Using URL Rewrite to help curb SQL Injection attacks

25. January 2010

In this post I will walk you through the process of creating a URL rewrite rule to help curb SQL injection attacks. While this is not the end-all, be-all of preventing a SQL injection attack, it is a good first step. In addition, I strongly suggest having a third-party security team scan your website for potential vulnerabilities.

The following rules will rewrite a request for any of the typical SQL injection attacks to /404.html or whatever file you would like; as written, the action below answers with a 403 Forbidden custom response. You can add or remove rules as you see fit. With this many rules it is much easier to simply update your web.config with the code below. Whenever editing your web.config, make sure to create a backup first. Keep in mind that a rule's url pattern is tested against the request path only, case-insensitively by default: the query string is not part of that input unless you add a condition on {QUERY_STRING}, and a pattern such as DECLARE will also match any legitimate path that happens to contain that word.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="SQL Injection - EXEC" stopProcessing="true">
                <match url="^.*EXEC\(@.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - CAST" stopProcessing="true">
                <match url="^.*CAST\(.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - DECLARE" stopProcessing="true">
                <match url="^.*DECLARE.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - DECLARE%20" stopProcessing="true">
                <match url="^.*DECLARE%20.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - NVARCHAR" stopProcessing="true">
                <match url="^.*NVARCHAR.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - sp_password" stopProcessing="true">
                <match url="^.*sp_password.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - xp" stopProcessing="true">
                <match url="^.*%20xp_.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
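Before deploying these patterns it is worth replaying them against your own access logs, both to see what they would block and to catch legitimate URLs that happen to contain one of the keywords. The following Python script is an added example written for this page, not code from the original post: it copies the seven patterns above, applies them the way the module does (to the path without its leading slash, case-insensitively, and without the query string), and runs a constructed W3C log sample through them, reporting separately what a condition on {QUERY_STRING} using the same patterns would have caught in addition.

```python
import re

# The seven rule patterns from the web.config above, in rule order (name, pattern).
RULES = [
    ("SQL Injection - EXEC", r"^.*EXEC\(@.*$"),
    ("SQL Injection - CAST", r"^.*CAST\(.*$"),
    ("SQL Injection - DECLARE", r"^.*DECLARE.*$"),
    ("SQL Injection - DECLARE%20", r"^.*DECLARE%20.*$"),
    ("SQL Injection - NVARCHAR", r"^.*NVARCHAR.*$"),
    ("SQL Injection - sp_password", r"^.*sp_password.*$"),
    ("SQL Injection - xp", r"^.*%20xp_.*$"),
]
# URL Rewrite matches patterns case-insensitively unless ignoreCase="false" is set.
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def first_matching_rule(text):
    """Return the name of the first rule whose pattern matches text, or None.

    The module feeds a rule's <match url> pattern the request path without its
    leading slash and without the query string; that stripping is mirrored here so
    the caller can test the path and the query string separately.
    """
    text = text.lstrip("/")
    for name, regex in COMPILED:
        if regex.search(text):
            return name
    return None


def scan_w3c_log(lines):
    """Replay a W3C extended log against the rules.

    Returns one (uri_stem, uri_query, rule_on_stem, rule_on_query) tuple per request.
    rule_on_stem is what the rules above would block; rule_on_query is what a
    condition on {QUERY_STRING} with the same patterns would catch in addition.
    """
    fields, results = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the lines that follow
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        record = dict(zip(fields, line.split()))
        stem = record["cs-uri-stem"]
        query = "" if record["cs-uri-query"] == "-" else record["cs-uri-query"]
        results.append((stem, query, first_matching_rule(stem), first_matching_rule(query)))
    return results


# Constructed sample log (not real traffic). The second request is a legitimate page
# whose name merely contains "declare"; the third carries its suspicious text in the
# query string, which the path-only rules never see.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-01-25 10:00:01 192.0.2.10 GET /default.aspx - 200
2010-01-25 10:00:02 192.0.2.11 GET /declared-values.aspx id=5 200
2010-01-25 10:00:03 192.0.2.12 GET /default.aspx id=1;DECLARE%20@s 200
2010-01-25 10:00:04 192.0.2.13 GET /forum/CAST(a).html - 200
"""

if __name__ == "__main__":
    for stem, query, on_stem, on_query in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(f"{stem:<24} {query or '-':<20} path rule: {on_stem}  query rule: {on_query}")
```

Running the script shows the two sides of the caveat: /declared-values.aspx would be answered with a 403 by the DECLARE rule although it is an ordinary page, while the suspicious query string on the third request passes untouched because only a {QUERY_STRING} condition would have examined it.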


After you upload the new web.config you can verify it by connecting to your site with the Remote IIS Management tool. If you have not installed this tool yet, download the IIS Remote Administration Tool for IIS 7.0 from IIS.net and install it. Once installed, connect to your site by specifying your fully-qualified domain name (MyDomain.com) as the server name and your site (MySite) as the site name.

Once connected, click the URL Rewrite module. It should look something like this.

Tags: IIS 7, URL Rewrite

Using URL Rewrite to Prevent Image Hotlinking

25. January 2010


In this post I will walk you through the process of creating a URL rewrite rule to prevent image hotlinking. Image hotlinking, also known as leeching, is the embedding of an image hosted on one site in a web page belonging to a second site. Unauthorized hotlinking of your images increases your bandwidth use even though your site is not being viewed as intended. There are other concerns with image hotlinking, for example copyright, or the use of your images in an inappropriate context.

An example of this would be if I were hosting an image on my site www.Jelly.com, and someone outside my network tried to display it on their site.

Rather than strangers eating up all my bandwidth, with URL Rewrite I can replace any such requested image with a placeholder like the one below.

First you will need to connect to your site with the Remote IIS Management tool. If you have not installed this tool yet, download the IIS Remote Administration Tool for IIS 7.0 from IIS.net and install it. Once installed, connect to your site by specifying your fully-qualified domain name (MyDomain.com) as the server name and your site id (My Site) as the site name. Then use your control panel username and password to connect.

Create URL Rewrite Rule
1. Click the URL Rewrite module.
2. Add Rules
3. Blank Rule
4. Name = Prevent image Hotlinking (Or whatever friendly name you would like)
5. Pattern = .*\.(gif|jpg|png)$
6. Add Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does Not Match the Pattern
c. Pattern = ^$
7. Add a second Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does Not Match the Pattern
c. Pattern = http://www.jelly.com/.* (Replace www.jelly.com with your domain)
8. Action Type = Rewrite
9. Rewrite URL = /images/hotlinking.jpg (Replace hotlinking.jpg with whatever image you would like to show)
10. Click Apply
11. Click Back to Rules

This rule will rewrite a request for any image file to /images/hotlinking.jpg only if the HTTP Referer header on the request is not empty and does not point to the site's own domain. Requests that carry no Referer at all (direct visits, or clients that strip the header) are deliberately let through, so treat the rule as a bandwidth-saving measure rather than an access control.

If you don't want to go through all of those GUI steps, you can include the following code in your web.config instead.

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Prevent image hotlinking" enabled="true" stopProcessing="true">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions>
                        <add input="{HTTP_REFERER}" negate="true" pattern="^$" />
                        <add input="{HTTP_REFERER}" negate="true" pattern="http://www.YourDomain.com/.*" />
                    </conditions>
                    <action type="Rewrite" url="/images/hotlinking.jpg" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Tags: IIS 7, URL Rewrite

Using IIS 7 URL Rewrite to route domains to subfolders

19. January 2010

The Microsoft URL Rewrite Module for IIS 7.0 provides a flexible rules-based rewrite engine that can be used to perform a broad spectrum of URL manipulation tasks, including, but not limited to:

Enabling user-friendly and search-engine-friendly URLs for dynamic web applications;
Rewriting URLs based on HTTP headers and server variables;
Web site content handling;
Controlling access to web site content based on URL segments or request metadata.

In this KB I will walk you through the steps to route multiple domains to subfolders in your site. An example of this would be if you are hosting www.Peanutbutter.com and www.Jelly.com on the same website.


With URL Rewrite you can create rules to direct traffic to subfolders based on the URL.

In IIS 7.5 (this also applies to IIS 7) you will first need to install the URL Rewrite Module. The download can be obtained from www.iis.net/extensions. Once you have done that you will see a new icon in IIS.


Create URL Rewrite Rule

1. Click the URL Rewrite module.
2. Add Rules
3. Blank Rule
4. Name = Virtual Director (Or whatever friendly name you would like)
5. Pattern = .*
6. Add Condition
a. Condition Input = {MyDomains:{HTTP_HOST}}
b. Input String = Matches the Pattern
c. Pattern = (.+)
7. Action Type = Rewrite
8. Rewrite URL = {C:1}{REQUEST_URI}
9. Click Apply
10. Click Back to Rules


Create Domain Routes

1. Click View Rewrite Maps
2. Click Add Rewrite Map
3. Rewrite map name = MyDomains
4. Click Add Mapping Entry
5. Original Value = Domain you want to route (i.e. Jelly.com)
6. New Value = Folder you would like traffic routed to (i.e. Jelly)
7. Repeat the steps for any third-level domains you also want to route (i.e. www.Jelly.com)


Now, while Jelly.com and Peanutbutter.com are both bound to the same site, traffic for Jelly.com is routed one folder down. If you look at the address bar, the /Jelly folder is masked.

You can do this for as many domains as you would like. Domains not listed in the rewrite map will continue to load their pages from the root of your site.

If you don't want to go through all of those GUI steps, you can include the following code in your web.config instead.


<system.webServer>
    <rewrite>
        <rules>
            <rule name="Virtual Director" enabled="true" stopProcessing="false">
                <match url=".*" />
                <conditions>
                    <add input="{MyDomains:{HTTP_HOST}}" pattern="(.+)" />
                </conditions>
                <action type="Rewrite" url="{C:1}{REQUEST_URI}" />
            </rule>
        </rules>
        <rewriteMaps>
            <rewriteMap name="MyDomains">
                <add key="Jelly.com" value="/Jelly" />
                <add key="www.Jelly.com" value="/Jelly" />
            </rewriteMap>
        </rewriteMaps>
    </rewrite>
</system.webServer>
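To see how the hotlinking rule from the previous post and the Virtual Director rule with its MyDomains map behave together before touching a live site, here is a small offline evaluator. It is an added example written for this page, not part of the original posts or of the URL Rewrite module itself. It parses a constructed web.config fragment that combines both rule sets (with the example domain www.jelly.com filled in for the hotlinking condition) and models a subset of the module's semantics: the match url pattern is applied to the path without leading slash or query string, patterns match case-insensitively (the module's default), a negated condition passes when its pattern does not match, rewrite-map lookups ignore key case and return an empty string for unmapped keys, and {C:1} refers to the last matched condition. The request dictionaries are constructed values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment combining the two posts' rules (example code).
WEB_CONFIG = r"""<system.webServer>
  <rewrite>
    <rules>
      <rule name="Prevent image hotlinking" enabled="true" stopProcessing="true">
        <match url=".*\.(gif|jpg|png)$" />
        <conditions>
          <add input="{HTTP_REFERER}" negate="true" pattern="^$" />
          <add input="{HTTP_REFERER}" negate="true" pattern="http://www.jelly.com/.*" />
        </conditions>
        <action type="Rewrite" url="/images/hotlinking.jpg" />
      </rule>
      <rule name="Virtual Director" enabled="true" stopProcessing="false">
        <match url=".*" />
        <conditions>
          <add input="{MyDomains:{HTTP_HOST}}" pattern="(.+)" />
        </conditions>
        <action type="Rewrite" url="{C:1}{REQUEST_URI}" />
      </rule>
    </rules>
    <rewriteMaps>
      <rewriteMap name="MyDomains">
        <add key="Jelly.com" value="/Jelly" />
        <add key="www.Jelly.com" value="/Jelly" />
      </rewriteMap>
    </rewriteMaps>
  </rewrite>
</system.webServer>"""

MAP_REF = re.compile(r"\{(\w+):\{(\w+)\}\}")  # {MapName:{SERVER_VARIABLE}}
VAR_REF = re.compile(r"\{([\w:]+)\}")         # {SERVER_VARIABLE} or {C:n}


def load_rules(config_text):
    """Parse <rewrite> into (enabled rules, {map name: {lower-cased key: value}})."""
    rewrite = ET.fromstring(config_text).find("rewrite")
    maps = {}
    for rmap in rewrite.findall("rewriteMaps/rewriteMap"):
        # rewrite maps ignore key case by default, hence the lower-casing
        maps[rmap.get("name")] = {e.get("key").lower(): e.get("value") for e in rmap.findall("add")}
    rules = [r for r in rewrite.findall("rules/rule") if r.get("enabled", "true") == "true"]
    return rules, maps


def expand(template, request, maps, groups):
    """Substitute {Map:{VAR}}, {VAR} and {C:n} in a condition input or action url."""
    def map_sub(m):
        key = request.get(m.group(2), "").lower()
        return maps.get(m.group(1), {}).get(key, "")  # unmapped key -> empty string

    def var_sub(m):
        name = m.group(1)
        if name.startswith("C:"):  # back-reference into the last matched condition
            idx = int(name[2:])
            return groups[idx] if idx < len(groups) else ""
        return request.get(name, "")

    return VAR_REF.sub(var_sub, MAP_REF.sub(map_sub, template))


def evaluate(config_text, request):
    """Return REQUEST_URI after the rules have run on a request dict (constructed)."""
    rules, maps = load_rules(config_text)
    request = dict(request)
    for rule in rules:
        # the rule pattern sees the path only: no query string, no leading slash
        path = request["REQUEST_URI"].split("?")[0].lstrip("/")
        if not re.search(rule.find("match").get("url"), path, re.IGNORECASE):
            continue
        groups, ok = [""], True
        for cond in rule.findall("conditions/add"):
            value = expand(cond.get("input"), request, maps, groups)
            m = re.search(cond.get("pattern"), value, re.IGNORECASE)
            if bool(m) == (cond.get("negate") == "true"):  # negate flips the test
                ok = False
                break
            if m:
                groups = [m.group(0), *m.groups()]
        if not ok:
            continue
        request["REQUEST_URI"] = expand(rule.find("action").get("url"), request, maps, groups)
        if rule.get("stopProcessing") == "true":
            break
    return request["REQUEST_URI"]


if __name__ == "__main__":
    samples = [  # constructed requests: (REQUEST_URI, HTTP_HOST, HTTP_REFERER)
        ("/logo.png", "www.jelly.com", "http://other.example/page"),
        ("/logo.png", "www.jelly.com", ""),
        ("/about?x=1", "jelly.com", "http://www.jelly.com/"),
        ("/index.html", "www.peanutbutter.com", ""),
    ]
    for uri, host, referer in samples:
        req = {"REQUEST_URI": uri, "HTTP_HOST": host, "HTTP_REFERER": referer}
        print(f"{host:<22} {uri:<12} referer={referer or '(none)':<26} -> {evaluate(WEB_CONFIG, req)}")
```

The four samples show the interaction of the two rules: an image requested from a foreign page is swapped for the placeholder and, because of stopProcessing, never reaches the domain rule; the same image with no Referer passes the hotlinking rule and is routed into /Jelly; a page on jelly.com keeps its query string when routed; and a host missing from the map is left at the site root.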

Tags: IIS 7, URL Rewrite