IIS 6 SQL Injection Sanitation ISAPI Wildcard

Rodney Viana
12-09-2007
IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
support ISAPI Wildcard.

Cheers,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL
Bob Barrows [MVP]
12-10-2007
Rodney Viana wrote:
> IIS 6 SQL Injection Sanitation ISAPI Wildcard at
> http://www.codeplex.com/IIS6SQLInjection
>
> I created an ISAPI dll application to prevent SQL Injection attempts
> by intercepting the HTTP requests and sanitizing both GET and POST
> variables (or any combination of both) before the request reaches the
> intended code. This is especially useful for legacy applications not
> designed to deal with MS SQL Server Injection attempts. Though this
> application was designed with MS SQL Server in mind, it can be used
> with no or minimal changes with other database engines.
>
> This ISAPI is only compatible with Internet Information Server (IIS)
> 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
> DOES NOT support ISAPI Wildcard.
>


Does it deal with the advanced injection techniques described in these
articles?
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

Are you using a blacklist of disallowed keywords? What if the data needs
to contain one of those keywords? I have a feeling that you and users of
this are getting a false sense of security and will fail to take the
only step guaranteed to stop SQL Injection: eliminate dynamic sql
entirely in favor of parameters.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
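To make Bob's two objections concrete, here is an added Python example that is not code from the CodePlex project or from either poster; it uses an in-memory sqlite3 database as a stand-in for MS SQL Server, and the keyword blacklist, the customers table and the sample names are all constructed for the illustration. It shows a blacklist refusing legitimate data that merely contains a keyword, legacy string-concatenated SQL failing on an ordinary apostrophe, and a parameterised query handling both inputs correctly.

```python
import re
import sqlite3

# Constructed keyword blacklist, assumed to resemble what a request filter
# might apply to GET/POST values; it is NOT the CodePlex project's own list.
BLACKLIST = re.compile(r"\b(select|insert|update|delete|drop|union|exec)\b|--|;",
                       re.IGNORECASE)

# Constructed sample rows: legitimate names that contain a keyword or a quote.
SAMPLE_NAMES = ["Alice O'Brien", "Select Committee Ltd", "Update Logistics"]


def blacklist_rejects(value: str) -> bool:
    """True when the keyword blacklist would refuse this input outright."""
    return BLACKLIST.search(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the legacy application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def dynamic_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """Legacy-style string concatenation: returns True if the statement fails
    to parse, which an ordinary apostrophe in the data is enough to cause."""
    try:
        conn.execute("SELECT name FROM customers WHERE name = '" + name + "'")
        return False
    except sqlite3.Error:
        return True


def find_by_name(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised lookup: the value is bound out of band, so it can never
    change the statement, whatever keywords or quotes it contains."""
    cur = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def compare(name: str) -> dict:
    """Summarise how the three approaches treat one input value."""
    conn = make_db()
    return {"blacklist_rejects": blacklist_rejects(name),
            "dynamic_sql_breaks": dynamic_lookup_breaks(conn, name),
            "parameterised_result": find_by_name(conn, name)}


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, compare(n))
```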


Rodney Viana
12-10-2007
Hi Bob,

Though the application filters pretty much all attacks in the articles you
cited, it is meant to solve problems with legacy applications, not to shield
new applications (which should use parameters instead). You can do more than
include black lists, since it uses regular expression templates to transform
input patterns. The source code is also available, so anyone with C++ skills
can change the modus operandi.


Thanks,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL


"Bob Barrows [MVP]" wrote:

> Rodney Viana wrote:
> > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
> > http://www.codeplex.com/IIS6SQLInjection
> >
> > I created an ISAPI dll application to prevent SQL Injection attempts
> > by intercepting the HTTP requests and sanitizing both GET and POST
> > variables (or any combination of both) before the request reaches the
> > intended code. This is especially useful for legacy applications not
> > designed to deal with MS SQL Server Injection attempts. Though this
> > application was designed with MS SQL Server in mind, it can be used
> > with no or minimal changes with other database engines.
> >
> > This ISAPI is only compatible with Internet Information Server (IIS)
> > 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
> > DOES NOT support ISAPI Wildcard.
> >
>
> Does it deal with the advanced injection techniques described in these
> articles?
> http://www.nextgenss.com/papers/adva..._injection.pdf
> http://www.nextgenss.com/papers/more..._injection.pdf
>
> Are you using a blacklist of disallowed keywords? What if the data needs
> to contain one of those keywords? I have a feeling that you and users of
> this are getting a false sense of security and will fail to take the
> only step guaranteed to stop SQL Injection: eliminate dynamic sql
> entirely in favor of parameters.
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>
>
