User1065476709 posted
Hi Gmajor,
I am currently working on resolving a Blind SQL vulnerability found on an IIS server hosting a web application.
You can block SQL Injection with IIS Request Filtering.
Configuring the Request Filter
To create a global filtering rule for SQL Injection:
- Open the applicationhost.config file in the following path:
%systemroot%\system32\inetsrv\config\applicationhost.config
- Search the applicationhost.config file for "<requestFiltering>" (without the quotes).
- Immediately under the <requestFiltering> tag, paste the following settings:
<filteringRules>
    <filteringRule name="SQLInjection" scanQueryString="true">
        <appliesTo>
            <add fileExtension=".asp" />
            <add fileExtension=".aspx" />
        </appliesTo>
        <denyStrings>
            <add string="--" />
            <add string=";" />
            <add string="/*" />
            <add string="@" />
            <add string="char" />
            <add string="alter" />
            <add string="begin" />
            <add string="cast" />
            <add string="create" />
            <add string="cursor" />
            <add string="declare" />
            <add string="delete" />
            <add string="drop" />
            <add string="end" />
            <add string="exec" />
            <add string="fetch" />
            <add string="insert" />
            <add string="kill" />
            <add string="open" />
            <add string="select" />
            <add string="sys" />
            <add string="table" />
            <add string="update" />
        </denyStrings>
    </filteringRule>
</filteringRules>
- Save the changes to applicationhost.config.
Best regards,
Sam
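The following script is an added example, not part of Sam's reply or of any Microsoft code. It builds the same `<filteringRule>` as XML, splices it under `<requestFiltering>` in a constructed stand-in for applicationhost.config, and then models how the denyStrings list behaves on sample query strings. The matching semantics are an assumption for illustration: case-insensitive substring matching against the URL-decoded query string, applied only to requests whose file extension is in `appliesTo` (the real IIS matcher also checks other decodings). The point a practitioner should take from it is that a blocklist of plain words such as `end`, `sys` and `table` fires on ordinary values like `calendar` or `sysadmin`, so the rule needs to be tested against the application's own legitimate traffic, and it is a perimeter mitigation rather than a replacement for parameterized queries in the application.

```python
"""Model of the IIS requestFiltering denyStrings rule from the post (added example)."""
import urllib.parse
import xml.etree.ElementTree as ET

# The deny list exactly as it appears in the post.
DENY_STRINGS = ["--", ";", "/*", "@", "char", "alter", "begin", "cast",
                "create", "cursor", "declare", "delete", "drop", "end",
                "exec", "fetch", "insert", "kill", "open", "select", "sys",
                "table", "update"]

APPLIES_TO = [".asp", ".aspx"]

# Constructed stand-in for the relevant part of applicationhost.config.
CONFIG_FRAGMENT = """<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="30000000" />
    </requestFiltering>
  </security>
</system.webServer>"""


def build_rule(name="SQLInjection", deny=DENY_STRINGS, extensions=APPLIES_TO):
    """Return a <filteringRules> element equivalent to the post's snippet."""
    rules = ET.Element("filteringRules")
    rule = ET.SubElement(rules, "filteringRule", name=name, scanQueryString="true")
    applies = ET.SubElement(rule, "appliesTo")
    for ext in extensions:
        ET.SubElement(applies, "add", fileExtension=ext)
    denies = ET.SubElement(rule, "denyStrings")
    for s in deny:
        ET.SubElement(denies, "add", string=s)
    return rules


def insert_rule(config_xml, rule):
    """Insert the rule as the first child of <requestFiltering>; return the new XML text."""
    root = ET.fromstring(config_xml)
    rf = root.find(".//requestFiltering")
    if rf is None:
        raise ValueError("no <requestFiltering> section found")
    rf.insert(0, rule)
    return ET.tostring(root, encoding="unicode")


def matching_deny_string(path, query, deny=DENY_STRINGS, extensions=APPLIES_TO):
    """Return the first deny string that fires, or None if the request passes.

    Assumed approximation of IIS: the rule applies only when the requested file
    extension is listed in appliesTo; matching is a case-insensitive substring
    test on the URL-decoded query string.
    """
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext not in extensions:
        return None
    decoded = urllib.parse.unquote_plus(query).lower()
    for s in deny:
        if s.lower() in decoded:
            return s
    return None


# Constructed sample requests: benign, suspicious, and benign-but-blocked.
SAMPLES = [
    ("/search.aspx", "q=shoes"),                       # passes
    ("/search.aspx", "q=shoes' OR 1=1 --"),            # hits "--"
    ("/calendar.aspx", "view=calendar&month=june"),    # "calendar" contains "end"
    ("/login.aspx", "user=sysadmin"),                  # "sysadmin" contains "sys"
    ("/report.aspx", "sort=tablename"),                # "tablename" contains "table"
    ("/api/data.php", "select=1"),                     # not .asp/.aspx, rule not applied
]


def evaluate(samples=SAMPLES):
    """Pair each sample request with the deny string it triggers (or None)."""
    return [(p, q, matching_deny_string(p, q)) for p, q in samples]


if __name__ == "__main__":
    print(insert_rule(CONFIG_FRAGMENT, build_rule()))
    for path, query, hit in evaluate():
        verdict = f"DENIED by {hit!r}" if hit else "allowed"
        print(f"{path}?{query!r:35} -> {verdict}")
```

Run it as-is to see the generated `<filteringRules>` block followed by one verdict per sample request. The three benign-but-blocked samples are the false positives to look for before enabling such a rule in production: every legitimate query-string value that contains one of the listed words will be rejected for `.asp` and `.aspx` requests.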