URLScan Help


aspdaddy

12:59 pm on Feb 26, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Does anyone know how to set a rule to apply only to the stuff after the '?' (the querystring, not the url)?

There is a particular reflected xss attack that's making my visitors with old browsers think they are on another site by circulating links with a script tag in the url that places a competitor logo over my logo using css.

I just want to add a rule to put the word script after the '?' character.

Ocean10000

4:12 pm on Feb 26, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Creating a Deny List of Query String Sequences


[Options]
UnescapeQueryString=1
[DenyQueryStringSequences]
<
>


This should block script tags in the url in both unescaped and escaped forms.

It does this by blocking the angle brackets from being allowed in the url string.

Reference
Common UrlScan Scenarios [learn.iis.net]
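As an added illustration (not part of the thread and not UrlScan's own code), here is a small model of how the posted [DenyQueryStringSequences] rule is evaluated, so you can check which request forms it catches before rolling it out. It assumes UrlScan's documented behaviour: deny lists are case-insensitive substring matches, the url part before '?' is checked only against DenyUrlSequences, and UnescapeQueryString=1 adds a second pass over the query string after a single percent-decode.

```python
from urllib.parse import unquote

# Constructed configuration mirroring the ini posted above; DenyUrlSequences is
# left empty on purpose, since the question was about the query string only.
CONFIG = {
    "UnescapeQueryString": True,
    "DenyQueryStringSequences": ["<", ">"],
    "DenyUrlSequences": [],
}


def matches_deny(value, sequences):
    """Case-insensitive substring check, the way UrlScan deny lists behave."""
    v = value.lower()
    return any(seq.lower() in v for seq in sequences)


def check_request(raw_url, config=CONFIG):
    """Return (allowed, reason) for a raw request url.

    The path (before '?') is compared against DenyUrlSequences; the query
    string (after '?') against DenyQueryStringSequences, both raw and, when
    UnescapeQueryString is on, after one percent-decode (%3C -> '<').
    """
    path, _, query = raw_url.partition("?")
    if matches_deny(path, config["DenyUrlSequences"]):
        return False, "DenyUrlSequences"
    candidates = [query]
    if config["UnescapeQueryString"]:
        candidates.append(unquote(query))
    for q in candidates:
        if matches_deny(q, config["DenyQueryStringSequences"]):
            return False, "DenyQueryStringSequences"
    return True, ""


# Constructed sample requests: a normal one, the plain and escaped script tag
# from the thread, a path containing '<' (untouched by the query rule), and a
# double-encoded form that a single decode pass does not reduce to '<'.
SAMPLE_URLS = [
    "/page.aspx?id=1",
    "/page.aspx?q=<script>",
    "/page.aspx?q=%3Cscript%3E",
    "/files/a<b.txt",
    "/page.aspx?q=%253Cscript%253E",
]


def summarize(urls=SAMPLE_URLS, config=CONFIG):
    """Map each url to True (allowed) or False (blocked) under the rule."""
    return {u: check_request(u, config)[0] for u in urls}
```

The last sample shows the limit of the rule as written: one decode turns %253C into %3C, not '<', so the query passes, which is worth knowing when reading the UrlScan log for misses.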

aspdaddy

5:54 pm on Mar 15, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are you good with this tool? If so, sticky me pls.

Ocean10000

7:03 pm on Mar 15, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What type of problems are you trying to handle with the URLScan tool? Did the previous post not help or work? Maybe the question can be answered here in public and the answers posted can help others in your situation.

aspdaddy

1:52 pm on Mar 18, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm just trying to understand it at a high level to apply some rules to different sites and apps.

I have various sites that allow uploads and access to uploaded files and don't have to hand all the different urls used, so am reactively adding exceptions as and when the logs show me.

Ideally I want to whitelist these urls from just the denied query strings, not the denied urls.

aspdaddy

2:50 pm on Mar 21, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What does the DenyDataSection do? Does it overrule DenyURLSequences and DenyQueryStrings or apply in addition?

Does 404 apply before or after URL Scan rules?


If Denied extensions includes .exe and AppliesTo only includes .aspx, will .exe files be blocked?

When do rule and option changes take effect?

Ocean10000

12:25 am on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



After doing a bit of research, "DenyDataSection" is a way to reuse rulesets in the ini file.

link [learn.iis.net]


[Options]
RuleList=MyAspRule,MyPhpRule

[MyAspRule]
AppliesTo=.asp, .aspx
DenyDataSection=MyRuleData
ScanURL=0
ScanAllRaw=1
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyPhpRule]
AppliesTo=.php
DenyDataSection=MyRuleData
ScanURL=1
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
DenyUnescapedPercent=1

[MyRuleData]
< ; Used by script injection attacks.
> ; Used by script injection attacks.
@ ; Used by script injection attacks.

Ocean10000

2:09 am on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Does 404 apply before or after URL Scan rules?


404 are applied after the URLScan is run.

Ocean10000

3:56 am on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Does it overrule DenyURLSequences and DenyQueryStrings or apply in addition?


I can't find any info on this. But my guess is it is in addition to the existing rules.

aspdaddy

4:23 pm on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks

I can't get that common data to work; it's not clear whether it applies to URL, Querystring, VERB, Form Data etc.

There doesn't seem to be much in the way of documentation. Do you know if it's been superseded by another tool?

Ocean10000

4:53 pm on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The common data will only work with the latest version, 3.51 I believe, of URLscan. If you have a previous version it will not work. Also, changes to the ini are only refreshed after restarting IIS completely.

Microsoft is pushing "Request Filtering" in IIS 7. I don't see any options for this to work in versions previous to this though.
Request Filtering [iis.net]

aspdaddy

8:48 pm on Mar 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That looks much better, but for my 2003 Servers I'll have to stick with URLScan for now.