the code, hopefully these posts will provide some direction.  I included some links that discuss this more.



Here’s a list of additional reading:


Building Secure ASP.NET Applications – Authentication, Authorization, and Secure Communication.
http://www.microsoft.com/downloads/details.aspx?FamilyID=055ff772-97fe-41b8-a58c-bf9c6593f25e&DisplayLang=en


Improving Web Application Security – Threats and Countermeasures
http://www.microsoft.com/downloads/details.aspx?FamilyId=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en


This link discusses the issue from an ASP.NET perspective: SQL Injection Attacks:
http://msdn2.microsoft.com/en-us/library/aa302392.aspx#secnetch12_sqlinjectionattacks


Sample code provided by Microsoft to validate SQL statements.
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Log parser examples
http://weblogs.asp.net/steveschofield/archive/2008/04/26/clarification-on-iis-reported-sql-injection-exploits.aspx


Youtube
http://youtube.com (search for sql injections)  This will show several videos posted on how people are doing this.


To do a quick find, type the following from a command prompt (change the log file date):

findstr "CAST(" ex080622.log > ss.txt

Note that 'CAST' is case sensitive.


Hope this helps,


Steve Schofield

Powershell 2.0

I’ve tried really hard to get excited about Powershell 1.0, but it just hasn’t stuck.  Am I the only one?!  However (yes, there is a however), the great thing about software is that there is a 2.0 release sooner or later.  I’ve made the commitment to learn Powershell 2.0.  I’ve been writing console apps for years; with VB 2008 Express I get an editor with full debugger support, granted it’s compiled code vs. Powershell’s PS scripts.  The syntax isn’t much different between console apps and PS; it’s the debugging.  So, give me a Powershell GUI debugger and I’ll forget Visual Studio Express exists.  Anyone know of one with debugger support?


Here is my “hello world” example of calling a function inside a Powershell script.  Thanks to the Scripting Guys for having some good examples.  The Powershell CTP GUI is a step in the right direction.  I’m getting used to Powershell.


function MyFunction
{
    # $args[0] is the first positional argument passed to the function
    $b = " Schofield"
    $args[0].ToLower() + $b.ToLower()
}


$a = "Steve"
MyFunction $a    # outputs: steve schofield


btw:


http://www.thepowershellguy.com has some great examples on Powershell.  Some of it is over my head at this point, but it’s a great resource.  Check it out.


Couple of additional links.
http://www.powershell.com/plus/videos.html (both videos)
http://www.powershell.com/plus/

IIS7 – post #69 – Remember to disable SSL 2.0

I’m not certain why SSL 2.0 isn’t disabled on Windows Server 2008 by default, but here is the KB article to remember to do that on your system.


http://support.microsoft.com/kb/187498


To test whether your server accepts SSL 2.0 using IE, go to Internet Options > Advanced > Security and toggle the various protocol levels: uncheck everything and leave only SSL 2.0 checked (which I think is turned off by default in IE8).  It took me a couple of tries to understand the concept after disabling SSL 2.0 on my IIS 7 server.  This is one necessary item for PCI compliance, among many others.