The life of Brian Kenny
SQL injection attacks are becoming more and more of an issue. The trouble is that some companies have old systems vulnerable to injection attacks, and applying fixes to that code to make it secure may take weeks of development.
How do you create a safeguard as a stopgap to cover those weeks of development? URL Scan for IIS seems to do the trick.
This safeguard lets you apply rules to your IIS server that you previously couldn't. For example, a simple rule to stop SQL injection attacks might look something like this…
; Custom rules must also be listed under [RuleList] for UrlScan 3.x to apply them
[RuleList]
SQL Injection

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
-- ; SQL comment sequence
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
You can write many custom rules for URL Scan, and it is definitely a tool to research if you're administrating large farms of websites.
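As an added check that is not part of the original post: the Python script below parses the rule above with configparser and approximates the test UrlScan applies to a request. It assumes UrlScan performs a case-insensitive substring match of each deny-list entry against both the raw and the URL-decoded query string; that is a simplification for illustration, not UrlScan's actual implementation. It shows what the list catches on a constructed attack-style query string and, just as important for a stopgap, which ordinary query strings it blocks as false positives because short entries such as "open", "end" and "cast" occur inside normal words. The functions and sample requests are constructed for this example.

```python
"""Added example (not from the original post): an offline approximation of the
UrlScan DenyDataSection check.  ASSUMPTION: UrlScan is modelled as doing a
case-insensitive substring match against both the raw and the URL-decoded
query string; this is a simplification, not UrlScan's own code."""
import configparser
import posixpath
from urllib.parse import unquote

# Constructed copy of the rule from the post, with the [RuleList] entry
# that UrlScan 3.x uses to enable custom rules.
URLSCAN_INI = """
[RuleList]
SQL Injection

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
"""


def load_rule(ini_text, rule_name):
    """Return (extensions, deny_strings) for one UrlScan rule section."""
    cp = configparser.ConfigParser(
        allow_no_value=True,              # deny-list lines carry no '=' value
        interpolation=None,               # keep '%3b' literal
        inline_comment_prefixes=(";",),   # strip '; also catches ...' comments
    )
    cp.read_string(ini_text)
    rule = cp[rule_name]
    extensions = [e.strip().lower() for e in rule["AppliesTo"].split(",")]
    # configparser lower-cases keys, which suits a case-insensitive scan.
    deny_strings = list(cp[rule["DenyDataSection"]])
    return extensions, deny_strings


def matched_tokens(path, query_string, extensions, deny_strings):
    """Deny-list entries that would fire for this request, in list order.

    An empty list means the request passes, or the rule does not apply
    because the requested extension is not in AppliesTo."""
    if posixpath.splitext(path)[1].lower() not in extensions:
        return []
    # Scan the raw query string (catches '%3b') and the decoded one
    # (catches ';' and keywords hidden behind percent-encoding).
    forms = {query_string.lower(), unquote(query_string).lower()}
    return [t for t in deny_strings if any(t in f for f in forms)]


if __name__ == "__main__":
    exts, deny = load_rule(URLSCAN_INI, "SQL Injection")
    # Constructed sample requests: one attack-style string, one encoded,
    # two harmless strings that still trip the list, and one the rule
    # never looks at because of its extension.
    samples = [
        ("/products.asp", "id=1;+DROP+TABLE+users--"),
        ("/search.asp", "q=1%3Bselect+name"),
        ("/news.aspx", "topic=weekend+broadcast"),
        ("/news.aspx", "q=open+day"),
        ("/style.css", "v=select"),
    ]
    for path, qs in samples:
        hits = matched_tokens(path, qs, exts, deny)
        verdict = "BLOCKED (%s)" % ", ".join(hits) if hits else "allowed"
        print("%-14s ?%-26s -> %s" % (path, qs, verdict))
```

Run it as-is to see the verdicts: the two harmless news queries are blocked on "cast", "end" and "open", which is the cost of a plain word list on a busy site. Watching the IIS and UrlScan logs for those rejections during the stopgap period tells you which entries need trimming before they break real traffic.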
General ranting and raving about things that interest me. Music, computer games, IT and god knows what else.
I am currently working in Page 7 Media as a Systems Manager. You can contact me by emailing brian@bkenny.com
bkenny
August 27th, 2008 at 9:18 am
A link to download and use the software is available here http://learn.iis.net/page.aspx/473/using-urlscan