How to prevent SQL Injection attacks by the Request Filtering?

WindowsGeek 21 Reputation points
2021-09-14T06:34:30.363+00:00

Hello,
I want to block SQL injection attacks with Request Filtering and I found the https://blogs.iis.net/peterviola/blocking-sql-injection-with-iis-request-filtering website. How can I get a list of the names shown below?

[image: screenshot of the list of names referred to above]

Thank you.

Windows development Internet Information Services

4 answers

  1. Bruce Zhang-MSFT 3,771 Reputation points
    2021-09-15T03:06:35.707+00:00

    Hi @WindowsGeek ,

    You can manually add rules in IIS Manager according to the rules on the image.

    • Click the Rules section in the Request Filtering module.
    • Click Add Filtering Rule... on the right.
    • Enter the rule as shown in the image below (image not reproduced in the thread).

    However, the rules in the image are incomplete; you may be missing some of them. The Microsoft documentation shows a complete list of filters to prevent SQL injection. The list is not the same as the one in the image, but it is just as effective. You can copy it into the web.config or applicationHost.config file.

    <requestFiltering>
       <filteringRules>
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
             <appliesTo>
                <clear />
                <add fileExtension=".asp" />
                <add fileExtension=".aspx" />
                <add fileExtension=".php" />
             </appliesTo>
             <denyStrings>
                <clear />
                <add string="--" />
                <add string=";" />
                <add string="/*" />
                <add string="@" />
                <add string="char" />
                <add string="alter" />
                <add string="begin" />
                <add string="cast" />
                <add string="create" />
                <add string="cursor" />
                <add string="declare" />
                <add string="delete" />
                <add string="drop" />
                <add string="end" />
                <add string="exec" />
                <add string="fetch" />
                <add string="insert" />
                <add string="kill" />
                <add string="open" />
                <add string="select" />
                <add string="sys" />
                <add string="table" />
                <add string="update" />
             </denyStrings>
             <scanHeaders>
                <clear />
             </scanHeaders>
          </filteringRule>
       </filteringRules>
    </requestFiltering>


    Best regards,
    Bruce Zhang


  2. WindowsGeek 21 Reputation points
    2021-09-26T07:09:04.207+00:00

    Hello,
    Thank you for your useful information.
    1- In IIS Manager, I navigated to Request Filtering, clicked the "URL" tab, selected "Deny Sequence" and entered the names above. Is this method wrong?
    2- How can I find a list of those rules?


  3. WindowsGeek 21 Reputation points
    2021-09-28T05:58:57.38+00:00

    Hi,
    Thank you so much for your reply.
    1- If I added them to the URL tab, then what is the problem?
    2- How can I test it?

    Thank you.


  4. WindowsGeek 21 Reputation points
    2021-10-10T12:28:17.733+00:00

    Hello,
    Can I add the following characters to the "Deny Strings" section?

    '-'
    ' '
    '&'
    '^'
    '*'
    ' or ''-'
    ' or '' '
    ' or ''&'
    ' or ''^'
    ' or ''*'
    "-"
    " "
    "&"
    "^"
    "*"
    " or ""-"
    " or "" "
    " or ""&"
    " or ""^"
    " or ""*"
    or true--
    " or true--
    ' or true--
    ") or true--
    ') or true--
    ' or 'x'='x
    ') or ('x')=('x
    ')) or (('x'))=(('x
    " or "x"="x
    ") or ("x")=("x
    ")) or (("x"))=(("x
    or 1=1
    or 1=1--
    or 1=1#
    or 1=1/*
    admin' --
    admin' #
    admin'/*
    admin' or '1'='1
    admin' or '1'='1'--
    admin' or '1'='1'#
    admin' or '1'='1'/*
    admin'or 1=1 or ''='
    admin' or 1=1
    admin' or 1=1--
    admin' or 1=1#
    admin' or 1=1/*
    admin') or ('1'='1
    admin') or ('1'='1'--
    admin') or ('1'='1'#
    admin') or ('1'='1'/*
    admin') or '1'='1
    admin') or '1'='1'--
    admin') or '1'='1'#
    admin') or '1'='1'/*
    1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
    admin" --
    admin" #
    admin"/*
    admin" or "1"="1
    admin" or "1"="1"--
    admin" or "1"="1"#
    admin" or "1"="1"/*
    admin"or 1=1 or ""="
    admin" or 1=1
    admin" or 1=1--
    admin" or 1=1#
    admin" or 1=1/*
    admin") or ("1"="1
    admin") or ("1"="1"--
    admin") or ("1"="1"#
    admin") or ("1"="1"/*
    admin") or "1"="1
    admin") or "1"="1"--
    admin") or "1"="1"#
    admin") or "1"="1"/*
    1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

    Thank you.
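As an added example that is not code from this thread or from Microsoft, the Python model below parses the requestFiltering rule quoted in the first answer, applies the deny-string scan as an assumed case-insensitive substring match on the decoded query string, and reports which of the candidate strings from the last post (such as '-', ' ', '&', '*') would also reject ordinary requests. The scan semantics are an assumption stated in the comments, not IIS's exact engine; the point is that this filter is a coarse keyword denylist, so parameterized queries remain the actual SQL injection control.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, unquote_plus, urlsplit
# Constructed copy of the filteringRule quoted in the answer above (same denyStrings, same order).
CONFIG_XML = """<requestFiltering><filteringRules>
<filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
 <appliesTo><clear/><add fileExtension=".asp"/><add fileExtension=".aspx"/><add fileExtension=".php"/></appliesTo>
 <denyStrings><clear/><add string="--"/><add string=";"/><add string="/*"/><add string="@"/>
  <add string="char"/><add string="alter"/><add string="begin"/><add string="cast"/><add string="create"/>
  <add string="cursor"/><add string="declare"/><add string="delete"/><add string="drop"/><add string="end"/>
  <add string="exec"/><add string="fetch"/><add string="insert"/><add string="kill"/><add string="open"/>
  <add string="select"/><add string="sys"/><add string="table"/><add string="update"/></denyStrings>
</filteringRule></filteringRules></requestFiltering>"""

def load_rules(xml_text):
    """Parse requestFiltering XML into (name, scan_url, scan_query, extensions, deny_strings) tuples."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("filteringRule"):
        applies = rule.find("appliesTo")
        exts = {a.get("fileExtension").lower() for a in applies.iter("add")} if applies is not None else set()
        deny = [a.get("string").lower() for a in rule.find("denyStrings").iter("add")]
        rules.append((rule.get("name"), rule.get("scanUrl") == "true",
                      rule.get("scanQueryString") == "true", exts, deny))
    return rules

def check_request(rules, url):
    """Assumed model of the scan (not IIS's exact engine): case-insensitive substring match on the
    decoded path/query; empty appliesTo means all extensions. Returns (rule, matched string) or None."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for name, scan_url, scan_query, exts, deny in rules:
        if exts and ext not in exts:
            continue                                  # rule does not apply to this file type
        targets = ([unquote(parts.path).lower()] if scan_url else []) + \
                  ([unquote_plus(parts.query).lower()] if scan_query else [])
        for s in deny:                                # first deny string in config order wins
            if any(s in t for t in targets):
                return name, s
    return None

def false_positives(candidate_deny_strings, ordinary_queries):
    """Which candidate deny strings (e.g. '-', ' ', '&', '*') would also reject ordinary query strings."""
    hits = {}
    for s in candidate_deny_strings:
        blocked = [q for q in ordinary_queries if s.lower() in unquote_plus(q).lower()]
        if blocked:
            hits[s] = blocked
    return hits

RULES = load_rules(CONFIG_XML)
```

Running check_request on a request such as /search.aspx?q=open+table returns a match on "open", showing that the keyword list also rejects harmless input, while single-character candidates like a space or '-' would reject almost every real query string.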

