IIS 6 SQL Injection Sanitation ISAPI Wildcard

Discussion in 'Databases' started by cgwp, Oct 9, 2008.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I am being hit with a SQL injection attack that I believe is coming in through BlogEngine 1.4.5 using SQL Server as the repository. Looking through their discussions, they recommend using the 'IIS 6 SQL Injection Sanitation ISAPI Wildcard' filter to block SQL injection attacks.

    1) Does anyone have any experience with the filter?
    2) Is it possible to install this filter on a DASP site?
    3) Does anyone have any other suggestions on how to block SQL Injection in BlogEngine? I know nothing about asp.net, so I haven't got a clue where to even start.

    Any help would be greatly appreciated.

    TIA

    marc
     
  2. OK, I understand, and kind of anticipated, DASP's position, although it was my understanding that the ISAPI filters were a common thing with IIS 6 and could be pointed to on a site by site basis.

    I've read the article that you are pointing to, and many others, as I had to rewrite/patch my own site to eliminate attacks (I was getting several thousand attempts per day at one point). Unfortunately, BlogEngine is a package that is easy enough to configure, but that I don't understand well enough to implement the same level of protection that I've put into my own site.

    So I guess I'm down to option 3 ... has anyone in this community put in manual filtering inside of BlogEngine 1.4.5?

    Thanks

    marc
     
  3. Hi,
    Go here: http://www.dscoduc.com/default.aspx
    Click on BlogEngine.NET, on the Right.
    Contact Chris about any questions you may have, he does very extensive work with that.
    Salute,
    Mark
     
  4. Bruce (DiscountASP.NET Staff)

    In general, we do not install 3rd-party ISAPI filters because they can potentially crash the whole IIS server.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  5. Marc
    I searched the Internet for this ISAPI and it looks like it needs to be installed on the web server. I can tell you that we do not install 3rd-party components, even if they are from Microsoft, unless we have fully tested them on the development server. Understandably, this is for reasons such as stability, security, and standardization.

    What I recommend is setting up validations and making sure that common characters or symbols that are used for SQL injection attacks are not passed to the server. Try reading this link that I found, which gives a really good overview on SQL injection and how to avoid such attacks. You may need to set up an account with them. This is a free membership. I found it to be a good site because it gives a lot of information and recommendations on MS SQL.
    http://www.sqlservercentral.com/articles/Security/updatedsqlinjection/2065/

    rcp
    DiscountASP.NET
    www.DiscountASP.NET
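The thread asks how to protect an ASP.NET application against SQL injection without a server-wide ISAPI filter, and the last reply recommends validating input before it reaches the database. The example below is added here and is not code from BlogEngine.NET, DiscountASP.NET, or any poster. It shows the application-side fix a defender would actually rely on: a parameterized SqlCommand, with an allow-list validator in front of it. The table and column names (Posts, Slug, Title, Body) and the slug format are assumptions for illustration only.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not BlogEngine.NET code. Table/column names are assumed.
public static class PostLookup
{
    // BEFORE: the user-supplied slug is pasted into the SQL text. A single
    // quote in the input closes the string literal early, so whatever follows
    // is parsed as SQL instead of data. This is the injection point.
    public static SqlCommand UnsafeLookup(string slug)
    {
        string sql = "SELECT Title, Body FROM Posts WHERE Slug = '" + slug + "'";
        return new SqlCommand(sql);
    }

    // AFTER: the SQL text is fixed at compile time and the slug travels as a
    // typed parameter value. The database never parses the input as SQL, so
    // quotes, comment markers or keywords in it cannot change the statement.
    public static SqlCommand SafeLookup(string slug)
    {
        var cmd = new SqlCommand("SELECT Title, Body FROM Posts WHERE Slug = @slug");
        cmd.Parameters.Add("@slug", SqlDbType.NVarChar, 255).Value = slug;
        return cmd;
    }

    // Allow-list validation on top of parameters (assumed slug format):
    // only lowercase letters, digits and hyphens, 1 to 100 characters.
    // Rejecting everything else up front is safer than trying to enumerate
    // "bad" characters, which is what a blacklist filter attempts.
    private static readonly Regex SlugPattern =
        new Regex("^[a-z0-9-]{1,100}$", RegexOptions.Compiled);

    public static bool IsValidSlug(string slug)
    {
        return slug != null && SlugPattern.IsMatch(slug);
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate-looking value that happens to
        // contain an apostrophe, which is enough to break the concatenated query.
        string input = "o'reilly-post";

        Console.WriteLine("Concatenated : " + UnsafeLookup(input).CommandText);

        SqlCommand safe = SafeLookup(input);
        Console.WriteLine("Parameterized: " + safe.CommandText
            + "   [@slug = " + safe.Parameters["@slug"].Value + "]");

        Console.WriteLine("IsValidSlug(\"" + input + "\")       : " + IsValidSlug(input));
        Console.WriteLine("IsValidSlug(\"my-first-post\") : " + IsValidSlug("my-first-post"));

        // To execute for real, attach an opened connection (placeholder string):
        // safe.Connection = new SqlConnection("<your-connection-string>");
        // safe.Connection.Open();
        // using (SqlDataReader r = safe.ExecuteReader()) { ... }
    }
}
```

Running Main prints the concatenated statement with an unbalanced quote, while the parameterized statement's text is unchanged and the apostrophe is carried only in the parameter value. The validator rejects the apostrophe input and accepts a plain slug. The point for the thread: character filtering alone, as the last reply suggests, both misses encodings it did not anticipate and rejects legitimate values such as names with apostrophes; parameterized queries remove the injection point regardless of what the input contains, and validation then only has to enforce the application's own format rules.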
     