Re: HELP! - I need to setup a temporary IIS redirect while I fix SQL Injection vulnerabilities on my site
- From: David Wang <w3.4you@xxxxxxxxx>
- Date: Sat, 17 May 2008 18:38:32 -0700 (PDT)
On May 17, 2:23 pm, dsa157 <dsa...@xxxxxxxxx> wrote:
> Hi all -
> My site has been hit by the latest wave of SQL Injection attacks. I
> (sorta) understand what I need to do to fix things, but it is going to
> take a *lot* of work that'll be pretty time consuming as the site is a
> hodge podge of classic ASP and ASP.Net and hand rolled scripts etc.
> What I'd like to do in the meantime is redirect any web request that
> comes in with a substring that I know I don't want to process, i.e. if
> the URL contains "=CAST", I'd like to throw it out.
> Can I do a global redirect like this in IIS to prevent the request
> from ever getting to my database back end? If so, how do I do it?
> Thanks in advance!
> Dave

There are no features in IIS that behave like you describe.
There are add-on extension modules that behave like that.
- There is URLScan that will reject requests based on certain
criteria, but it will NOT scan the Querystring.
- There are other ISAPI Filters of various reputation which
[foolishly] scan the querystring to reject requests.
In general, trying to do this temporary redirection is going the wrong
way, even temporarily. All it takes is a few encodings/permutations and
all those hard-coded redirection filters are rendered useless. And
since Querystring has no defined encoding in the HTTP specification,
you're pretty much wasting your time.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
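
Added example (not part of the original thread, and not code from either poster): a small Python check that compares a hard-coded "=CAST" rule on the raw query string with what the application receives after decoding. The sample query strings, the function names and the CAST_CALL labelling pattern are constructed for illustration; the pattern only labels the samples and is not a proposed filter.

```python
import re
from urllib.parse import parse_qsl

RULE = "=CAST"  # substring rule from the question, matched against the raw query string

# Illustrative labelling pattern (assumption): a CAST( call in a decoded value.
CAST_CALL = re.compile(r"\bCAST\s*\(", re.IGNORECASE)

def raw_rule_blocks(raw_query):
    """The hard-coded filter: reject when the raw query string contains '=CAST'."""
    return RULE in raw_query

def app_receives_cast_call(raw_query):
    """True when a decoded parameter value, as the application sees it, has CAST(."""
    values = [v for _, v in parse_qsl(raw_query, keep_blank_values=True)]
    return any(CAST_CALL.search(v) for v in values)

def evaluate(samples):
    """Sort samples into filter misses and false positives."""
    result = {"missed": [], "false_positives": []}
    for q in samples:
        blocked, carries = raw_rule_blocks(q), app_receives_cast_call(q)
        if carries and not blocked:
            result["missed"].append(q)           # reaches the back end unfiltered
        elif blocked and not carries:
            result["false_positives"].append(q)  # legitimate request rejected
    return result

# Constructed sample query strings, not taken from any real log.
SAMPLES = [
    "id=CAST(1+AS+INT)",    # exact form the rule anticipates
    "id=cast(1+AS+INT)",    # different letter case
    "id=%43AST(1+AS+INT)",  # one letter percent-encoded
    "id=1+CAST(1+AS+INT)",  # not directly after the '='
    "name=CASTLE+ROCK",     # ordinary value that happens to start with CAST
    "id=42",
]

if __name__ == "__main__":
    for kind, queries in evaluate(SAMPLES).items():
        print(kind, queries)
```
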