UrlScan 3.0 Aims To Block SQL Injection Attacks

Microsoft has released an improved security filter for its Internet Information Services (IIS) Web server that is designed to help thwart SQL injection attacks. The free application, called UrlScan 3.0 (Release-to-Web version), is an add-on tool to IIS that provides real-time verification of HTTP server requests, potentially blocking malicious code.

SQL injection attacks have become worldwide problem in the last eight months or so. They affect Web sites built using Microsoft's widespread ASP or ASP.NET code, or code enabling dynamic Web sites.

In June, Microsoft issued Security Advisory 954462, explaining that the SQL injection attack problem did not lie with SQL Server per se. Rather, poor security practices in Web applications are to blame, company officials explained.

A SQL injection attack is a direct attack on SQL Server by means of malicious code in a query string, which is passed to SQL Server through an Internet application. If the right safeguards are not in place, the code could be executed by Microsoft SQL Server, causing havoc on the Web site's back end.

UrlScan has been available for about five years, but Microsoft added some new features in Version 3.0. Perhaps the most important improvement is that UrlScan 3.0 provides support for query string scanning.

For technical reasons, previous versions of UrlScan did not examine the query string in the server request. Instead, UrlScan Version 2.5 blocked server requests based on aspects such as URL string length, according to Wade Hilmo, Microsoft's senior development lead on the IIS product team, the team that wrote UrlScan.

"In [UrlScan] 3.0, we added the ability to do filtering based on the query string, in addition to the URL," Hilmo said. "We also added the ability to create more granular rules that can be targeted to specific types of requests. For example, you can write a rule that only applies to ASP pages or PHP pages, which is something you would never be able to do in UrlScan 2.5."

Another improvement for developers is the ability to specify a safe list of URLs and query strings that can bypass UrlScan checks. In addition, Version 3.0 uses W3C-formatted logs for ease of analysis.

Version 3.0 of UrlScan is compatible with the configuration files administrators used with Version 2.5, so those settings are retained on an upgrade to a production server. Microsoft also added support for 64-bit IIS processes with this version.

Those using Microsoft's latest Web server, IIS 7.0, already have UrlScan 2.5 features built into a component of IIS called the Request Filter, Hilmo said. Microsoft plans to update IIS 7 in the future to add the new features in UrlScan 3.0 to IIS 7.0, according to Hilmo's blog.

UrlScan 3.0 is by no means a Web security cure all. Hilmo described it as a "stopgap measure" that can be used to protect the server. Security ultimately needs to be enforced in the Web application itself.

"Really the application running on the server is the only piece of code that actually knows what the SQL query is intended to do," Hilmo explained. "So the fix for the root cause is for application developers to go in and do the validation and make sure that the SQL data that they are sending to the SQL Server is what they intend."

He pointed people to Microsoft's articles on best practices for Web application development to learn how to guard against attacks.

A couple of resources are available on the Microsoft Developer Network Web site:

For a relatively short list of blog resources on preventing SQL injection problems, go here.

UrlScan 3.0 is available in 32-bit (x86) and 64-bit (x64) versions.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.

Featured

  • minimalist digital network with glowing interconnected lines and nodes

    Integration Brings Cerebras Inference Capabilities to Hugging Face Hub

    AI hardware company Cerebras has teamed up with Hugging Face, the open source platform and community for machine learning, to integrate its inference capabilities into the Hugging Face Hub.

  • Abstract geometric shapes including hexagons, circles, and triangles in blue, silver, and white

    Google Launches Its Most Advanced AI Model Yet

    Google has introduced Gemini 2.5 Pro Experimental, a new artificial intelligence model designed to reason through problems before delivering answers, a shift that marks a major leap in AI capability, according to the company.

  • illustration of a futuristic building labeled "AI & Innovation," featuring circuit board patterns and an AI brain motif, surrounded by geometric trees and a simplified sky

    Cal Poly Pomona Launches AI and Innovation Center

    In an effort to advance AI innovation, foster community engagement, and prepare students for careers in STEM fields and business, California State Polytechnic University, Pomona has teamed up with AI, cloud, and advisory services provider Avanade to launch a new Avanade AI & Innovation Center.

  • chart with ascending bars and two silhouetted figures observing it, set against a light background with blue and purple tones

    Report: Enterprises Embracing Agentic AI

    According to research by SnapLogic, 50% of enterprises are already deploying AI agents, and another 32% plan to do so within the next 12 months..