IIS 6 SQL Injection Sanitation ISAPI Wildcard

Discussion in 'ASP General' started by Rodney Viana, Dec 9, 2007.

  1. Rodney Viana

    Rodney Viana Guest

    IIS 6 SQL Injection Sanitation ISAPI Wildcard at
    http://www.codeplex.com/IIS6SQLInjection

    I created an ISAPI DLL application to prevent SQL injection attempts by
    intercepting the HTTP requests and sanitizing both GET and POST variables (or
    any combination of both) before the request reaches the intended code. This
    is especially useful for legacy applications not designed to deal with MS SQL
    Server injection attempts. Though this application was designed with MS SQL
    Server in mind, it can be used with no or minimal changes with other database
    engines.

    This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
    which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
    support ISAPI wildcard mapping.

    Cheers,
    --
    Rodney Viana, PMP
    MCSE+I MCDBA MCST MOSS, SQL
     
    Rodney Viana, Dec 9, 2007
    #1

  2. Rodney Viana wrote:
    > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
    > http://www.codeplex.com/IIS6SQLInjection
    >
    > I created an ISAPI dll application to prevent SQL Injection attempts
    > by intercepting the HTTP requests and sanitizing both GET and POST
    > variables (or any combination of both) before the request reaches the
    > intended code. This is especially useful for legacy applications not
    > designed to deal with MS SQL Server Injection attempts. Though this
    > application was designed with MS SQL Server in mind, it can be used
    > with no or minimal changes with other database engines.
    >
    > This ISAPI is only compatible with Internet Information Server (IIS)
    > 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
    > DOES NOT support ISAPI Wildcard.
    >


    Does it deal with the advanced injection techniques described in these
    articles?
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

    Are you using a blacklist of disallowed keywords? What if the data needs
    to contain one of those keywords? I have a feeling that you and users of
    this are getting a false sense of security and will fail to take the
    only step guaranteed to stop SQL injection: eliminate dynamic SQL
    entirely in favor of parameters.

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], Dec 10, 2007
    #2

  3. Rodney Viana

    Rodney Viana Guest

    Hi Bob,

    Though the application filters pretty much all attacks in the articles you
    cited, it is meant to solve problems with legacy applications, not to shield
    new applications (which should use parameters instead). You can do more than
    include blacklists, since it uses regular expression templates to transform
    input patterns. The source code is also available, so anyone with C++ skills
    can change the modus operandi.


    Thanks,
    --
    Rodney Viana, PMP
    MCSE+I MCDBA MCST MOSS, SQL


    "Bob Barrows [MVP]" wrote:

    > Rodney Viana wrote:
    > > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
    > > http://www.codeplex.com/IIS6SQLInjection
    > >
    > > I created an ISAPI dll application to prevent SQL Injection attempts
    > > by intercepting the HTTP requests and sanitizing both GET and POST
    > > variables (or any combination of both) before the request reaches the
    > > intended code. This is especially useful for legacy applications not
    > > designed to deal with MS SQL Server Injection attempts. Though this
    > > application was designed with MS SQL Server in mind, it can be used
    > > with no or minimal changes with other database engines.
    > >
    > > This ISAPI is only compatible with Internet Information Server (IIS)
    > > 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
    > > DOES NOT support ISAPI Wildcard.
    > >

    >
    > Does it deal with the advanced injection techniques described in these
    > articles?
    > http://www.nextgenss.com/papers/advanced_sql_injection.pdf
    > http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
    >
    > Are you using a blacklist of disallowed keywords? What if the data needs
    > to contain one of those keywords? I have a feeling that you and users of
    > this are getting a false sense of security and will fail to take the
    > only step guaranteed to stop SQL Injection: eliminate dynamic sql
    > entirely in favor of parameters.
    >
    > --
    > Microsoft MVP -- ASP/ASP.NET
    > Please reply to the newsgroup. The email account listed in my From
    > header is my spam trap, so I don't check it very often. You will get a
    > quicker response by posting to the newsgroup.
    >
    >
    >
     
    Rodney Viana, Dec 10, 2007
    #3
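    Bob's objection and Rodney's reply can be checked side by side: a keyword
    blacklist in front of a legacy concatenated query either drops legitimate
    values that happen to contain a keyword or has to be tuned per pattern, while
    a parameterized query handles the same values as plain data. The block below
    is an added example, not code from the thread or from the CodePlex project;
    it uses SQLite as a stand-in for SQL Server and a constructed keyword filter
    that only approximates what a sanitizing ISAPI's templates might do.

```python
import re
import sqlite3

# Constructed keyword blacklist standing in for a sanitizing filter's rules;
# it is not the CodePlex project's regex templates.
BLACKLIST = re.compile(r"\b(select|union|insert|delete|drop|exec|or)\b|--|'",
                       re.IGNORECASE)


def sanitize(value: str) -> str:
    """Keyword-filter approach: strip blacklisted tokens from a request variable."""
    return BLACKLIST.sub("", value)


def setup() -> sqlite3.Connection:
    """In-memory SQLite table (stand-in for SQL Server) with constructed rows;
    one customer name legitimately contains a blacklisted keyword."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice Or",), ("Select Comfort Inc",), ("Bob",)])
    conn.commit()
    return conn


def find_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Legacy style: the request variable is concatenated into the SQL text."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_filtered(conn: sqlite3.Connection, name: str) -> list:
    """The same legacy query behind a keyword filter, as a sanitizing front end would do."""
    return find_dynamic(conn, sanitize(name))


def find_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the value is bound as data and is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name: str) -> dict:
    """Run one request value through all three approaches on a fresh table."""
    conn = setup()
    return {"dynamic": find_dynamic(conn, name),
            "filtered": find_filtered(conn, name),
            "param": find_param(conn, name)}


if __name__ == "__main__":
    print(compare("Select Comfort Inc"))  # filter silently loses a real customer
    print(compare("x' OR '1'='1"))        # only the concatenated query returns every row
```

    The legitimate name is found by the dynamic and parameterized queries but not by the filtered one, and the tautology test vector returns every row only from the concatenated query.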
  4. Rodney Viana

    diksa Guest

    On Dec 9, 9:57 pm, Rodney Viana
    <> wrote:
    > IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection
    >
    > I created an ISAPI dll application to prevent SQL Injection attempts by
    > intercepting the HTTP requests and sanitizing both GET and POST variables (or
    > any combination of both) before the request reaches the intended code. This
    > is especially useful for legacy applications not designed to deal with MS SQL
    > Server Injection attempts. Though this application was designed with MS SQL
    > Server in mind, it can be used with no or minimal changes with other database
    > engines.
    >
    > This ISAPI is only compatible with Internet Information Server (IIS) 6.0
    > which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
    > support ISAPI Wildcard.
    >
    > Cheers,
    > --
    > Rodney Viana, PMP
    > MCSE+I MCDBA MCST MOSS, SQL


    Hi,
    I read your message and clearly understood the content; meanwhile,
    I have brought you something I think you are going to like most, because
    in this age of computerisation everybody wants to be carried along, so I
    invite you to visit the site below and get yourself doing any of these
    things: look for someone who will work for you as a sales
    agent, advertise your products, find someone to employ as a worker in a
    different field of profession, or work with the company yourself by
    setting your own hourly rate and work fee. You can as well create a project
    and place it on the site for bidding, especially if you have products
    to sell or a project to be tackled. Sign-up is free; do it now and start
    to work immediately, as a lot of work is already waiting for you. Check
    it by clicking on the link below now.
    http://www.getafreelancer.com/rss/affiliate_diksa.xml
    Thanks,
    Sadiq.
    +2348087228886
     
    diksa, Dec 11, 2007
    #4
