Does urlscan ignore the rest of the querystring after "?" and if so, is there
a way to get it to process the entire querystring? I can include invalid
characters in the querystring after the ? and urlscan allows them - sql
injection becomes quite a problem then : )

Re: urlscan and items after ? by Tiago

Tiago
Thu Jul 14 18:11:26 CDT 2005

KodeIT IISShield - Application Layer Firewall - filters the QueryString and
much more.
You can find a detailed comparison of both products at:
http://www.kodeit.org/products/iisshield/compare.htm

Latest version 1.0.4, is only compatible up to IIS5, or IIS6 in "IIS5
Isolation Mode".
The IIS6 version will be available soon.

Tiago Halm
KodeIT Development Team
http://www.kodeit.org


"Adam" <adamtuliper@online.nospam> wrote in message
news:673438F1-2D6B-4654-8ACD-24AB29D5C407@microsoft.com...
> Does urlscan ignore the rest of the querystring after "?" and if so, is there
> a way to get it to process the entire querystring? I can include invalid
> characters in the querystring after the ? and urlscan allows them - sql
> injection becomes quite a problem then : )
>



RE: urlscan and items after ? by v-wdxu

v-wdxu
Thu Jul 14 21:05:00 CDT 2005

Hi,

For detecting the URL-based attack, we could specify this in the section
[DenyUrlSequences] of the URLScan.INI file. If the string configured in the
urlscan.ini is found in the URL, 404 will be sent back to the client. So
for retrieving valid url querystring, you will need to set the limited
string very carefully. This KB article will introduce more information on
these for you:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444#XSLTH4246121123120121120

Please feel free to let me know if you have any question. It is my pleasure
to be of any assistance.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.



RE: urlscan and items after ? by adamtuliper

adamtuliper
Thu Jul 14 22:16:02 CDT 2005

Hmm... I'm not sure this works as you described it. I found a posting on the
net where someone described that urlscan stops at the "?". My testing shows this.
It's possible I have something misconfigured but I've tried this for ex:

1. http://localhost/b%32ip/something.aspx
2. http://localhost/bip/something.aspx?b%32ip
#1 fails as expected, #2 is completely ignored by urlscan. I have %32 for
ex. configured to deny that sequence.. so it obviously works some of the time.

So back at square 1. I wrote a filter today to handle it.. but have to think
I'm configuring something incorrectly - I'd find it hard to believe urlscan
wouldn't do something simple like this, but my tests aren't working as I had
hoped.


"Wei-Dong XU [MSFT]" wrote:

> Hi,
>
> For detecting the URL-based attack, we could specify this in the section
> [DenyUrlSequences] of the URLScan.INI file. If the string configured in the
> urlscan.ini is found in the URL, 404 will be sent back to the client. So
> for retrieving valid url querystring, you will need to set the limited
> string very carefully. This KB article will introduce more information on
> these for you:
> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444#XSLTH4246121123120121120
>
> Please feel free to let me know if you have any question. It is my pleasure
> to be of any assistance.
>
> Best Regards,
> Wei-Dong XU
> Microsoft Product Support Services
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>

Re: urlscan and items after ? by David

David
Fri Jul 15 21:05:01 CDT 2005

Actually, URLScan intentionally ignores data after the ? (the querystring),
and it is by-design.

This is a pretty frequently asked question, and believe me, what you are
asking to do is NOT as simple as you think. You simply have a hack that only
works for some of the situations that you want to cover.

Yes, there are tools out there that allow you to scan the querystring, and
yes, you can write custom filters yourself, but the general problem of
"scanning querystring data" cannot be solved correctly 100% of the time.
Thus, URLScan does not even pretend to solve it, unlike other tools --
URLScan is a security tool, so when it says it can do something, it must be
100% correct.

I'm writing up a blog entry about this common misconception and will post
the URL link when I finish.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Adam" <adamtuliper@online.nospam> wrote in message
news:57DA0343-9933-4119-AD6C-127DA4B5066F@microsoft.com...
Hmm... I'm not sure this works as you described it. I found a posting on the
net where someone described that urlscan stops at the "?". My testing shows this.
It's possible I have something misconfigured but I've tried this for ex:

1. http://localhost/b%32ip/something.aspx
2. http://localhost/bip/something.aspx?b%32ip
#1 fails as expected, #2 is completely ignored by urlscan. I have %32 for
ex. configured to deny that sequence.. so it obviously works some of the
time.

So back at square 1. I wrote a filter today to handle it.. but have to think
I'm configuring something incorrectly - I'd find it hard to believe urlscan
wouldn't do something simple like this, but my tests aren't working as I had
hoped.


"Wei-Dong XU [MSFT]" wrote:

> Hi,
>
> For detecting the URL-based attack, we could specify this in the section
> [DenyUrlSequences] of the URLScan.INI file. If the string configured in the
> urlscan.ini is found in the URL, 404 will be sent back to the client. So
> for retrieving valid url querystring, you will need to set the limited
> string very carefully. This KB article will introduce more information on
> these for you:
> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444#XSLTH4246121123120121120
>
> Please feel free to let me know if you have any question. It is my pleasure
> to be of any assistance.
>
> Best Regards,
> Wei-Dong XU
> Microsoft Product Support Services
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
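As an added illustration (not code from this thread, from URLScan or from KodeIT), the following Python models the behaviour the posts describe: DenyUrlSequences is matched against the part of the URL before "?" only, and a whole-URL substring filter like the one the poster wrote reaches different verdicts for querystrings that the application decodes to the same value. The deny list and URLs are constructed from the poster's own test cases; URLScan's normalisation options are not modelled.

```python
import urllib.parse

# Constructed deny list modelled on the "%32" entry the poster says he
# configured; it is not URLScan's shipped DenyUrlSequences list.
DENY_SEQUENCES = ["%32", "..", "./"]


def urlscan_like_check(url: str, deny=DENY_SEQUENCES) -> bool:
    """Model of the DenyUrlSequences behaviour described in the thread:
    only the portion before '?' is compared, raw, against the list.
    Returns True when the request would be rejected with a 404."""
    path = url.split("?", 1)[0]
    return any(seq in path for seq in deny)


def naive_querystring_check(url: str, deny=DENY_SEQUENCES) -> bool:
    """What a 'scan the whole URL' custom filter does: the same raw
    substring match over path and querystring together."""
    return any(seq in url for seq in deny)


def app_sees(url: str) -> dict:
    """The decoded parameters the application actually receives; this is
    the layer where parameterised queries and input validation belong."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query, keep_blank_values=True)


def filter_is_consistent(url_a: str, url_b: str) -> bool:
    """True when the naive filter gives the same verdict for two URLs the
    application decodes identically. False is the gap David describes:
    the filter and the application disagree about what the request holds."""
    same_for_app = app_sees(url_a) == app_sees(url_b)
    same_verdict = naive_querystring_check(url_a) == naive_querystring_check(url_b)
    return (not same_for_app) or same_verdict


if __name__ == "__main__":
    # The two requests from the thread: #1 is denied, #2 is ignored.
    print(urlscan_like_check("http://localhost/b%32ip/something.aspx"))
    print(urlscan_like_check("http://localhost/bip/something.aspx?b%32ip"))
    # Same decoded parameter value, different verdicts from the naive filter.
    print(filter_is_consistent("http://localhost/bip/something.aspx?q=b%32ip",
                               "http://localhost/bip/something.aspx?q=b2ip"))
```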



Re: urlscan and items after ? by David

David
Tue Jul 19 05:25:13 CDT 2005

http://blogs.msdn.com/david.wang/archive/2005/07/18/Why_URLScan_ignores_querystring_for_DenyUrlSequences.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uYGEX1aiFHA.1232@TK2MSFTNGP15.phx.gbl...
Actually, URLScan intentionally ignores data after the ? (the querystring),
and it is by-design.

This is a pretty frequently asked question, and believe me, what you are
asking to do is NOT as simple as you think. You simply have a hack that only
works for some of the situations that you want to cover.

Yes, there are tools out there that allow you to scan the querystring, and
yes, you can write custom filters yourself, but the general problem of
"scanning querystring data" cannot be solved correctly 100% of the time.
Thus, URLScan does not even pretend to solve it, unlike other tools --
URLScan is a security tool, so when it says it can do something, it must be
100% correct.

I'm writing up a blog entry about this common misconception and will post
the URL link when I finish.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Adam" <adamtuliper@online.nospam> wrote in message
news:57DA0343-9933-4119-AD6C-127DA4B5066F@microsoft.com...
Hmm... I'm not sure this works as you described it. I found a posting on the
net where someone described that urlscan stops at the "?". My testing shows this.
It's possible I have something misconfigured but I've tried this for ex:

1. http://localhost/b%32ip/something.aspx
2. http://localhost/bip/something.aspx?b%32ip
#1 fails as expected, #2 is completely ignored by urlscan. I have %32 for
ex. configured to deny that sequence.. so it obviously works some of the
time.

So back at square 1. I wrote a filter today to handle it.. but have to think
I'm configuring something incorrectly - I'd find it hard to believe urlscan
wouldn't do something simple like this, but my tests aren't working as I had
hoped.


"Wei-Dong XU [MSFT]" wrote:

> Hi,
>
> For detecting the URL-based attack, we could specify this in the section
> [DenyUrlSequences] of the URLScan.INI file. If the string configured in the
> urlscan.ini is found in the URL, 404 will be sent back to the client. So
> for retrieving valid url querystring, you will need to set the limited
> string very carefully. This KB article will introduce more information on
> these for you:
> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444#XSLTH4246121123120121120
>
> Please feel free to let me know if you have any question. It is my pleasure
> to be of any assistance.
>
> Best Regards,
> Wei-Dong XU
> Microsoft Product Support Services
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>