0

I'm looking at our Windows Server 2012 R2 logs and can see many of these type of warnings/errors

http://example.com/page.aspx?aa4=1&bb3=20999999.1 union select unhex&c=E,1,4rln7NsBMfSHKp1Oxq9pnezDOpERYplN_SU,&typo=1(hex(version())) -- and 1=1

I've truncated it for ease of readability. I've installed IIS URL rewrite and added rules to deny php requests (which was the initial problem) but now they're coming back with SQL attacks. So i tried adding another rule with the Regular Expression ^.*union (i tried other variations too) but non seem to block the above script?

I then added union to the URL section under Request Filtering but this doesnt work either.

Does anyone have a more feasible way to block these type of requests from reaching the server? Unfortunately i cant make any changes to the site in question as its third party.

Computer
  • 111
  • 2

2 Answers2

0

You need to deploy a WAF (Web Application Firewall) in front of the actual server, it can filter all malicious requests out. Cloudflare could also be used to provide such a service in the cloud.

NGINX could also be used, but I have no experience with this. https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/

Nicki
  • 36
  • 3
  • Unfortunately I don't have the option for this type of technology at present but if there is a way to do the same i.e. drop URLs in IIS if it contains union then that would help. – Computer Jul 17 '19 at 10:01
0

Alternatively there is a URLScan ISAPI filter that could assist, docs.microsoft.com/en-us/iis/extensions/working-with-urlscan/…. Have not used it recently but it could potentially help.

Nicki
  • 36
  • 3