I'm wondering if it is possible to block SQL Injection Attacks on an ASP.Net login form using IIS Request Filtering?
Basically we have a legacy ASP.Net application that we don't have all the source code to, and it has been detected through a penetration test that it is vulnerable to Injection Attacks.
I've already put in place the following Request Filtering Rule to block injection attacks from query strings, but I'm still trying to figure out how to block this type of attack from the text fields on the login page.
<requestFiltering>
<filteringRules>
<filteringRule name="SQLInjectionQuery" scanUrl="false" scanQueryString="true">
<appliesTo>
<clear />
<add fileExtension=".aspx" />
</appliesTo>
<denyStrings>
<clear />
<add string="--" />
<add string=";" />
<add string="/*" />
<add string="@" />
<add string="char" />
<add string="alter" />
<add string="begin" />
<add string="cast" />
<add string="create" />
<add string="cursor" />
<add string="declare" />
<add string="delete" />
<add string="drop" />
<add string="end" />
<add string="exec" />
<add string="fetch" />
<add string="insert" />
<add string="kill" />
<add string="open" />
<add string="select" />
<add string="sys" />
<add string="table" />
<add string="update" />
<add string="waitfor" />
<add string="delay" />
</denyStrings>
<scanHeaders>
<clear />
</scanHeaders>
</filteringRule>
</filteringRules>
</requestFiltering>
I tried adding scanAllRaw="true" to the filteringRule element, but it didn't give the desired result. I was still able to run a username' WAITFOR DELAY '0:0:10'-- attack to detect the vulnerability.
I know that the best way to fix this is through the code, but much of the bad code is packaged into a dll that we don't have the source code to, so at the moment I'm trying to find an alternate way to fix this.
Any suggestion are appreciated
