One of the things I was curious what URLScan actually scanned and how. What is just servervariables or what?!  I asked Wade H from the IIS Team for further explaination.   It is good to be aware when you are implementing URLScan 3.0 and sql injection rules, what to actually check for.   These 4 options are outlined in the sample rules offered in the URLScan 3.0 docs.  I posted a sample rule below showing where they show-up.  Thanks a bunch for Wade for taking time to explain these options in more detail.

ScanURL – UrlScan gets the raw URL as it was put on the wire.  It then strips the query string and normalizes it using the SF_REQ_NORMALIZE_URL function (or not, if NormalizeUrlBeforeScan=0 is set.)  The resulting string is searched for the deny strings.

ScanAllRaw – This does scan exactly the server variable ALL_RAW.  I didn’t use ALL_HTTP because there ALL_HTTP includes data that has been processed and changed by IIS.  I wanted to be able to scan the exact bytes that the client sent.

ScanQueryString – UrlScan will scan everything after the first ‘?’ character in the raw URL that was sent by the client.

ScanHeaders – Scans the values of specified client headers (ie. User-Agent:, Cookie:, Host:, etc.)  Note that none of SCRIPT_NAME, PATH_INFO and ALL_HTTP are client headers.  They are all server variables.  UrlScan does not scan server variables because server variables do not come from the client (although many of them are derived from client request data.)

Sample rule

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
—
%3b        ; a semicolon
/*
@          ; also catches @@
char       ; also catches nchar and varchar
alter
begin
cast
create
cursor
declare
delete
drop
end
exec       ; also catches execute
fetch
insert
kill
open
select
sys        ; also catches sysobjects and syscolumns
table
update

Hope this helps,

Steve Schofield
Microsoft MVP – IIS