This ISAPI wildcard, which works as an ISAPI filter, sanitizes SQL injection attempts directly in GET and POST variables.
Important
I have deleted the previous version (1.0) which had about 2,000 downloads. The new version includes some features requested by users in the discussion post. Add 2,354 to the number of downloads if you want to know how many people have downloaded the filter so far.
Installation Package v. 2.0 32bits-BETA - It includes an application to change the configuration, the ability to exclude files from filtering, logging, and a better installer that includes the C++ dependencies. It is compatible with ASP and ASP.NET. It is the preferred download. The only BETA part is the log capability; all the rest is stable.
Installation Package v. 1.5 32bits - Compatible with FrontPage Extensions - is compatible with both classic ASP and ASP.NET.
Introduction
This ISAPI DLL prevents SQL injection attempts by intercepting HTTP requests and sanitizing GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications that were not written to defend against MS SQL Server injection. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines. Note that the filter is a compensating control placed in front of the application: the vulnerable string concatenation in the application code remains, and the proper fix is still the parameterized query discussed under Background.
This ISAPI extension is only compatible with Internet Information Services (IIS) 6.0, which ships with Windows Server 2003. Windows XP ships the IIS 5.1 engine, which DOES NOT fully support ISAPI wildcard application maps.
Background
SQL Server injection is a common application attack that targets the database layer of the application. Any application that builds SQL statements by concatenating user input into a string instead of using parameterized queries is vulnerable by construction, without exception. A basic example:
In ASP.NET (C#), reading the value from a TextBox (deliberately vulnerable):
string stringSQL = "SELECT * FROM users WHERE userName = '" + UserId.Text + "';";
The classic ASP (VBScript) equivalent, reading the value straight from the request:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"
If UserId is entered as: '; DROP TABLE xxxx; --
the SQL query sent to the database is: SELECT * FROM users WHERE userName = ''; DROP TABLE xxxx; --';
which drops table xxxx: the injected quote closes the string literal, the semicolon ends the SELECT so a second statement can follow, and the trailing -- comments out the quote and semicolon the application appends, so the whole batch stays syntactically valid. Another category of attack is information disclosure. If UserId is entered as: ' OR 1=1 --
the resulting SQL query is: SELECT * FROM users WHERE userName = '' OR 1=1 --';
The WHERE clause is now always true, so every row of the users table is returned.
By Rodney Viana, http://www.rodneyviana.com
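The two injections above, run end to end, as an added example that is not code from the article or from the ISAPI filter. It is written in Python against an in-memory SQLite database standing in for MS SQL Server (an assumption; the concatenation flaw is identical). Because SQLite's execute() accepts only one statement, a small split_batch helper (my own simplification of how a server parses a batch: single-quoted strings and -- comments only) runs the stacked statements the way SQL Server would. The same input is then sent through a parameterized query, the fix the text recommends. The table and row data are constructed for the example.

```python
# Added example, not part of the original article or the ISAPI filter.
# SQLite is used as an offline stand-in for MS SQL Server (assumption).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table and the table 'xxxx' from the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.execute("CREATE TABLE xxxx (id INTEGER)")
    conn.commit()
    return conn


def vulnerable_sql(user_id: str) -> str:
    """The article's query, built by string concatenation (deliberately vulnerable)."""
    return "SELECT * FROM users WHERE userName = '" + user_id + "';"


def split_batch(sql: str) -> list:
    """Splits a batch into statements, honouring single-quoted strings ('' is an
    escaped quote) and -- line comments. Simplified stand-in for the server's own
    parser (assumption): no /* */ comments, no GO separators."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            buf.append(ch)
            if ch == "'":
                if sql[i + 1 : i + 2] == "'":  # doubled quote inside a string
                    buf.append("'")
                    i += 1
                else:
                    in_str = False
        elif sql.startswith("--", i):  # comment runs to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif ch == "'":
            in_str = True
            buf.append(ch)
        elif ch == ";":  # statement terminator outside a string
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    stmt = "".join(buf).strip()
    if stmt:
        stmts.append(stmt)
    return stmts


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Runs the concatenated query as a batch, statement by statement, the way
    SQL Server processes stacked statements. Returns the rows of the last one."""
    rows = []
    for stmt in split_batch(vulnerable_sql(user_id)):
        rows = conn.execute(stmt).fetchall()
    return rows


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: a parameterized query. The value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE userName = ?;", (user_id,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# The two payloads from the Background section.
DISCLOSURE_PAYLOAD = "' OR 1=1 --"
DROP_PAYLOAD = "'; DROP TABLE xxxx; --"


def demo() -> dict:
    """Runs both payloads through the vulnerable and the parameterized path."""
    conn = make_db()
    out = {
        "vulnerable_or_rows": len(lookup_vulnerable(conn, DISCLOSURE_PAYLOAD)),
        "safe_or_rows": len(lookup_safe(conn, DISCLOSURE_PAYLOAD)),
        "safe_drop_rows": len(lookup_safe(conn, DROP_PAYLOAD)),
        "table_after_safe": table_exists(conn, "xxxx"),
    }
    lookup_vulnerable(conn, DROP_PAYLOAD)  # the stacked DROP TABLE executes here
    out["table_after_vulnerable"] = table_exists(conn, "xxxx")
    return out


if __name__ == "__main__":
    print(vulnerable_sql(DISCLOSURE_PAYLOAD))
    print(vulnerable_sql(DROP_PAYLOAD))
    print(demo())
```

With the concatenated query the disclosure payload returns both rows and the drop payload removes table xxxx; with the parameterized query both payloads are simply looked up as literal user names, return nothing, and leave the schema untouched.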
Installation
A video describing the step-by-step installation is available for download on this page.
You can also find written instructions in this Discussion thread: Installation
Version 1.5 is compatible with both classic ASP and ASP.NET.
64-bit Version (beta):
The instructions are similar and the install video applies as well, but the install folder differs and there is no test application; the test site material is there, though.
ONLY FOR USERS WITH VERSIONS BEFORE 1.5:
Zachary Johnson identified an issue when an attacker submits GET and POST variables at the same time, in a very specific situation that also requires access to the receiving form. This could allow the SQL injection to pass through in some cases. All versions in this download are free of this problem. If you have a previous version, please update to version 1.5. The update is not available for 64-bit yet.