Re: URLScan and SQL Injection

From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 04/18/03


Does URLScan filter? Yes, it does filter.

I would suspect the problem that both of you will have with some of those
characters is that AFAIK URLScan only checks the URL once [I believe after
one pass at unicode decoding has been made]. Some of the characters below
might no longer be in Unicode after this one pass, or they might still be in
unicode format if they were encoded so that it takes two or more passes at
decoding them.

I'm just guessing here, but I would say that:

* It's probably a good idea to add some of the characters below;
* You probably don't need to block the unicode characters below as unicode
in general is blocked by the default URLScan settings;
* You probably won't be able to block reserved characters such as the
semicolon (;), space, etc.
* Windows 2003 server may let you block additional characters.

"BB" <Bernard_at_3exp.com> wrote in message
news:eDS$VKVBDHA.1600@TK2MSFTNGP10.phx.gbl...
> Does it actually filter ? I tested %20 for space char, but
> it's not logged ...
>
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
>
>
> "jim c" <tjnaz2001@yahoo.com> wrote in message
> news:028d01c3054c$57a1c9e0$a501280a@phx.gbl...
> > Hello,
> >
> > Is it possible to use URLScan to help with SQL injection?
> > Is it recommended as a defense in depth approach to proper
> > programming?
> >
> > The INI file for URLScan uses semicolons for comments. Is
> > it possible to have it filter semicolons?
> >
> > Here is a list of meta characters that I found that are
> > commonly used in SQL injection. Obviously you cannot
> > blindly filter everything.
> >
> > [ ; ] Semicolons for additional command-execution
> > [ | ] Pipes for command-execution
> > [ ! ] Call signs for command-execution
> > [ & ] for command-execution
> > [ x20 ] Spaces for faking URLs and other names (especially
> > in URLs!)
> > [ x00 ] Nullbytes for cutting off strings and filenames
> > [ x04 ] EOT for faking file ends
> > [ x0a ] Newlines for additional command-execution,fake-
> > mails and changing file-content
> > [ x0d ] Newlines for additional command-execution,fake-
> > mails and changing file-content
> > [ x1b ] Escape OS-dependent
> > [ x08 ] Backspace OS-dependent (faking logfiles, changing
> > file-content)
> > [ x7f ] Delete OS-dependent
> > [ ~ ] Tildes OS-dependent (circumvent authentication on
> > some ms-webservers)
> > [ ' " ] Quotation-marks in combination with database-
> > queries
> > [ - ] in combination with database-queries and creation of
> > negative numbers
> > [ *% ] in combination with database-queries
> > [ ` ] Backticks for command execution
> > [ /\ ] Slashes and Backslashes for faking paths and queries
> > [ <> ] LTs and GTs for file-operations
> > [ <> ] for creating script-language related TAGS within
> > documents on webservers!
> > [ ? ] programming/scripting- language related
> > [ $ ] programming/scripting- language related
> > [ @ ] programming/scripting- language related
> > [ : ] programming/scripting- language related
> > [ ({[]}) ] programming/scripting/regex and language-related
> >
> >
> > Is it worth doing and a good secondary defense to proper
> > programming?
> >
> > Thank you.
>
>

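The behaviour Karl describes (one decode pass, then a check against the [DenyUrlSequences] list) is easy to see with a small emulation. The script below is an added example written for this page; it is not URLScan's own code, and the urlscan.ini fragment it reads is constructed here, approximating the shipped defaults from memory and adding three of jim c's characters. It assumes the whole request-URI including the query string is what gets scanned, and it copies the ini grammar the thread relies on: anything after ';' on a line is a comment, which is exactly why a ';' entry in [DenyUrlSequences] disappears. It shows why BB's %20 was never logged (a space is not in the deny list), why a double-encoded %2527 is still caught after a single pass (VerifyNormalization, or the '%' entry), and why a semicolon sails through.

```python
"""Emulation of a URLScan-style filter (added example, not URLScan's own
code): one percent-decode pass, a VerifyNormalization re-check, the
AllowHighBitCharacters test and a [DenyUrlSequences] scan, driven from a
constructed urlscan.ini fragment."""
from urllib.parse import unquote_to_bytes

# Constructed ini fragment.  The default entries are approximated from
# memory; the "added:" entries come from jim c's list.  The final ';'
# line shows why the semicolon cannot be listed: everything after ';'
# is a comment, so the entry is empty and is skipped.
SAMPLE_INI = r"""
[Options]
NormalizeUrlBeforeScan=1   ; decode %xx once before scanning
VerifyNormalization=1      ; reject if a second decode would change the URL
AllowHighBitCharacters=0   ; reject any byte above 0x7F

[DenyUrlSequences]
..      ; directory traversal
./      ; trailing dot on a directory name
\       ; backslash in URL
:       ; alternate data streams
%       ; anything still escaped after normalisation
&       ; multiple CGI processes on one request
'       ; added: SQL string delimiter
--      ; added: SQL line comment
|       ; added: pipe
;       ; added: semicolon, but the whole line is a comment, so nothing is added
"""


def parse_ini(text: str):
    """Minimal urlscan.ini reader: ';' begins a comment, [Section] headers,
    key=value under [Options], one literal sequence per line elsewhere."""
    options, deny, section = {}, [], None
    for line in text.splitlines():
        body = line.split(";", 1)[0].strip()   # the ';' entry becomes ""
        if not body:
            continue
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1].lower()
        elif section == "options" and "=" in body:
            key, value = body.split("=", 1)
            options[key.strip().lower()] = value.strip() == "1"
        elif section == "denyurlsequences":
            deny.append(body.encode("ascii"))
    return options, deny


def scan(request_uri: str, options: dict, deny: list):
    """Return (allowed, reason).  Assumption: the whole request-URI, query
    string included, is scanned; a POST body is never seen by the filter."""
    url = request_uri.encode("latin-1")          # raw request-line bytes
    if options.get("normalizeurlbeforescan"):
        url = unquote_to_bytes(url)              # exactly one decode pass
    if options.get("verifynormalization") and unquote_to_bytes(url) != url:
        return False, "VerifyNormalization (URL still encoded after one decode)"
    if not options.get("allowhighbitcharacters") and any(b > 0x7F for b in url):
        return False, "AllowHighBitCharacters=0"
    for seq in deny:
        if seq in url:
            return False, f"DenyUrlSequences {seq.decode()!r}"
    return True, "no rule matched"


OPTIONS, DENY = parse_ini(SAMPLE_INI)

# Constructed request URIs, one per point made in the thread.
CASES = {
    "plain":     "/q.asp?id=7",
    "space":     "/q.asp?id=1%20or%201=1",        # %20 -> ' ': not denied (BB's test)
    "quote":     "/q.asp?id=1'%20or%20'1'='1",    # ' is denied once it is listed
    "double":    "/q.asp?id=1%2527",              # %2527 -> %27: still encoded, rejected
    "semicolon": "/q.asp?id=1;shutdown",          # ';' never made it into the list
    "highbit":   "/q.asp?id=%C0%AF",              # bytes above 0x7F are rejected
    "comment":   "/q.asp?id=1--",                 # -- is denied once it is listed
}

if __name__ == "__main__":
    for name, uri in CASES.items():
        ok, why = scan(uri, OPTIONS, DENY)
        print(f"{name:10} {uri:32} {'allowed' if ok else 'rejected: ' + why}")
```

Run it and the "space" and "semicolon" rows come back allowed while "quote", "double", "highbit" and "comment" are rejected, which matches the two observations in the thread. The practical caveat is the one the scan function's docstring records as an assumption: URLScan inspects the request URL and headers, so an injection carried in a POST body is never examined at all. That makes it a narrow second layer at best; parameterised queries in the application remain the primary control.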