IIS 6 SQL Injection Sanitation ISAPI Wildcard


Rodney Viana

IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0
which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
support ISAPI Wildcard.

Cheers,

Bob Barrows [MVP]

Rodney said:
IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts
by intercepting the HTTP requests and sanitizing both GET and POST
variables (or any combination of both) before the request reaches the
intended code. This is especially useful for legacy applications not
designed to deal with MS SQL Server Injection attempts. Though this
application was designed with MS SQL Server in mind, it can be used
with no or minimal changes with other database engines.

This ISAPI is only compatible with Internet Information Server (IIS)
6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
DOES NOT support ISAPI Wildcard.

Does it deal with the advanced injection techniques described in these
articles?
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Are you using a blacklist of disallowed keywords? What if the data needs
to contain one of those keywords? I have a feeling that you and users of
this are getting a false sense of security and will fail to take the
only step guaranteed to stop SQL Injection: eliminate dynamic sql
entirely in favor of parameters.

Rodney Viana

Hi Bob,

Though the application filters pretty much all attacks in the articles you
cited, it is meant to solve problems with legacy applications not to shield
new applications (which should use parameters instead). You can do more than
include black lists, since it uses regular expression templates to transform
input patterns. The source code is also available, so anyone with C++ skills
can change the modus operandi.


Thanks,
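Bob's objection and Rodney's answer both turn on the same question: what a keyword/regex filter does to legitimate data, compared with what parameters do. The following is an added example, not code from the thread or from the CodePlex project. It uses an in-memory SQLite database as a stand-in for MS SQL Server, and the blacklist pattern, table and function names (`sanitize`, `lookup_sanitized`, `lookup_parameterized`, `compare`) are constructed for illustration, not taken from the ISAPI filter's actual rule set.

```python
"""Blacklist sanitation vs. parameterized queries (added example).

A regex filter that strips SQL keywords and quote characters from request
variables is compared with a parameterized query on the same inputs.  The
database is SQLite in memory, standing in for MS SQL Server; the blacklist is
a constructed sample, not the rule set of the ISAPI filter discussed above.
"""
import re
import sqlite3

# Constructed blacklist: SQL keywords, comment markers, statement separators
# and the single quote.  A filter of this kind deletes every match.
KEYWORD_BLACKLIST = re.compile(
    r"\b(select|union|insert|update|delete|drop|exec|xp_\w+)\b|--|;|'",
    re.IGNORECASE,
)


def sanitize(value: str) -> str:
    """Blacklist approach: remove anything that looks like SQL syntax."""
    return KEYWORD_BLACKLIST.sub("", value)


def setup_db() -> sqlite3.Connection:
    """Create a small users table with constructed rows, two of which contain
    characters or words the blacklist treats as hostile."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [
            ("alice", "user"),
            ("Union Carbide", "customer"),  # legitimate name containing a keyword
            ("O'Brien", "user"),            # legitimate apostrophe
        ],
    )
    return conn


def lookup_sanitized(conn: sqlite3.Connection, name: str) -> list:
    """Legacy style: dynamic SQL built by concatenation, guarded only by the
    blacklist filter applied to the request variable."""
    sql = "SELECT name, role FROM users WHERE name = '" + sanitize(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound as data and is never parsed as
    SQL, so no filtering of its contents is needed."""
    return [
        row[0]
        for row in conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    ]


def compare(name: str) -> dict:
    """Run both lookups for one request value and report what each saw."""
    conn = setup_db()
    return {
        "sanitized_input": sanitize(name),
        "blacklist_result": lookup_sanitized(conn, name),
        "parameterized_result": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    for probe in ("alice", "Union Carbide", "O'Brien"):
        print(probe, "->", compare(probe))
```

Running it shows the trade-off the thread argues about: for "alice" both approaches agree, but the blacklist turns "Union Carbide" into " Carbide" and "O'Brien" into "OBrien", so the legacy query silently finds nothing, while the parameterized query returns the correct row for both and treats the apostrophe as plain data. The filter's value is that it can be bolted in front of code that cannot be changed; the cost is exactly the data corruption Bob asks about.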

diksa

IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0
which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
support ISAPI Wildcard.

Cheers,

Hi,
I read your message and clearly understood the content. Meanwhile,
I have brought you something I think you are going to like most, because
in this age of computerisation everybody wants to be carried along, so I
invite you to visit the site below and get yourself doing any of these
things: look for someone who will work for you as a sales
agent, advertise your products, find someone to employ as a worker in
a different field of profession, or work with the company yourself by
setting your own hourly rate and work fee. You can as well create a project
and place it on the site for bidding, especially if you have products
to sell or a project to be tackled. Sign-up is free; do it now and start
to work immediately. A lot of work is already waiting for you; check
it by clicking on the link below now.
http://www.getafreelancer.com/rss/affiliate_diksa.xml
Thanks,
Sadiq.
+2348087228886