Download UrlScan 3.1

The successor of version 3.0

By Marius Oiaga, Technology News Editor

3rd of November 2008, 12:11 GMT

UrlScan is a free security tool, available for download from Microsoft, designed to harden websites running on Windows server operating systems and Internet Information Services (IIS). Built to filter SQL injection attacks, UrlScan is now at version 3.1, less than three months after the introduction of UrlScan 3.0 RTW. Version 3.0 was offered specifically to deal with the increasing wave of SQL injection attacks; at the same time, however, it managed to backfire. Microsoft's Wade Hilmo indicated that the UrlScan 3.0 filtering caused attackers to diversify and adapt their techniques.

“Very recently, our internal security team brought it to our attention that they'd seen a new variation on the attacks. This new variation is trying to exploit a behavior in ASP's parsing of the query string for the Request.QueryString function. Note that ASP.NET's behavior in this area is different and ASP.NET applications are not vulnerable to this specific new technique,” Hilmo explained. “The specific behavior in ASP results when the query string contains a name/value pair where the value contains a '%' sign that has not been escape encoded.”

In this context, version 3.1 of UrlScan extends the set of HTTP requests that can be restricted before IIS processes them. With UrlScan 3.1, website administrators can now block requests containing unescaped '%' signs from being processed by web applications running on the server. According to Hilmo, the new filtering applies to query strings and to headers (whether the '%' appears in a header name or a header value).
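To make the rule concrete, the following added example (not Microsoft's code and not UrlScan's implementation) flags any '%' that is not followed by two hexadecimal digits in the raw query string and in header names and values. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# A '%' is a valid escape only when followed by two hex digits (RFC 3986).
_UNESCAPED_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def unescaped_percent_offsets(text):
    """Return the offset of every '%' in text that does not start a %XX escape."""
    return [m.start() for m in _UNESCAPED_PERCENT.finditer(text)]


def check_request(target, headers=None):
    """Check the raw query string and each header name/value of one request.

    Returns a list of (location, offset) findings; an empty list means clean.
    The target must be the raw, still-encoded request target: decoding first
    would turn %25 into a bare '%' and produce false positives.
    """
    findings = []
    query = urlsplit(target).query
    findings += [("query", off) for off in unescaped_percent_offsets(query)]
    for name, value in (headers or {}).items():
        findings += [(f"header-name:{name}", off)
                     for off in unescaped_percent_offsets(name)]
        findings += [(f"header-value:{name}", off)
                     for off in unescaped_percent_offsets(value)]
    return findings


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    ("/shop.asp?item=42&label=50%25+off", {"Accept": "text/html"}),  # escaped: clean
    ("/shop.asp?item=42&label=50%+off", {"Accept": "text/html"}),    # bare '%'
    ("/shop.asp?item=42&note=100%", {}),                             # trailing '%'
    ("/shop.asp?item=42", {"X-Note": "rate=5%"}),                    # '%' in header value
]

if __name__ == "__main__":
    for target, headers in SAMPLES:
        hits = check_request(target, headers)
        print("BLOCK" if hits else "allow", target, hits)
```

The same check can be run over the raw query field of existing IIS logs to estimate how many legitimate requests would be rejected before the filter is enabled.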

“It was possible for certain escape sequences to get past filtering rules. This has been fixed. Certain query string rules did not work properly on IIS 5.1. This has been fixed. The behavior of the [AlwaysAllowedUrls] section has been changed. In UrlScan 3.0, any URLs listed in that section were not subject to filtering of anything that applied specifically to the URL. Effective with UrlScan 3.1, any URLs in that section are not subject to any UrlScan rules. This means that adding a URL to this section will prevent query string or other rules from blocking the URL,” Hilmo added.

UrlScan 3.1 is available for download here.

TAGS:

UrlScan | SQL injection | IIS | Windows Server
© Copyright 2001-2009 Softpedia