Microsoft developed this tool specifically to deal with the increased number of SQL injection attacks against websites hosted on Windows server platforms. While version 3.0 of UrlScan handled the SQL injection attacks, it also left attackers room to vary their technique, and the filter backfired, becoming a threat to the administrators relying on it.
“Very recently, our internal security team brought it to our attention that they’d seen a new variation on the attacks. This new variation is trying to exploit a behavior in ASP’s parsing of the query string for the Request.QueryString function. Note that ASP.NET’s behavior in this area is different and ASP.NET applications are not vulnerable to this specific new technique,” Microsoft’s Wade Hilmo explained.
UrlScan 3.1 has now been released, bringing improved filter enhancements and security. Through UrlScan, administrators now have the option to block unescaped ‘%’ signs in requests being processed by web applications running on the server.
Wade Hilmo added that “it was possible for certain escape sequences to get past filtering rules. This has been fixed. Certain query string rules did not work properly on IIS 5.1. This has been fixed. The behavior of the [AlwaysAllowedUrls] section has been changed. In UrlScan 3.0, any URLs listed in that section were not subject to filtering of anything that applied specifically to the URL. Effective with UrlScan 3.1, any URLs in that section are not subject to any UrlScan rules. This means that adding a URL to this section will prevent query string or other rules from blocking the URL.”
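The three behaviours described above (escape sequences slipping past rules that only look at the raw query string, blocking a ‘%’ that is not a valid escape, and the changed meaning of [AlwaysAllowedUrls]) can be illustrated with a small model of a query-string filter. The following Python is an added example written for this article; it is not UrlScan’s code and does not read UrlScan.ini. The deny list, the sample requests, and the definition of “unescaped ‘%’” as a percent sign not followed by two hex digits are assumptions made for the illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed deny list, in the spirit of a [DenyQueryStringSequences]
# section; these are not UrlScan defaults.
DENY_QUERY_SEQUENCES = ["--", ";", "xp_", "declare"]

# Assumed definition of an "unescaped" percent sign: a '%' that does not
# start a valid %XX escape.
UNESCAPED_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def has_unescaped_percent(query: str) -> bool:
    """True if the query string contains a '%' that is not a valid escape."""
    return UNESCAPED_PERCENT.search(query) is not None


def matches_deny_sequence(query: str, unescape: bool = True) -> Optional[str]:
    """Return the first deny sequence found in the query, or None.

    With unescape=True the comparison runs on the percent-decoded query, so
    an encoded variant of a denied sequence is still caught. With
    unescape=False only the raw bytes are compared, which is the weakness
    the article describes: encoded sequences get past the rule.
    """
    haystack = (unquote(query) if unescape else query).lower()
    for seq in DENY_QUERY_SEQUENCES:
        if seq in haystack:
            return seq
    return None


def filter_request(path: str, query: str, always_allowed: List[str],
                   v31_semantics: bool = True) -> Tuple[bool, str]:
    """Decide whether a request passes. Returns (allowed, reason).

    v31_semantics=True models the 3.1 behaviour quoted above: a URL listed
    in always_allowed skips every rule. v31_semantics=False models 3.0,
    where only URL-specific rules were skipped and query-string rules
    still applied to the listed URL.
    """
    listed = path.lower() in {u.lower() for u in always_allowed}
    if listed and v31_semantics:
        return True, "AlwaysAllowedUrls: all rules skipped (3.1)"
    # Query-string rules. Under 3.0 semantics these still apply to listed URLs.
    if has_unescaped_percent(query):
        return False, "unescaped '%' in query string"
    seq = matches_deny_sequence(query, unescape=True)
    if seq is not None:
        return False, f"deny sequence {seq!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("/search.asp", "id=1%3B", []),              # encoded ';'
        ("/search.asp", "q=100%", []),               # bare '%'
        ("/health.asp", "id=1%3B", ["/health.asp"]),  # listed URL
    ]
    for path, query, allowed in samples:
        print(path, query, filter_request(path, query, allowed))
```

Running the block shows the encoded ‘;’ being caught only because the comparison is done after decoding, the bare ‘%’ being rejected outright, and the listed URL passing under 3.1 semantics even though the same query would be blocked under 3.0 semantics.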
You can protect your server by downloading UrlScan from our archive.