mohsenMJ-8783 asked BruceZhang-MSFT answered

How to prevent SQL Injection attacks by the Request Filtering?

Hello,
I want to block SQL Injection attacks with Request Filtering, and I found the https://blogs.iis.net/peterviola/blocking-sql-injection-with-iis-request-filtering website. How can I get a list of the names below?

[attached image: image-thumb1.png]
Thank you.

windows-server-iis-security

1 Answer

BruceZhang-MSFT answered

Hi @mohsenMJ-8783 ,

You can manually add rules in IIS Manager according to the rules in the image.

  • Click the Rules section in the Request Filtering module.

  • Click Add Filtering Rule... on the right.

  • Enter a rule like the image below:

However, the rules in the image are incomplete; you may miss some of them. The Microsoft documentation shows a complete list of filters to prevent SQL injection. The list is not the same as the one in the image, but it is just as effective. You can copy it to the web.config or applicationhost.config file.

 <requestFiltering>
    <filteringRules>
       <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
          <appliesTo>
             <clear />
             <add fileExtension=".asp" />
             <add fileExtension=".aspx" />
             <add fileExtension=".php" />
          </appliesTo>
          <denyStrings>
             <clear />
             <add string="--" />
             <add string=";" />
             <add string="/*" />
             <add string="@" />
             <add string="char" />
             <add string="alter" />
             <add string="begin" />
             <add string="cast" />
             <add string="create" />
             <add string="cursor" />
             <add string="declare" />
             <add string="delete" />
             <add string="drop" />
             <add string="end" />
             <add string="exec" />
             <add string="fetch" />
             <add string="insert" />
             <add string="kill" />
             <add string="open" />
             <add string="select" />
             <add string="sys" />
             <add string="table" />
             <add string="update" />
          </denyStrings>
          <scanHeaders>
             <clear />
          </scanHeaders>
       </filteringRule>
    </filteringRules>
 </requestFiltering>



If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Best regards,
Bruce Zhang


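As an added illustration (not code from the answer, the linked blog or Microsoft), the following Python script parses a filteringRule like the one posted above and replays it against constructed sample URLs, showing both the intended hits and the false positives that plain substring deny strings such as "open" and "table" produce on ordinary requests. It assumes IIS matches deny strings as case-insensitive substrings of the query string and applies the rule only to the appliesTo extensions.

```python
"""Model of the IIS Request Filtering rule posted in the answer above. Assumed, not
from the page: deny strings match as case-insensitive substrings of the query
string; the rule runs only for paths ending in an appliesTo extension."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Inline copy of the answer's rule, keeping a subset of its deny strings.
RULE_XML = """<requestFiltering><filteringRules>
 <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">
  <appliesTo><clear /><add fileExtension=".asp" /><add fileExtension=".aspx" />
   <add fileExtension=".php" /></appliesTo>
  <denyStrings><clear /><add string="--" /><add string=";" /><add string="/*" />
   <add string="select" /><add string="open" /><add string="table" /></denyStrings>
 </filteringRule></filteringRules></requestFiltering>"""

def load_rules(xml_text):
    """Parse every <filteringRule> into a dict the evaluator understands."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("filteringRule"):
        rules.append({
            "name": rule.get("name"),
            "scan_url": rule.get("scanUrl") == "true",
            "scan_query": rule.get("scanQueryString") == "true",
            "extensions": {a.get("fileExtension").lower()
                           for a in rule.find("appliesTo").iter("add")},
            "deny": [a.get("string").lower()
                     for a in rule.find("denyStrings").iter("add")]})
    return rules

def evaluate(url, rules):
    """Return (rule name, deny string) for the first hit, or None if allowed."""
    parts = urlsplit(url)
    path, query = parts.path.lower(), parts.query.lower()
    for rule in rules:
        if not any(path.endswith(ext) for ext in rule["extensions"]):
            continue  # appliesTo: requests for other extensions are never scanned
        scanned = ([path] if rule["scan_url"] else []) + ([query] if rule["scan_query"] else [])
        for text in scanned:
            for s in rule["deny"]:
                if s in text:
                    return rule["name"], s
    return None
if __name__ == "__main__":
    rules = load_rules(RULE_XML)
    for u in ("/login.aspx?id=1--",             # blocked by "--"
              "/faq.aspx?topic=opening+hours",  # legitimate, blocked by "open"
              "/shop.php?item=tablet",          # legitimate, blocked by "table"
              "/shop.php?item=laptop",          # allowed
              "/docs/readme.txt?q=select"):     # .txt not in appliesTo: allowed
        print(f"{u:32} -> {evaluate(u, rules)}")
```

Because these are bare substring matches, such a rule is a coarse defence-in-depth layer that also blocks harmless words; parameterised queries in the application remain the primary control.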