Re: URLScan and SQL Injection
From: BB (Bernard_at_3exp.com)
Date: 04/19/03
- Next message: Tom Babich: "Re: IIS5 can't download exe files"
- Previous message: Wade A. Hilmo [MS]: "Re: URLScan and SQL Injection"
- In reply to: Wade A. Hilmo [MS]: "Re: URLScan and SQL Injection"
- Next in thread: Karl Levinson [x y], mvp: "Re: URLScan and SQL Injection"
- Reply: Karl Levinson [x y], mvp: "Re: URLScan and SQL Injection"
- Reply: Wade A. Hilmo [MS]: "Re: URLScan and SQL Injection"
From: "BB" <Bernard_at_3exp.com> Date: Sat, 19 Apr 2003 11:33:25 +0800
Thanks Wade, after setting
NormalizeUrlBeforeScan=0
VerifyNormalization=0
now the %20 works perfectly. And I get what you mean on the trailing issue, but just curious, won't it be better to have the above 2 set to 0 and not canonicalize the request for urlscan to scan?
--
Regards,
Bernard Cheah
http://support.microsoft.com/

"Wade A. Hilmo [MS]" <wadeh@microsoft.com> wrote in message news:OFu3gCiBDHA.2288@TK2MSFTNGP12.phx.gbl...
> Hi All,
>
> Unfortunately, you cannot include a semicolon in the [DenyUrlSequences] section. That character is used by UrlScan as a comment delimiter, and there is no mechanism to express it in the ini file as anything else.
>
> As for the space, there are two things that you need to know. First, UrlScan looks at the URL after canonicalization has been done. Thus, if the client sends "foo%20bar" or "foo+bar" in the URL, by the time UrlScan looks at it, it will be "foo bar". As a result, checking for "%20" will generally cause anything to be rejected because the canonicalizer will have reduced it to a space. Of course, there are caveats to this, too. For example, UrlScan can be configured to look at the raw URL as sent by the client (ie. "NormalizeUrlBeforeScan=0" - FWIW, don't run in production with this setting; it's much, much harder to write rules that account for all the myriad ways undesirable characters can be encoded than it is to just scan for the decoded result.) Another strange corner case is that a client could send "%2520" in the URL. Since %25 is a '%' character, one pass through the canonicalizer with "%2520" is reduced to "%20". Of course, you'd need to set "VerifyNormalization=0" (another setting you shouldn't use in production), or else the request would be rejected before the [DenyUrlSequences] check.
>
> The second thing that you need to know about including spaces in the UrlScan.ini file is that spaces are significant only if they are not trailing. For example, you could block URLs with "foo bar", and if the client sent "foo%20bar", it would get blocked. If you put "foo " in the UrlScan.ini, though, it would get read by UrlScan as "foo", thus "foo" and "foo%20" would both get blocked by this rule. Also, spaces preceding a comment are not significant (ie. "foo ;bar" is also parsed as "foo".)
>
> I hope this all makes some sense.
>
> Thank you,
> -Wade Hilmo,
> -Microsoft
>
> "BB" <Bernard_at_3exp.com> wrote in message news:ewuREnhBDHA.2376@TK2MSFTNGP10.phx.gbl...
> > Thanks Karl, the unicode blocking is controlled by AllowHighBitCharacters. The one that I tested is the %20 space.. it doesn't work.
> >
> > If compared with win2003, it is locked down by default for mimemapping and the web service extensions that are allowed to run. But it doesn't really have such filtering if it's a valid extension. Without MIME it will give you a 404.3. And 404.2 for unknown service extension, it doesn't really block requests with %, ./ and etc. Of coz parentpath is disabled by default.
> >
> > The test is just to see if it works if we add in a new denyurls sequence.
> >
> > --
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> >
> > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message news:evgqwIaBDHA.1888@TK2MSFTNGP12.phx.gbl...
> > > Does URLScan filter? Yes, it does filter.
> > >
> > > I would suspect the problem that both of you will have with some of those characters is that AFAIK URLScan only checks the URL once [I believe after one pass at unicode decoding has been made]. Some of the characters below might no longer be in Unicode after this one pass, or they might still be in unicode format if they were encoded so that it takes two or more passes at decoding them.
> > >
> > > I'm just guessing here, but I would say that:
> > >
> > > * It's probably a good idea to add some of the characters below;
> > > * You probably don't need to block the unicode characters below as unicode in general is blocked by the default URLScan settings;
> > > * You probably won't be able to block reserved characters such as the ; semicolon, space, etc.
> > > * Windows 2003 server may let you block additional characters.
> > >
> > > "BB" <Bernard_at_3exp.com> wrote in message news:eDS$VKVBDHA.1600@TK2MSFTNGP10.phx.gbl...
> > > > Does it actually filter? I tested %20 for space char, but it's not logged ...
> > > >
> > > > --
> > > > Regards,
> > > > Bernard Cheah
> > > > http://support.microsoft.com/
> > > >
> > > > "jim c" <tjnaz2001@yahoo.com> wrote in message news:028d01c3054c$57a1c9e0$a501280a@phx.gbl...
> > > > > Hello,
> > > > >
> > > > > Is it possible to use URLScan to help with SQL injection? Is it recommended as a defense in depth approach to proper programming?
> > > > >
> > > > > The INI file for URLScan uses semicolons for comments. Is it possible to have it filter semicolons?
> > > > >
> > > > > Here is a list of meta characters that I found that are commonly used in SQL injection. Obviously you cannot blindly filter everything.
> > > > >
> > > > > [ ; ] Semicolons for additional command-execution
> > > > > [ | ] Pipes for command-execution
> > > > > [ ! ] Call signs for command-execution
> > > > > [ & ] for command-execution
> > > > > [ x20 ] Spaces for faking URLs and other names (especially in URLs!)
> > > > > [ x00 ] Nullbytes for cutting off strings and filenames
> > > > > [ x04 ] EOT for faking file ends
> > > > > [ x0a ] Newlines for additional command-execution, fake-mails and changing file-content
> > > > > [ x0d ] Newlines for additional command-execution, fake-mails and changing file-content
> > > > > [ x1b ] Escape OS-dependent
> > > > > [ x08 ] Backspace OS-dependent (faking logfiles, changing file-content)
> > > > > [ x7f ] Delete OS-dependent
> > > > > [ ~ ] Tildes OS-dependent (circumvent authentication on some ms-webservers)
> > > > > [ ' " ] Quotation-marks in combination with database-queries
> > > > > [ - ] in combination with database-queries and creation of negative numbers
> > > > > [ *% ] in combination with database-queries
> > > > > [ ` ] Backticks for command execution
> > > > > [ /\ ] Slashes and Backslashes for faking paths and queries
> > > > > [ <> ] LTs and GTs for file-operations
> > > > > [ <> ] for creating script-language related TAGS within documents on webservers!
> > > > > [ ? ] programming/scripting-language related
> > > > > [ $ ] programming/scripting-language related
> > > > > [ @ ] programming/scripting-language related
> > > > > [ : ] programming/scripting-language related
> > > > > [ ({[]}) ] programming/scripting/regex and language-related
> > > > >
> > > > > Is it worth doing and a good secondary defense to proper programming?
> > > > >
> > > > > Thank you.
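A small model of the two UrlScan behaviours Wade describes, added here as an example that is not part of the thread or of UrlScan itself: how [DenyUrlSequences] entries are read from UrlScan.ini (a ';' starts a comment and trailing spaces are dropped), and how a rule such as "%20" behaves when the URL is matched after one canonicalization pass versus against the raw URL (NormalizeUrlBeforeScan=0). The parser and the single-pass decoder are simplifications assumed for illustration, not UrlScan's code.

```python
# Added illustration (not UrlScan's implementation): models the UrlScan.ini
# parsing rules and the normalize-before-scan behaviour discussed in the thread.
from urllib.parse import unquote_plus

# Constructed ini fragment mirroring the cases in the thread; note the
# trailing space after the second "foo" and the comment on the third line.
SAMPLE_INI = "[DenyUrlSequences]\nfoo bar\nfoo \nfoo ;bar\n%20\n"


def parse_deny_sequences(ini_text: str) -> list[str]:
    """Read [DenyUrlSequences] as the thread describes UrlScan.ini parsing:
    text after ';' is a comment, and trailing whitespace is not significant,
    so both "foo " and "foo ;bar" are read as the rule "foo"."""
    rules, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comment, then trailing spaces
        if line.startswith("["):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if in_section and line:
            rules.append(line)
    return rules


def canonicalize(url: str) -> str:
    """One decoding pass: '+' becomes a space and each %XX becomes its
    character, so "foo%20bar" and "foo+bar" both become "foo bar" while
    "%2520" becomes the literal text "%20" (the double-encoding corner case;
    with VerifyNormalization=1 UrlScan would reject such a request earlier)."""
    return unquote_plus(url)


def matched_rules(url: str, rules: list[str], normalize_before_scan: bool = True) -> list[str]:
    """Return the deny sequences that fire for this URL. With the default
    setting the decoded URL is scanned; with NormalizeUrlBeforeScan=0 the
    raw URL is scanned, so rules must anticipate every encoding of a space."""
    subject = canonicalize(url) if normalize_before_scan else url
    return [rule for rule in rules if rule.lower() in subject.lower()]


if __name__ == "__main__":
    rules = parse_deny_sequences(SAMPLE_INI)
    print("rules:", rules)
    for url in ("/foo%20bar", "/foo+bar", "/foo%2520bar"):
        print(url, "normalized:", matched_rules(url, rules),
              "raw:", matched_rules(url, rules, normalize_before_scan=False))
```

Running it shows why a "%20" rule never fires on the decoded URL for "foo%20bar" yet does fire for "foo%2520bar", and why raw-URL scanning misses "foo+bar" entirely.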