Nazim's IIS Security Blog Posts

UrlScan v3.0 RTW Released

About 2 months ago we released the beta for UrlScan v3.0 to address customer concerns with automated SQL injection attacks and we have been busy since refining it with the help of our customers, community and MVPs. You can download the bits at the links...

Using the new rules configuration in UrlScan v3.0 Beta (Part 2)

Dissecting the SQL injection sample in the walkthrough: I will spend some time dissecting the SQL injection rule posted in the walkthrough for UrlScan. Before I do so, I want to re-iterate the fact that SQL injection is a web application...

UrlScan v3.0 filtering based on Request Entity

While some folks are rejoicing, others are noticing the lack of scanning for the request entity. Why would we do that? The easy answer is that this is just not possible with an ISAPI filter. In IIS 5 and earlier, there is no API that would allow...

Using the new rules configuration in UrlScan v3.0 Beta (Part 1)

If you haven't noticed already, UrlScan v3.0 Beta is out and it is the answer to all your prayers. Well, maybe not all, but it still is nifty. UrlScan 2.5 is widely used and is quite popular. There were a few minor issues with it that were all fixed...

Interaction between URL Rewriter and Request Filtering Modules for IIS7

I hope folks have noticed the TP for the URL Rewriter module. Download it and give it a try! Downloads: Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x86), Microsoft URL Rewrite Module for IIS 7.0 CTP1 (x64). I have been playing around with it in my spare time...

Using IPv6 with IIS7

Besides the US government and certain Asian countries, IPv6 has not really caught on yet, especially here in the US. So how does IIS7 stack up as far as IPv6 support is concerned? Let's walk through the IIS7 feature set to evaluate this. For comparison...

SQL Injection Demo

SQL injection seems to have faded from prominence lately and has become just a buzzword. To make things a little more real I put together a quick demo for it, to demonstrate that you don't necessarily have to go out of your way to make your web application...

Filtering SQL injection from Classic ASP

SQL injection may be over a decade old, but even the best of us need a reminder once in a while. You should always validate input to your applications! There isn’t a ‘one size fits all’ solution to sanitizing input, so I will attempt...

About Me

I am the Security Engineer for the IIS team.
