URLScan 3.0 – help with sql injection attacks.

For those supporting a Classic ASP or ASP.NET application, you have probably noticed an increase in SQL injection attempts. Microsoft has released an updated URLScan 3.0. Here is the link to download URLScan version 3 beta for 32-bit or 64-bit. You can read about it on the blogs by Wade Hilmo and the Nazim security blog.

I've been kicking the tires on URLScan 3.0. One thing to remember when applying custom rules is to add them to the RuleList option: search for RuleList in urlscan.ini and put in the name of your rule, for example RuleList=SQL Injection Raw. Double quotes aren't needed around rules with spaces in the name. When you apply a custom rule per the docs, make sure it shows up as started in the URLScan logs in c:\windows\system32\inetsrv\urlscan\logs.

Here is what shows that the rule has been loaded. Notice that the last line matches the rule defined in our example below.

[06-23-2008 - 00:35:58] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
[06-23-2008 - 00:35:58] The following URL sequences will be denied: .., ./, \, :, %%, &
[06-23-2008 - 00:35:58] The following Query String sequences will be denied:
[06-23-2008 - 00:35:58] The following rules are active: SQL Injection Raw

Here is an example SQL injection rule (a rule section that points at a deny-data section holding the strings to block):

[SQL Injection Raw]
; scan the entire raw request (URL, query string and headers); see the note on scan options below
ScanAllRaw=1
DenyDataSection=SQL Injection Raw Strings

[SQL Injection Raw Strings]
; each line is one string to deny; a ';' starts a comment
@          ; also catches @@
exec       ; also catches execute

One last thing to think about is which part of the request you'll choose to have scanned (URL, query string, headers, or all of the raw request). The example rule chooses ScanAllRaw.

Testing can help determine which characters to add to your custom rule. To see whether your rule is active and blocking requests, look in the URLScan logs. Also, if something is rejected, it will show up in your IIS logs as a request for /Rejected-By-UrlScan. Here are a couple of examples.

URLScan example log entry:
[06-24-2008 - 00:35:54] Client at Rule 'SQL Injection Raw' detected string '--' in the header strings. Request will be rejected. Site Instance='123456', Raw URL='/examplePage.aspx'

Example IIS log entry:
ex080624.log:2008-06-24 00:00:03 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+Creative+ZENcast+v2.00.13) http://example.com 404 0 2 1864 571 46

Log Parser query to detect and list rejected URLs (change the FROM clause to point at your own log file or site):
LogParser.exe -i:iisw3c "SELECT count(*) as hitCount, cs-uri-stem, cs-uri-query FROM <example.com> WHERE cs-uri-stem like '%Reject%' GROUP BY cs-uri-stem, cs-uri-query ORDER BY hitCount desc" -o:csv
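For anyone without Log Parser at hand, here is an added example (not from the original post or from Microsoft) that does the same aggregation in Python: it reads an IIS W3C log, takes the column layout from the log's own #Fields directive, and counts requests whose cs-uri-stem contains "Reject", grouped by stem and query. The log lines are constructed for the example.

```python
from collections import Counter

# Constructed sample of an IIS W3C log; two hits on the same rejected URL,
# one on another, and one ordinary request that must not be counted.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-06-24 00:00:03 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - Mozilla/4.0+(compatible;+MSIE+6.0) http://example.com 404 0 2 1864 571 46
2008-06-24 00:00:04 GET /examplePage.aspx id=5 80 - Mozilla/4.0+(compatible;+MSIE+6.0) http://example.com 200 0 0 1864 571 12
2008-06-24 00:00:09 GET /Rejected-By-UrlScan ~/examplePage.aspx 80 - Mozilla/4.0+(compatible;+MSIE+6.0) http://example.com 404 0 2 1864 571 40
2008-06-24 00:01:12 GET /Rejected-By-UrlScan ~/other.asp 80 - Mozilla/4.0+(compatible;+MSIE+6.0) - 404 0 2 1864 571 31
"""

def parse_w3c(text):
    """Yield one dict per record. The column names come from the most
    recent #Fields directive, so the layout follows the log, not a guess."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))

def rejected_hits(text, marker="Reject"):
    """Equivalent of the Log Parser query: count records whose cs-uri-stem
    contains `marker` (case-insensitive), grouped by stem and query, sorted
    by count descending. Returns a list of (count, stem, query)."""
    counts = Counter(
        (rec["cs-uri-stem"], rec["cs-uri-query"])
        for rec in parse_w3c(text)
        if marker.lower() in rec["cs-uri-stem"].lower()
    )
    return sorted(((n, stem, q) for (stem, q), n in counts.items()), reverse=True)

if __name__ == "__main__":
    for n, stem, q in rejected_hits(SAMPLE_LOG):
        print(f"{n:>5}  {stem}  {q}")
```

The query column (cs-uri-query) is where URLScan places the original URL it rejected, so grouping on it tells you which pages are being probed.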

Hope this helps,

Steve Schofield
Microsoft MVP – IIS
