Nazim's IIS Security Blog
All things security ...
Recent Posts
Update for WebDAV vulnerability on IIS 5.x and IIS 6
by naziml | 0 comments
We now have a security update available to address the WebDAV extension vulnerability reported earlier. All customers affected should apply the update even if they have mitigated the issue through a workaround. The background here is that we had...

Update Released for Dynamic IP Restrictions Beta
by naziml | 1 comment
We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are doing a significant amount of change for Beta 2, we wanted to unblock customers affected by this issue by releasing a patch. So here...
Tags: IIS7, Dynamic IP Restriction

WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0
by naziml | 1 comment
Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS reside on Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory contains...
Tags: IIS6, IIS7, IIS5X

Token Kidnapping fixed
by naziml | 2 comments
I had gone into a little detail about explaining token kidnapping in an earlier post. Despite all the difficulties involved in fixing this, MS has released a comprehensive patch that addresses all the issues in MS09-012. This was a monumental effort...

Script to lock down IIS paths
by naziml | 2 comments
In IIS 7 we have request filtering available to help with locking down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve it...

Script to install UrlScan v3.0 as a site filter.
by naziml | 23 comments
Although using WIX to create an MSI to do this task is a cleaner approach, it is too heavy duty for me. I do this often enough to warrant creating a script for it, so I thought I would share it out. To use it you would run: InstallUrlScanAtSite.js -siteid...

Token Kidnapping in Windows
by naziml | 50 comments
Microsoft has just released MS09-012 to address this issue in its entirety. Get further details here. You have probably heard about the Token Kidnapping vulnerability in Windows and read Microsoft's security advisory on it and are wondering why...

UrlScan v3.0 RTW Released
by naziml | 24 comments
About 2 months ago we released the beta for UrlScan v3.0 to address customer concerns with automated SQL injection attacks and we have been busy since refining it with the help of our customers, community and MVPs. You can download the bits at the links...
Tags: UrlScan, IIS6, IIS7

Using the new rules configuration in UrlScan v3.0 Beta (Part 2)
by naziml | 26 comments
Dissecting the SQL injection sample in the walkthrough
I will spend some time dissecting the SQL injection rule posted in the walkthrough for UrlScan. Before I do so, I want to re-iterate the fact that SQL injection is a web application issue, and hence...
Tags: UrlScan, IIS6, IIS7

UrlScan v3.0 filtering based on Request Entity
by naziml | 15 comments
While some folks are rejoicing, others are noticing the lack of scanning for the request entity. Why would we do that? The easy answer is that this is just not possible with an ISAPI filter. In IIS 5 and earlier, there is no API that would allow us to...
Tags: UrlScan, IIS6, IIS7

Using the new rules configuration in UrlScan v3.0 Beta (Part 1)
by naziml | 11 comments
If you haven't noticed already, UrlScan v3.0 Beta is out and it is the answer to all your prayers. Well, maybe not all, but it still is nifty. UrlScan 2.5 is widely used and is quite popular. There were a few minor issues with it that were all fixed for...
Tags: UrlScan, IIS6, IIS7

Interaction between URL Rewriter and Request Filtering Modules for IIS7
by naziml | 14 comments
I hope folks have noticed the TP for the URL Rewriter module. Download it and give it a try!
Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x86)
Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x64)
I have been playing around with it in my spare time to get...
Tags: RequestFiltering, IIS7

Using IPv6 with IIS7
by naziml | 29 comments
Besides the US government and certain Asian countries, IPv6 has not really caught on yet, especially here in the US. So how does IIS7 stack up as far as IPv6 support is concerned? Let's walk through the IIS7 feature set to evaluate this. For comparison...
Tags: IPv6, IIS7

SQL Injection Demo
by naziml | 34 comments
SQL injection seems to have faded from prominence lately and has become just a buzz word. To make things a little more real I put together a quick demo for it, to demonstrate that you don't necessarily have to go out of your way to make your web application...
Tags: SQL injection

Filtering SQL injection from Classic ASP
by naziml | 1,726 comments
SQL injection may be over a decade old, but even the best of us need a reminder once in a while. You should always validate input to your applications! There isn't a 'one size fits all' solution to sanitizing input, so I will attempt...