IIS 6 SQL Injection Sanitation ISAPI Wildcard

  • Rodney Viana

    IIS 6 SQL Injection Sanitation ISAPI Wildcard

    IIS 6 SQL Injection Sanitation ISAPI Wildcard at


    I created an ISAPI dll application to prevent SQL Injection attempts by
    intercepting the HTTP requests and sanitizing both GET and POST variables (or
    any combination of both) before the request reaches the intended code. This
    is especially useful for legacy applications not designed to deal with MS SQL
    Server Injection attempts. Though this application was designed with MS SQL
    Server in mind, it can be used with no or minimal changes with other database
    engines.

    This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
    which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
    support ISAPI Wildcard.

    Cheers,
    --
    Rodney Viana, PMP
    MCSE+I MCDBA MCST MOSS, SQL
  • Bob Barrows [MVP]

    #2
    Re: IIS 6 SQL Injection Sanitation ISAPI Wildcard

    Rodney Viana wrote:
    > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
    >
    > I created an ISAPI dll application to prevent SQL Injection attempts
    > by intercepting the HTTP requests and sanitizing both GET and POST
    > variables (or any combination of both) before the request reaches the
    > intended code. This is especially useful for legacy applications not
    > designed to deal with MS SQL Server Injection attempts. Though this
    > application was designed with MS SQL Server in mind, it can be used
    > with no or minimal changes with other database engines.
    >
    > This ISAPI is only compatible with Internet Information Server (IIS)
    > 6.0, which comes with Windows 2003. Windows XP uses the IIS 5 engine, which
    > DOES NOT support ISAPI Wildcard.
    >
    Does it deal with the advanced injection techniques described in these
    articles?



    Are you using a blacklist of disallowed keywords? What if the data needs
    to contain one of those keywords? I have a feeling that you and users of
    this are getting a false sense of security and will fail to take the
    only step guaranteed to stop SQL Injection: eliminate dynamic sql
    entirely in favor of parameters.

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.



    • Rodney Viana

      #3
      Re: IIS 6 SQL Injection Sanitation ISAPI Wildcard

      Hi Bob,

      Though the application filters pretty much all attacks in the articles you
      cited, it is meant to solve problems with legacy applications not to shield
      new applications (which should use parameters instead). You can do more than
      include black lists, since it uses regular expression templates to transform
      input patterns. The source code is also available, so anyone with C++ skills
      can change the modus operandi.


      Thanks,
      --
      Rodney Viana, PMP
      MCSE+I MCDBA MCST MOSS, SQL


      "Bob Barrows [MVP]" wrote:
      > Rodney Viana wrote:
      > > IIS 6 SQL Injection Sanitation ISAPI Wildcard at
      > >
      > > I created an ISAPI dll application to prevent SQL Injection attempts
      > > by intercepting the HTTP requests and sanitizing both GET and POST
      > > variables (or any combination of both) before the request reaches the
      > > intended code. This is especially useful for legacy applications not
      > > designed to deal with MS SQL Server Injection attempts. Though this
      > > application was designed with MS SQL Server in mind, it can be used
      > > with no or minimal changes with other database engines.
      > >
      > > This ISAPI is only compatible with Internet Information Server (IIS)
      > > 6.0, which comes with Windows 2003. Windows XP uses the IIS 5 engine, which
      > > DOES NOT support ISAPI Wildcard.
      >
      > Does it deal with the advanced injection techniques described in these
      > articles?
      >
      > Are you using a blacklist of disallowed keywords? What if the data needs
      > to contain one of those keywords? I have a feeling that you and users of
      > this are getting a false sense of security and will fail to take the
      > only step guaranteed to stop SQL Injection: eliminate dynamic sql
      > entirely in favor of parameters.
      >
      > --
      > Microsoft MVP -- ASP/ASP.NET
      > Please reply to the newsgroup. The email account listed in my From
      > header is my spam trap, so I don't check it very often. You will get a
      > quicker response by posting to the newsgroup.
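Bob's keyword-in-data objection and Rodney's regex-template transforms, as an added example that is not part of this thread or of the CodePlex project: a toy sanitiser built from constructed regex templates sits in front of legacy concatenated SQL, and a customer whose name legitimately contains SQL keywords can no longer be found, while the parameterised query Bob recommends returns the row untouched. The templates, the sqlite3 table and both lookup functions are constructed for illustration.

```python
import re
import sqlite3

# Constructed regex "templates" in the spirit of a request-sanitising filter.
# Assumption: a toy stand-in, NOT the rules shipped by the CodePlex project.
TEMPLATES = [
    (re.compile(r"'"), "''"),                                   # escape quotes
    (re.compile(r"--.*$", re.M), ""),                           # strip -- comments
    (re.compile(r"\b(union|select|drop|insert)\b", re.I), ""),  # keyword blacklist
]


def sanitize(value: str) -> str:
    """Apply each template in order, as a pre-code filter on GET/POST values would."""
    for pattern, repl in TEMPLATES:
        value = pattern.sub(repl, value)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one name that happens to contain SQL keywords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Union Select Ltd"), (2, "Alice O'Brien")])
    return conn


def legacy_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Legacy dynamic SQL behind the filter: the sanitised value is concatenated."""
    sql = "SELECT id FROM customers WHERE name = '" + sanitize(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Bob's recommendation: the driver binds the value, so no sanitising is needed."""
    rows = conn.execute("SELECT id FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for n in ("Union Select Ltd", "Alice O'Brien"):
        # The blacklist turns "Union Select Ltd" into "  Ltd": legitimate data lost.
        print(repr(n), "filtered:", legacy_lookup(db, n),
              "parameterised:", parameterized_lookup(db, n))
```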


      • diksa

        #4
        Re: IIS 6 SQL Injection Sanitation ISAPI Wildcard

        On Dec 9, 9:57 pm, Rodney Viana
        <RodneyVi...@discussions.microsoft.com> wrote:
        > IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection
        >
        > I created an ISAPI dll application to prevent SQL Injection attempts by
        > intercepting the HTTP requests and sanitizing both GET and POST variables (or
        > any combination of both) before the request reaches the intended code. This
        > is especially useful for legacy applications not designed to deal with MS SQL
        > Server Injection attempts. Though this application was designed with MS SQL
        > Server in mind, it can be used with no or minimal changes with other database
        > engines.
        >
        > This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
        > which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
        > support ISAPI Wildcard.
        >
        > Cheers,
        > --
        > Rodney Viana, PMP
        > MCSE+I MCDBA MCST MOSS, SQL

        Hi,
        I read your message and clearly understood the content. Meanwhile
        I have brought you something I think you are going to like most, because
        in this age of computerisation everybody wants to be carried along, so I
        invite you to visit the below site and get yourself doing any of these
        things: look for someone that will work for you as a sales
        agent, advertise your products, someone to employ as a worker in
        different fields of profession, or work with the company yourself by
        setting your own hour rate and work fee. You can as well create a project
        and place it on the site for bidding, especially if you have products
        for sale or a project to be tackled. Sign up is free, do it now and start
        to work immediately; a lot of work is already waiting for you. Check
        it by clicking on the link below now.

        Thanks,
        Sadiq.
        +2348087228886
