Using SPF to protect against SQL Injection worms

Source: Internet
Author: User
Tags: classic asp

When SPF was first released last month, I knew it was a great protection mechanism to thwart attacks against applications running on IIS. What I didn't realize was that the most urgent gap it fills is that of thwarting SQL injection worms.

Microsoft has pitched URLScan v3 as a band-aid solution to protect classic ASP and ASP.NET applications against SQL injection worm attacks. The reality is that URLScan's ability to protect against application-level attacks is quite limited. Specifically, URLScan cannot analyze POST data and lacks support for regular expressions. Combined with the inability to include or exclude specific URLs, this leaves users unable to adequately protect their vulnerable applications; with URLScan it is, unfortunately, an all-or-nothing approach.

SPF overcomes both of these shortcomings. Unlike URLScan, SPF is specifically designed to thwart application-level attacks. URLScan was originally designed to protect IIS web servers from the onslaught of web server attacks that surfaced shortly after the turn of the millennium (e.g. Code Red, Nimda). URLScan is very effective as a server-level protection mechanism; it simply was not designed to be an application-level protection mechanism.

Last week, an updated beta of SPF was released which has been significantly optimized for performance in black-list-only configuration mode. I have come up with the following sample configuration, which can be used to protect IIS 6 applications from SQL injection attacks (applications hosted on IIS 7 can also use this configuration). Keep in mind that these patterns are designed to prevent false-positive hits while still allowing most sites to function; using blanket deny rules against strings like "exec", for example, won't work in most real-world situations (strings like this occur far too often in free-text submissions). I experienced this first-hand when attempting to implement URLScan on a customer website using the sample SQL injection rules published on the IIS.net security blog.

The black-list only sample configuration for SPF is shown below:

<spfConfig logDirectory="c:\temp\logs"
           protectForm="false" protectUri="false" protectQueryString="false"
           protectCookie="false" protectMode="Active" defaultUrl="/default.asp">
  <!-- Only requests for these extensions are inspected. -->
  <protectedFileExtensions>
    <add extension=".asp" />
    <add extension=".aspx" />
  </protectedFileExtensions>
  <!-- Patterns are case-insensitive and are matched against decoded request data.
       The regex metacharacters * . and ( must be backslash-escaped: an unescaped
       ".." matches any two characters (blocking every request) and a bare "*"
       is rejected by the regex engine. -->
  <blackListPatterns>
    <add patternRegex="(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)\s+.*\s+(from|into|table|database|index|view|set)" applyTo="all" />
    <add patternRegex="'?\s+OR\s.+=" applyTo="all" />
    <add patternRegex="(--|;|\*|@@|0x|DECLARE|\.\.|\.dbo\.)" applyTo="all" />
    <add patternRegex="(CAST|EXEC|CHAR)(%|\()" applyTo="all" />
    <add patternRegex="(s|x)p_" applyTo="all" />
  </blackListPatterns>
</spfConfig>

If anyone has any additional ideas on good SQL attack patterns to look for, feel free to share your thoughts. Keep in mind that SPF blacklist patterns are not case-sensitive and are applied to decoded request data. As always, this is not intended to be a permanent solution for SQL injection (as opposed to fixing your code); however, it certainly raises the bar for attackers and will buy you some time to implement the proper fix.
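To exercise the black-list above offline, here is an added example that re-implements its matching stage in Python. It is not SPF's own code; it assumes the five patterns from the configuration (with the regex escapes restored), that SPF's case-insensitive matching and URL decoding are approximated by Python's re.IGNORECASE and a single unquote_plus pass, and that the .NET and Python regex engines agree on this simple subset. The sample requests are constructed, not captured traffic; the "worm" one only imitates the shape of the DECLARE/CAST/EXEC payloads these rules target.

```python
import re
from urllib.parse import unquote_plus

# Added example (not SPF's own code): the black-list rules from the sample
# SPF configuration, one entry per <add patternRegex=... /> element.
BLACKLIST_PATTERNS = [
    r"(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)\s+.*\s+(from|into|table|database|index|view|set)",
    r"'?\s+OR\s.+=",
    r"(--|;|\*|@@|0x|DECLARE|\.\.|\.dbo\.)",
    r"(CAST|EXEC|CHAR)(%|\()",
    r"(s|x)p_",
]


def compile_patterns(patterns):
    """Compile case-insensitively, as SPF does. Returns (compiled, errors);
    errors lists (pattern, message) for anything the engine rejects, so a
    mistyped rule is caught before it is deployed."""
    compiled, errors = [], []
    for p in patterns:
        try:
            compiled.append(re.compile(p, re.IGNORECASE))
        except re.error as e:
            errors.append((p, str(e)))
    return compiled, errors


COMPILED, COMPILE_ERRORS = compile_patterns(BLACKLIST_PATTERNS)


def matching_rules(raw_value, compiled=None):
    """Indices of the black-list rules that hit one parameter value.
    The value is URL-decoded first because SPF matches decoded data.
    Assumption: a single decoding pass (see the double-encoded sample)."""
    rules = COMPILED if compiled is None else compiled
    decoded = unquote_plus(raw_value)
    return {i for i, rx in enumerate(rules) if rx.search(decoded)}


def inspect_request(params):
    """params maps field name -> raw value from the form, query string or
    cookie. Returns {field: set_of_rule_indices} for every field that would
    be blocked; an empty dict means the request passes the black list."""
    blocked = {}
    for field, raw in params.items():
        hits = matching_rules(raw)
        if hits:
            blocked[field] = hits
    return blocked


def benign_false_positives(compiled, benign_values):
    """Regression check for a rule set: every benign value that trips a rule.
    Run this over real free-text submissions before adding a new pattern."""
    return [(v, matching_rules(v, compiled)) for v in benign_values
            if matching_rules(v, compiled)]


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Shape of the hex-encoded DECLARE/CAST/EXEC payloads these rules target.
    "worm": {"id": "1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x44454"
                   "34C415245%20AS%20VARCHAR(4000));EXEC(@S);"},
    # Classic tautology.
    "tautology": {"user": "admin'+OR+1=1"},
    # Keyword hidden behind URL encoding; matching after decoding catches it.
    "encoded": {"q": "%53%45%4C%45%43%54+*+FROM+users"},
    # Same payload double-encoded: one decoding pass leaves it unmatched.
    "double_encoded": {"q": "%2553ELECT%2520%252A%2520FROM%2520users"},
    # Ordinary free text using "exec" and "select" as English words.
    "benign": {"comment": "Please+exec+the+refund+and+select+a+new+date."},
}

# The blanket rule the text warns against, for comparison.
NAIVE_EXEC, _ = compile_patterns([r"exec"])

if __name__ == "__main__":
    assert not COMPILE_ERRORS, COMPILE_ERRORS
    for name, params in SAMPLES.items():
        print(f"{name:15s} -> {inspect_request(params) or 'pass'}")
    print("naive 'exec' rule on benign text:",
          matching_rules(SAMPLES["benign"]["comment"], NAIVE_EXEC))
```

The benign comment passes the page's rules but is blocked by the blanket "exec" rule, which is the false-positive trade-off the text describes. The double-encoded sample shows the caveat that matters when you rely on "decoded request data": whether the filter decodes once or repeatedly decides whether %2553ELECT is seen as SELECT, so test that against the deployed filter rather than assuming it.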
