First Release

Rating: Based on 3 ratings
Reviewed:  2 reviews
Downloads: 6832
Released: Dec 1, 2007
Updated: Dec 1, 2009 by rviana
Dev status: Stable

Recommended Download

Application Installation Package v.2.0 32bits FINAL-incl. Log and Exclusions
application, 8755K, uploaded Dec 1, 2009 - 2590 downloads

Other Available Downloads

Source Code Boost Source Code (used in the project but not needed for installation)
source code, 45050K, uploaded Dec 1, 2007 - 753 downloads
Documentation Installation video
documentation, 12307K, uploaded Dec 28, 2007 - 2515 downloads
Application Installation Package 64-bit (beta 0.8) Please give feedback
application, 3819K, uploaded Jul 4, 2008 - 184 downloads
Application Boost1.35.0-unzip on C:\projects\IIS6SQLInjection
application, 64421K, uploaded Aug 21, 2008 - 291 downloads
Application Installation Package v. 1.5 32bits - Compatible with Frontpage Extensions
application, 3562K, uploaded Aug 23, 2008 - 499 downloads

Release Notes

Project Description

This ISAPI wildcard, which works as an ISAPI filter, sanitizes SQL injection attempts directly in the GET and POST variables.

Important
I have deleted the previous version (1.0), which had about 2,000 downloads. The new version includes some features requested by users in the discussion posts. Add 2,354 to the number of downloads if you want to know how many people have downloaded the filter so far.

Installation Package v. 2.0 32bits-BETA - It includes a configuration application, the ability to exclude files from filtering, logging, and a better installer that bundles the C++ dependencies. It is compatible with ASP and ASP.NET. It is the preferred download. The only BETA part is the log capability; all the rest is stable.

Installation Package v. 1.5 32bits - Compatible with Frontpage Extensions - is compatible with both classic ASP and ASP.NET.


Introduction

This ISAPI DLL prevents SQL injection attempts by intercepting HTTP requests and sanitizing the GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications that were not designed to withstand MS SQL Server injection attempts. Although the filter was designed with MS SQL Server in mind, it can be used with little or no change with other database engines.

This ISAPI filter is only compatible with Internet Information Server (IIS) 6.0, which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT fully support ISAPI wildcards.
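To make the request-side mechanism concrete, here is an added example (not the project's code, and not taken from the page) that models what a filter of this kind has to do: decode the GET and POST variables as the web server sees them, skip paths on an exclusion list, test each value against a set of detection rules, and produce a log line. The three rules, the exclusion semantics and the log format are all assumptions for this example; the page does not list the real filter's rules. Such pattern matching is a stopgap for legacy code, not a replacement for parameterized queries, and the exclusion list exists precisely because pattern rules can misfire on legitimate input.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumed detection rules for this example; the real filter's rules are not
# listed on the page. Each entry is (rule name, compiled regex).
SUSPICIOUS = [
    # a closing quote followed by a boolean tautology such as ' OR 1=1
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    # a closing quote followed by a comment marker such as ' --
    ("quote-then-comment", re.compile(r"'\s*(--|/\*)")),
    # a statement terminator followed by a second statement
    ("stacked-statement",
     re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b", re.I)),
]


def parse_variables(query_string, post_body=""):
    """Decode GET and POST variables as a filter would see them.

    Returns a dict keyed by (source, name) so a finding can say which side
    of the request carried the suspicious value.
    """
    variables = {}
    for source, raw in (("GET", query_string), ("POST", post_body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            variables[(source, name)] = value
    return variables


def inspect_request(path, query_string, post_body="", excluded_paths=()):
    """Return a list of (source, name, rule) findings; empty means clean.

    Paths listed in excluded_paths are skipped, mirroring the page's
    "exclusions" feature (exact, case-insensitive matching is assumed).
    """
    if path.lower() in {p.lower() for p in excluded_paths}:
        return []
    findings = []
    for (source, name), value in parse_variables(query_string, post_body).items():
        # Decode one more time so a double-encoded quote (%2527) is still seen.
        normalized = unquote(value)
        for rule, pattern in SUSPICIOUS:
            if pattern.search(normalized):
                findings.append((source, name, rule))
                break  # one finding per variable is enough to block
    return findings


def format_log_line(client_ip, path, findings):
    """Render findings as a single log line (the format is assumed)."""
    if not findings:
        return ""
    hits = ";".join(f"{src}:{name}:{rule}" for src, name, rule in findings)
    return f"BLOCKED client={client_ip} path={path} hits={hits}"


if __name__ == "__main__":
    # Constructed sample requests, reusing the page's own payload shapes.
    print(inspect_request("/login.asp", "UserId=%27+OR+1%3D1+--"))
    print(inspect_request("/login.asp", "", "UserId=alice&pwd=s3cret"))
    print(inspect_request("/report.asp", "q=%27+OR+1%3D1+--",
                          excluded_paths=("/report.asp",)))
    print(format_log_line("10.0.0.1", "/login.asp",
                          inspect_request("/login.asp", "UserId=%27+OR+1%3D1+--")))
```

The second decode pass is the kind of detail that decides whether a filter like this is useful at all: a value that arrives as %2527 is a literal "%27" after the server's own decoding, and only becomes a quote when the application decodes it again, so the inspector has to look at both forms.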

Background

SQL Server injection is a common application attack that targets the database layer of the application. All applications that build SQL queries by string concatenation instead of using parameterized queries are vulnerable by nature, without exception. A basic example:

C#:
// Vulnerable: untrusted input is concatenated straight into the query text.
string stringSQL = "SELECT * FROM users WHERE userName = '" + UserId.Text + "';";

Classic ASP:
' Vulnerable: untrusted input is concatenated straight into the query text.
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If the UserId is entered as: '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

This will delete table xxxx. Another category of attack concerns privacy. If UserId is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

This forces the return of all rows from the "users" table.
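The following added example (not from the page or the project) runs the page's ' OR 1=1 -- input through both a concatenated query, as in the C# and ASP snippets above, and a parameterized one, against a constructed in-memory SQLite table, so the difference the Background section describes can be observed directly: the concatenated form returns every user, the parameterized form returns nothing because the whole string is compared as a value.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not data from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn, user_id):
    """The page's vulnerable pattern: the input is spliced into the SQL text,
    so quote characters and comment markers in it become SQL syntax."""
    sql = "SELECT * FROM users WHERE userName = '" + user_id + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: the value is bound to a placeholder and is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE userName = ?;", (user_id,)
    ).fetchall()


def demo():
    """Run the page's ' OR 1=1 -- input through both versions and count rows."""
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "concat_rows": len(lookup_concatenated(conn, payload)),  # every user
        "param_rows": len(lookup_parameterized(conn, payload)),  # no such user
        "param_legit": len(lookup_parameterized(conn, "alice")),  # still works
    }


if __name__ == "__main__":
    print(demo())
```

The example uses the tautology case rather than the page's stacked '; DELETE TABLE xxxx; -- case because Python's sqlite3 execute() refuses more than one statement per call, whereas classic ADO against SQL Server runs the whole text as a batch, which is why the page's first example does damage there. That driver behaviour is incidental protection, not a reason to skip parameters.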

By Rodney Viana
http://www.rodneyviana.com


Installation
A video describing the step-by-step installation is available for download on this page.
Written instructions are also available in the discussion thread titled Installation.
Version 1.5 is compatible with both classic ASP and ASP.NET.

64-bit version (beta): the instructions are similar and the install video applies as well, but the install folder differs and there is no test application, although the test site material is included.

ONLY FOR USERS WITH VERSIONS BEFORE 1.5: Zachary Johnson identified an issue where an attack using both GET and POST at the same time, in a very specific situation that also requires access to the receiving form, could allow the SQL injection to pass through in some cases. All versions in this download are free of this problem. If you have a previous version, please update to version 1.5. The update is not yet available for 64-bit.

Reviews for this release

dddddddddd
by yaschiro on Mar 24, 2015 at 2:02 AM
how are you...
by xiaogang8800 on Dec 30, 2009 at 12:50 PM