How IIS can help with SQL Injection

Thursday, December 18, 2008

2008 has been a busy year for attackers exploiting SQL Injection vulnerabilities in web applications. Once again, I am finding questions about this subject in my inbox.

Earlier today, I found myself reviewing the material that's been published by Microsoft and others. I was searching for a single, concise link that I could send out to describe what IIS's various filtering tools can do and how to set them up for the job.

It turns out that there are so many articles out there, that the core "what can I do about it" message has been lost in the deluge. For someone new to the issue, who just wants to know what to do, there is no good starting place.

This post is my attempt to provide that starting place.

Before getting into the details, no discussion about SQL Injection filtering is complete without the following caveat: Filtering for SQL Injection is nothing more than a tool to help mitigate the issue. It is not the final solution and it is not foolproof. The only complete solution to prevent SQL Injection over the web is to fix vulnerable web applications on the server. For lots of in-depth information about the root cause of SQL Injection vulnerabilities and strategies for fixing them, here are some suggested links:

Definition of SQL Injection
SQL Server Injection Protection
Preventing SQL Injections in ASP
How To: Protect from SQL Injection in ASP.NET
Coding Techniques for protecting against SQL Injection in ASP.NET
Filtering SQL Injection from Classic ASP
Security Vulnerability Research & Defense Blog on SQL Injection Attack

What that caveat out of the way, here is how IIS can help to mitigate against SQL Injection attacks:

It is possible to filter input to IIS so that HTTP requests containing information deemed dangerous by the server administrator can be blocked before a web application is allowed to process them. In the context of SQL Injection, this means that IIS can look for SQL statements in various parts of the request and shut them down before they become a problem.

The actual tools and methods for doing this are different for different IIS versions. Starting with IIS 7, request filtering is included as a core feature and is installed by default on all IIS 7 servers. Prior to IIS 7, IIS did not have this feature built in, but it is available as an add-on component. So for IIS 6 and earlier, request filtering is accomplished via the UrlScan tool available as a free download.

I have prepared posts describing step-by-step instructions for setting up filtering for SQL Injection attempts at the following links:

To set up SQL Injection filtering for IIS 7 and later, go here.
To set up SQL Injection filtering for IIS 6 and earlier, go here.

Finally, it has become very clear to me today that the state of the art changes pretty rapidly. I've seen many articles that talk about betas and other versions that were current at the time they were written - but are no longer current today. I fully expect that the blog posts I'm writing today are going to fall victim to that same trend.

To address that issue, I am going to see if we can set up an area on iis.net for security articles that are always kept current. Once we have that, we can put a SQL Injection article there and let that be the canonical location for guidance from the IIS team on that topic. With the holidays approaching, it will likely be well into January before I can make this happen, but it's now on my agenda.

Thanks,
-Wade

"What that caveat out of the way" should be "With..." I guess..

Anonymous - Tuesday, December 30, 2008 7:47:59 AM

How to use Adsutil.vbs to set my virtual Directory(my web site) process identity to Local system..Please help me out im struggling from 2 days...

Anonymous - Wednesday, January 28, 2009 12:57:18 PM

2 Comments