IIS 6 SQL Injection Sanitation ISAPI Wildcard

IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0
which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
support ISAPI Wildcard.

Cheers,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL
Dec 9 '07 #1
Rodney Viana wrote:
> IIS 6 SQL Injection Sanitation ISAPI Wildcard at
> http://www.codeplex.com/IIS6SQLInjection
>
> I created an ISAPI dll application to prevent SQL Injection attempts
> by intercepting the HTTP requests and sanitizing both GET and POST
> variables (or any combination of both) before the request reaches the
> intended code. This is especially useful for legacy applications not
> designed to deal with MS SQL Server Injection attempts. Though this
> application was designed with MS SQL Server in mind, it can be used
> with no or minimal changes with other database engines.
>
> This ISAPI is only compatible with Internet Information Server (IIS)
> 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
> DOES NOT support ISAPI Wildcard.

Does it deal with the advanced injection techniques described in these
articles?
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

Are you using a blacklist of disallowed keywords? What if the data needs
to contain one of those keywords? I have a feeling that you and users of
this are getting a false sense of security and will fail to take the
only step guaranteed to stop SQL Injection: eliminate dynamic sql
entirely in favor of parameters.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Dec 10 '07 #2
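To make Bob's two objections concrete (legitimate data that happens to contain a blacklisted keyword, and parameters as the fix that does not depend on guessing patterns), here is an added example; it is not code from the thread or from the CodePlex project. The keyword list, the table and the sample rows are constructed assumptions that stand in for a request-level filter like the ISAPI's.

```python
import re
import sqlite3

# Constructed stand-in for a "filter in front of the app" keyword blacklist.
# The list is an illustrative assumption, not the ISAPI project's real rule set.
BLACKLIST = re.compile(r"\b(select|union|insert|delete|drop|exec)\b|--|;", re.IGNORECASE)


def blacklist_sanitize(value: str) -> str:
    """Strip blacklisted tokens from a GET/POST value before the app sees it."""
    return BLACKLIST.sub("", value)


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows whose legitimate data contains keywords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Union Pacific",), ("O'Brien",), ("Select Comfort",)])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Legacy dynamic SQL: the value is spliced into the statement text."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the statement text."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM customers WHERE name = ?", (name,))]


def compare(name: str) -> dict:
    """Run one input through both paths: blacklist + dynamic SQL versus parameters."""
    conn = setup_db()
    filtered = blacklist_sanitize(name)
    try:
        concat = lookup_concat(conn, filtered)
    except sqlite3.OperationalError as exc:
        # A plain apostrophe in the (unfiltered) data breaks the spliced statement.
        concat = f"error: {exc}"
    # The parameterized path gets the original, unmodified value and needs no filter.
    return {"filtered": filtered, "concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    for sample in ("Union Pacific", "O'Brien"):
        print(sample, "->", compare(sample))
```

"Union Pacific" loses its first word to the filter and the dynamic query then finds nothing, while "O'Brien" passes the filter untouched and makes the dynamic query fail outright; the parameterized lookup returns the right row in both cases.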
Hi Bob,

Though the application filters pretty much all attacks in the articles you
cited, it is meant to solve problems with legacy applications, not to shield
new applications (which should use parameters instead). You can do more than
include black lists, since it uses regular expression templates to transform
input patterns. The source code is also available, so anyone with C++ skills
can change the modus operandi.
Thanks,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL
"Bob Barrows [MVP]" wrote:
> Rodney Viana wrote:
> > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
> > http://www.codeplex.com/IIS6SQLInjection
> >
> > I created an ISAPI dll application to prevent SQL Injection attempts
> > by intercepting the HTTP requests and sanitizing both GET and POST
> > variables (or any combination of both) before the request reaches the
> > intended code. This is especially useful for legacy applications not
> > designed to deal with MS SQL Server Injection attempts. Though this
> > application was designed with MS SQL Server in mind, it can be used
> > with no or minimal changes with other database engines.
> >
> > This ISAPI is only compatible with Internet Information Server (IIS)
> > 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which
> > DOES NOT support ISAPI Wildcard.
>
> Does it deal with the advanced injection techniques described in these
> articles?
> http://www.nextgenss.com/papers/adva..._injection.pdf
> http://www.nextgenss.com/papers/more..._injection.pdf
>
> Are you using a blacklist of disallowed keywords? What if the data needs
> to contain one of those keywords? I have a feeling that you and users of
> this are getting a false sense of security and will fail to take the
> only step guaranteed to stop SQL Injection: eliminate dynamic sql
> entirely in favor of parameters.
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
Dec 10 '07 #3
On Dec 9, 9:57 pm, Rodney Viana
<RodneyVi...@discussions.microsoft.com> wrote:
> IIS 6 SQL Injection Sanitation ISAPI Wildcard at
> http://www.codeplex.com/IIS6SQLInjection
>
> I created an ISAPI dll application to prevent SQL Injection attempts by
> intercepting the HTTP requests and sanitizing both GET and POST variables (or
> any combination of both) before the request reaches the intended code. This
> is especially useful for legacy applications not designed to deal with MS SQL
> Server Injection attempts. Though this application was designed with MS SQL
> Server in mind, it can be used with no or minimal changes with other database
> engines.
>
> This ISAPI is only compatible with Internet Information Server (IIS) 6.0
> which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
> support ISAPI Wildcard.
>
> Cheers,
> --
> Rodney Viana, PMP
> MCSE+I MCDBA MCST MOSS, SQL

Hi,
I read your message and clearly understood the content, meanwhile
I have bring you something I think you are going to like most because
in this age of computerisation everybody wants to be carry along, so I
invite you to visit the below site and get yourself doing any of these
things; look for someone that will work for you as a sales
agent, advertise your products, someone to employ as a worker in
different field of profession, or work with the company yourself by
setting your own hour rate and work fee. You can as well create project
and place it on the site for bidding especially if you have products
for sell or project to be tackled, sign up is free do it now and start
to work immediately a lot of works are already waiting for you check
it by click on the link below now.
http://www.getafreelancer.com/rss/affiliate_diksa.xml
Thanks,
Sadiq.
+2348087228886

Dec 11 '07 #4