Re: URLScan and SQL Injection

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/29/04

Date: Sat, 28 Feb 2004 21:50:14 -0800

You are ASSUMING that a hacker attack would actually "follow the rules".

It is perfectly legal for software to use POST to retrieve form-entity data
that is posted and also to look at QueryString for more options. It is
perfectly legal for software to use GET for the exact same purpose. The
QueryString is ALWAYS opaque data for the application and impossible to
filter 100% correctly.

In other words -- what SecureIIS offers in this feature is not bullet-proof
and is practically useless for all the prior reasons that I had mentioned.

In the long term, you will be better served by writing secure code instead
of hoping to "snap on" security that partially alleviates your problem.
Security is a state of constant mindful configuration and not a product to
be "snapped on" and forgotten.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Chuck Wyatt" <cwyatt@rcn.com> wrote in message
news:5b7b562c.0402270334.3d0040f2@posting.google.com...
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:<eRHPvqL$DHA.268@TK2MSFTNGP10.phx.gbl>...
> For example, suppose you use a web
> mail package that passes the email title around in the querystring -- with
> your filtering, legitimate emails with "select" and "update" in them will be
> rejected.
Isn't it the case that the email would be processed using POST, while
with the SQL injection hacking, we are primarily concerned with GET
(query strings)? My assumption, though I could be wrong here, is
that SecureIIS is blocking the passing of these keywords in the query
string (GET) rather than POST.
thanks,
Chuck
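An added illustration of the two points made in this exchange (example code, not part of the original thread or of any product mentioned): a keyword filter on the query string rejects an ordinary web-mail subject line, while the same text stored through a parameterized query needs no filter at all. The table, parameter name and sample subjects are constructed.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Keywords a "snap-on" query-string filter of the kind under discussion might block.
SQL_KEYWORDS = ("select", "update", "insert", "delete", "drop")


def keyword_filter_blocks(query_string: str) -> bool:
    """Return True if a naive keyword filter would reject this query string.

    Any SQL keyword appearing as a word in any QueryString value causes
    rejection, so ordinary English text trips it (a false positive).
    """
    for values in parse_qs(query_string).values():
        for value in values:
            if any(re.search(r"\b%s\b" % kw, value, re.IGNORECASE)
                   for kw in SQL_KEYWORDS):
                return True
    return False


def open_mail_db() -> sqlite3.Connection:
    """In-memory table standing in for a web-mail store (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, title TEXT)")
    return conn


def store_title(conn: sqlite3.Connection, title: str) -> int:
    """Store the title with a parameterized query.

    The driver passes the value as data, never as SQL text, so keywords,
    quotes or semicolons inside it cannot change the statement's structure.
    """
    cur = conn.execute("INSERT INTO mail (title) VALUES (?)", (title,))
    conn.commit()
    return cur.lastrowid


def fetch_titles(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT title FROM mail ORDER BY id")]


def demo() -> tuple:
    """Constructed sample: a legitimate subject line arriving in the query string."""
    qs = "title=Please+select+a+time+to+update+the+budget"
    blocked = keyword_filter_blocks(qs)          # the filter rejects valid mail
    conn = open_mail_db()
    titles = [parse_qs(qs)["title"][0], "Bob's Q1 update; see attached"]
    for title in titles:
        store_title(conn, title)                 # stored verbatim, no filter needed
    return blocked, fetch_titles(conn) == titles
```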
