SQL Injections
With the recent rise of SQL injection attacks we've started looking at ways to prevent them at the server level. We host a lot of sites that we did not create or maintain, and a lot of our customers look to us when issues like this arise.
These attacks hide their payloads as hex, using SQL's CAST() function to turn the hex back into a statement. In the IIS logs you see something like this:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300...%20AS%20NVARCHAR(4000));EXEC(@S);
After thinking about the problem we found a pretty simple solution that, so far, has worked well. We needed a way to intercept the URLs that pass in the hex code so we could deny access to the page. IIS lacks a simple URL rewrite engine like Apache's mod_rewrite, so we had to look for a third-party tool.
We found a solution in Helicon Tech's ISAPI_Rewrite. This is a commercial product that comes with a free Lite version. The Lite version doesn't allow per-site rules, but in this case you probably want to protect all the sites with one global rule anyway. There are other very useful things ISAPI_Rewrite can do (SSL redirects, for one) and the paid version is well worth the $99.
Once ISAPI_Rewrite is installed you can simply add this rule to the configuration. This rule blocks any request whose query string contains a CAST( or EXEC( function call, matched case-insensitively. These should never show up in an HTTP GET.
RewriteCond %{QUERY_STRING} (exec.*\()|(cast.*\() [NC]
RewriteRule .? - [F,L]
When a request matches this rule IIS returns a 403 Forbidden error to the client. Note that this rule only inspects the query string, so it will not protect against SQL injections that use the HTTP POST method (forms). Those require proper validation in the code.
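To see what the rule above actually catches, and what it would catch by mistake, here is an added Python example (not part of the original post or of ISAPI_Rewrite) that applies the same `(exec.*\()|(cast.*\()` pattern to constructed query strings and decodes the hex blob inside CAST(0x... AS NVARCHAR) back to readable text. It percent-decodes the query string before matching, which is an assumption beyond the rule as written (the rule tests the raw QUERY_STRING); the sample strings and the hex blob are constructed, not real log data.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Python equivalent of the RewriteCond pattern above, case-insensitive like [NC]
INJECTION_PATTERN = re.compile(r"(exec.*\()|(cast.*\()", re.IGNORECASE)

# The hex literal handed to CAST(...), e.g. CAST(0x4400... AS NVARCHAR(4000))
HEX_LITERAL = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)", re.IGNORECASE)


def is_blocked(query_string: str) -> bool:
    """True if the rewrite rule would answer 403 for this query string.

    Assumption: we percent-decode first, so %28 / %29 parentheses match too.
    """
    return INJECTION_PATTERN.search(unquote(query_string)) is not None


def decode_cast_payload(query_string: str) -> Optional[str]:
    """Turn the hex blob inside CAST(0x... AS NVARCHAR) back into text.

    NVARCHAR is UTF-16LE, which is why the log sample reads 0x440045004300...
    (D, E, C with a zero high byte after each letter).
    """
    match = HEX_LITERAL.search(unquote(query_string))
    if not match:
        return None
    return bytes.fromhex(match.group(1)).decode("utf-16-le", errors="replace")


# Constructed samples (not real traffic). The hex blob is the UTF-16LE
# encoding of a harmless placeholder statement.
SAMPLE_HEX = "SELECT 1".encode("utf-16-le").hex()
SAMPLES = {
    "benign": "id=42&page=2",
    "hex_cast": "id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                + SAMPLE_HEX + "%20AS%20NVARCHAR(4000));EXEC(@S);",
    "encoded_paren": "id=1%3BEXEC%28%27x%27%29",
    # Ordinary search text also matches: "exec" ... "(" is a loose pattern.
    "false_positive": "q=executive%20summary%20(2008)",
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the rule would block it."""
    return {name: is_blocked(qs) for name, qs in samples.items()}


if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:15s} blocked={is_blocked(qs)} payload={decode_cast_payload(qs)!r}")
```

The `false_positive` sample shows the cost of the loose `exec.*\(` pattern: a legitimate search term containing "exec" and a later parenthesis is also refused, so check your own logs for such hits before rolling the rule out globally.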
