URLScan 3.0 - help with sql injection attacks.

Tags: IIS, sql injection

For those supporting a Classic ASP and ASP.NET application, you probably have noticed an increase in sql injection attempts.  Microsoft has released an updated URLScan 3.0.    Here is the link to download URlScan version 3 beta for 32 bit or 64 bit.   You can read about on the blogs by Wade Hilmo and Nazim security blog.

I've been kicking the tires on URLScan 3.0.  One thing to remember when applying custom rules is to add them to the RuleList optionSearch for RuleList in urlscan.ini, and put the name of your rule, for example RuleList=SQL Injection Raw. Double quotes aren't needed around rules with spaces in the name.   When you apply a custom rule per the docs, make sure it shows up as started in the urlscan logs in c:\windows\system32\inetsrv\urlscan\logs.  

Here is what shows the rule has been loaded.  Notice it matches up the rule defined in our example below.

[06-23-2008 - 00:35:58] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
[06-23-2008 - 00:35:58] The following URL sequences will be denied: .., ./, \, :, %%, &
[06-23-2008 - 00:35:58] The following Query String sequences will be denied:
[06-23-2008 - 00:35:58] The following rules are active: SQL Injection Raw

Here is an example sql injection rule

[SQL Injection Raw]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Raw Strings
ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=

[SQL Injection Raw Strings]
--
@          ; also catches @@
alter
cast
create
declare
delete
drop
exec       ; also catches execute
fetch
insert
kill
select

One last thing to think about is which option you'll chose to be scanned.  The example rule choses ScanAllRaw. 

ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=

Testing can help determine which characters to add to your custom rule.    To see if your rule is active and blocking requests.  Look in the URlScan logs.  Also, if someting is rejected, you can look in your IISLogs, Rejected by URLScan will be there.  Here are a couple examples.

URLScan example log entry
[06-24-2008 - 00:35:54] Client at 1.1.1.1: Rule 'SQL Injection Raw' detected string '--' in the header strings. Request will be rejected.  Site Instance='123456', Raw URL='/examplePage.aspx'

Example IIS Log entry 
ex080624.log:2008-06-24 00:00:03 192.168.0.98 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - 192.168.0.99 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+Creative+ZENcast+v2.00.13) http://example.com  404 0 2 1864 571 46

Log Parser query to detect and list Rejected URL's - change the from
LogParser.exe" -i:iisw3c "SELECT count(*) as hitCount, cs-uri-stem,cs-uri-query FROM <example.com> WHERE cs-uri-stem like '%Reject%' GROUP BY cs-uri-stem,cs-uri-query ORDER BY hitCount desc" -o:csv

Hope this helps,

Steve Schofield
Microsoft MVP - IIS