Re: IIS 6 SQL Injection Sanitation ISAPI Wildcard at Codeplex



On Dec 9, 1:53 pm, Rodney Viana
<RodneyVi...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection

I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
support ISAPI Wildcard.

Cheers,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL


Actually, IIS5's core request processing engine does support Wildcard
Application Mapping. It just does not support HSE_REQ_EXEC_URL which
is what allows one to "continue the request".


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//