INetU Managed Hosting

Combating SQL Injection Attacks

December 16th, 2009 by Jason C.

What is URLScan? URLScan is a free tool provided by Microsoft that restricts certain kinds of HTTP requests that IIS will process. Though there are many different uses of URLScan, today I will only be covering SQL Injection blocking.

SQL Injection occurs when attacker-controlled input is spliced into a SQL statement, so that characters in the input (a quote, a semicolon, a comment marker) change the structure of the query instead of being treated as data. The attacker can then read or modify data in your database and, in some cases, reach files on the server outside of SQL Server. If you find that you are the target of SQL Injection attacks and you are not equipped to make all of the necessary application changes (or if those changes will take a long time to implement), URLScan may be a good fit until you can fix the root cause.

As of this writing, URLScan 3.1 is the latest version and can be downloaded from Microsoft. A default installation registers the URLScan ISAPI filter for all websites on the server. The filter intercepts each request to IIS and evaluates the security rules defined in URLScan.ini against it. Because it works as an ISAPI filter, it inspects the request line, headers and query string, not the request body: POSTed form fields are outside its reach. (On IIS 7 and later, the built-in Request Filtering module covers much of the same ground, and IIS 7.5 adds query string sequence rules to it, so check what you already have before adding a separate filter.)

The blocking of SQL injection attacks is handled by the DenyQueryStringSequences security rule. The rule compares the query string of each request against a list of character sequences that you provide. The comparison is a case-insensitive substring match: an entry of SELECT matches select, Select, and any parameter value that merely contains those letters. If a request matches, it is rejected, logged in the URLScan log, and a 404 status is returned to the client. You can instead configure URLScan to only log matching requests rather than block them, by setting RejectResponseUrl=/~* in the [Options] section. I recommend starting in logging-only mode so you can determine whether valid traffic would be blocked; if it would, adjust the sequences before switching to blocking. Also consider setting UnescapeQueryString=1 in [Options] so the rule is checked against the percent-decoded query string as well as the raw one; otherwise an encoded keyword such as %53ELECT does not match a SELECT entry.

Below is a configured DenyQueryStringSequences security rule. I have added some of the most common SQL keywords used in SQL Injection attacks, with a note on the ordinary words each entry will also match:

[DenyQueryStringSequences]
;
; If any character sequences listed here appear in the query
; string for any request, that request will be rejected.
; Matching is case-insensitive and looks for substrings, so an
; entry like CAST also matches "broadcast" inside a parameter
; value. Watch the URLScan log for such false positives before
; switching from logging-only mode to blocking.
;

<  ; Commonly used by script injection attacks
>  ; Commonly used by script injection attacks
-- ; SQL comment marker used to discard the rest of a statement
@  ; also catches @@; note it also matches e-mail addresses
ALTER
CAST     ; also matches words such as "broadcast"
CONVERT
CREATE   ; also matches "recreate"
DECLARE
DELETE
DROP     ; also matches "dropdown"
EXEC     ; also catches EXECUTE
FETCH
INSERT
KILL     ; also matches "skill"
SELECT

While URLScan can be used to block SQL Injection, it should not be the end-all solution in your environment. Security best practices should be enforced in your web application design to deal with these types of attacks. A secure web application, one that uses parameterized queries or stored procedures with typed parameters so that user input is never spliced into SQL text, defeats all SQL Injection attempts regardless of which characters are used. URLScan can only reject the specific sequences listed in URLScan.ini, and there are many ways to express a SQL statement that avoid any given list.
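The difference between the two query styles, as an added example that is not part of the original post: Python's sqlite3 stands in for the ASP/ADO and SQL Server stack (an assumption of the example, not the article's environment), the table and rows are constructed, and the payload is a tautology that contains none of the sequences the rule above denies, so it would pass URLScan unchanged.

```python
"""Root-cause fix: parameterized queries instead of string concatenation.

Added example, not from the article. Python's sqlite3 stands in for the
ASP/ADO + SQL Server stack; the point is the same in any driver that
supports parameters: the database receives the statement and the values
separately, so input can never change the statement's structure.
"""
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return con


def lookup_vulnerable(con, name):
    """Splices the input into SQL text: the classic injectable pattern."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    """Same query with the value bound as a parameter."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


# A tautology payload. It contains none of the sequences the article's
# URLScan rule denies (no SELECT, no --, no @, ...), so the filter would
# let it through; only the query style decides the outcome.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("concatenated:  ", lookup_vulnerable(con, PAYLOAD))   # every row
    print("parameterized: ", lookup_safe(con, PAYLOAD))         # no rows
```

With the concatenated query the WHERE clause becomes `name = 'x' OR '1'='1'` and every row comes back; with the parameter bound, the whole payload is compared as a literal name and nothing matches.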

I'll leave you with an example of how a crafty attacker could get around URLScan:

Suppose an attacker wants to run a statement whose keyword is on the list. Splitting the keyword, sending SEL+ECT for instance, does not achieve that by itself: the + in a query string decodes to a space, and SQL Server will not reassemble SEL ECT into SELECT. What does get past the rule above is anything it does not list or cannot see: a keyword that is not in the list (UPDATE, TRUNCATE, WAITFOR and a plain OR 1=1 condition appear nowhere in it), the same keyword percent-encoded when UnescapeQueryString is off, or the payload delivered in a POST body or a cookie, which the query string rule never inspects. You can imagine how many variations can be conjured up; it would be extremely difficult to capture all of them, and this is only a sample of the ways an attacker can get around a blocklist.
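To try a rule set against traffic before turning blocking on, and to see the blind spots just described, here is a small Python model of the DenyQueryStringSequences matching. It is an added example, not URLScan's code or the article's, and it assumes the documented behaviour: case-insensitive substring matching against the query string only, an optional second pass over the percent-decoded string (UnescapeQueryString=1), and a logging-only mode (RejectResponseUrl=/~*). Whether the real filter also turns + into a space is not assumed; only %XX escapes are decoded. The rule set is the one listed earlier on this page and the sample requests are constructed: a false positive on "broadcast", an encoded DROP that only the unescaped pass catches, an OR 1=1 payload that matches nothing on the list, and a POST body the rule never sees.

```python
"""Toy model of URLScan's DenyQueryStringSequences rule.

Added example, not URLScan or article code. Assumed behaviour:
  * case-insensitive substring match against the query string only
    (an ISAPI filter never sees the POST body)
  * optional second pass over the percent-decoded query string
    (URLScan's UnescapeQueryString=1)
  * logging-only mode that records hits without rejecting
    (URLScan's RejectResponseUrl=/~*)
Only %XX escapes are decoded; '+' is left alone (an assumption).
"""
import urllib.parse

# The article's rule set as it would appear in URLScan.ini (constructed).
DENY_INI = """\
[DenyQueryStringSequences]
<  ; Commonly used by script injection attacks
>  ; Commonly used by script injection attacks
--
@ ; also catches @@
ALTER
CAST
CONVERT
CREATE
DECLARE
DELETE
DROP
EXEC ; also catches execute
FETCH
INSERT
KILL
SELECT
"""


def parse_deny_sequences(ini_text):
    """Return the sequences listed under [DenyQueryStringSequences]."""
    seqs, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[denyquerystringsequences]"
            continue
        if in_section:
            seqs.append(line)
    return seqs


def scan_query_string(query, sequences, unescape=True):
    """Return the first denied sequence found in `query`, else None.

    Pass 1 looks at the raw query string; with unescape=True a second
    pass looks at the percent-decoded string, which is what catches
    %53ELECT or %44ROP.
    """
    candidates = [query]
    if unescape:
        candidates.append(urllib.parse.unquote(query))
    for text in candidates:
        lowered = text.lower()
        for seq in sequences:
            if seq.lower() in lowered:
                return seq
    return None


def handle_request(method, query, body, sequences,
                   log_only=False, unescape=True):
    """Simulate the filter's decision: (status, matched_sequence).

    Only `query` is inspected. `method` and `body` are accepted to make
    the blind spot explicit: a payload in a POST body passes untouched.
    """
    hit = scan_query_string(query, sequences, unescape)
    if hit is None:
        return 200, None
    if log_only:
        return 200, hit          # logged, but the request goes through
    return 404, hit              # URLScan's default rejection status


# Constructed sample traffic: (label, method, query string, body)
SAMPLE_REQUESTS = [
    ("benign",                 "GET",  "id=7", ""),
    ("plain keyword",          "GET",  "id=7;DROP%20TABLE%20users", ""),
    ("encoded keyword",        "GET",  "id=7;%44ROP%20TABLE%20users", ""),
    ("no listed keyword",      "GET",  "id=7'%20OR%201=1", ""),
    ("false positive: CAST",   "GET",  "page=broadcast", ""),
    ("false positive: @",      "GET",  "email=jason%40example.com", ""),
    ("payload in POST body",   "POST", "", "id=7;DROP TABLE users"),
]


def run_samples(sequences, log_only=False, unescape=True):
    """Run every sample through the filter; returns {label: (status, hit)}."""
    return {label: handle_request(m, q, b, sequences, log_only, unescape)
            for label, m, q, b in SAMPLE_REQUESTS}


if __name__ == "__main__":
    rules = parse_deny_sequences(DENY_INI)
    for mode in ("log-only", "blocking"):
        print(f"--- {mode} ---")
        for label, (status, hit) in run_samples(rules, mode == "log-only").items():
            print(f"{status}  {label:24} matched={hit}")
```

Run it once with unescape=False to see the encoded DROP and the e-mail address both pass, then with the default to see the decode pass catch both: the same option that closes the encoding gap also raises the false-positive rate, which is why the logging-only run matters.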

So if you're looking to buy some valuable time while you fix the security holes in your web application, URLScan is a valuable tool against the majority of untargeted SQL Injection attacks, as long as you treat it as a stopgap rather than the fix.

©1996-2010 INetU Inc, All rights reserved.