IIS 6 SQL Injection Sanitation ISAPI Wildcard at Codeplex
Rodney Viana 2007-12-09, 7:20 pm
IIS 6 SQL Injection Sanitation ISAPI Wildcard at
http://www.codeplex.com/IIS6SQLInjection
I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0
which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
support ISAPI Wildcard.
Cheers,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL
David Wang 2007-12-10, 7:19 pm
On Dec 9, 1:53 pm, Rodney Viana
<RodneyVi...@discussions.microsoft.com> wrote:
> IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection
>
> I created an ISAPI dll application to prevent SQL Injection attempts by
> intercepting the HTTP requests and sanitizing both GET and POST variables (or
> any combination of both) before the request reaches the intended code. This
> is especially useful for legacy applications not designed to deal with MS SQL
> Server Injection attempts. Though this application was designed with MS SQL
> Server in mind, it can be used with no or minimal changes with other database
> engines.
>
> This ISAPI is only compatible with Internet Information Server (IIS) 6.0
> which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
> support ISAPI Wildcard.
>
> Cheers,
> --
> Rodney Viana, PMP
> MCSE+I MCDBA MCST MOSS, SQL
Actually, IIS5's core request processing engine does support Wildcard
Application Mapping. It just does not support HSE_REQ_EXEC_URL which
is what allows one to "continue the request".
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Rodney Viana 2007-12-10, 7:19 pm
Hi David,
I did not know IIS 5 could deal with ISAPI wildcard. Thanks for the
heads-up. But this wildcard (as many others) relies on HSE_REQ_EXEC_URL. So,
it cannot run on IIS 5 anyway.
I would also like to let you know that your blog was very important when I
was researching for this application. Not many people talk about ISAPI
development.
Take care,
--
Rodney Viana, PMP
MCSE+I MCDBA MCST MOSS, SQL
"David Wang" wrote:
> On Dec 9, 1:53 pm, Rodney Viana
> <RodneyVi...@discussions.microsoft.com> wrote:
>
>
> Actually, IIS5's core request processing engine does support Wildcard
> Application Mapping. It just does not support HSE_REQ_EXEC_URL which
> is what allows one to "continue the request".
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>