URLScan 3.1 Released


About a week ago, the IIS Team released version 3.1 of the URLScan tool. If you are running version 3.0, it is recommended that you upgrade to URLScan 3.1.

URLScan is the tool to protect your websites against SQL injection attacks, and the new version is updated to handle a new variation of these attacks.

Our internal security team brought it to our attention that they’d seen a new variation on the attacks.  This new variation is trying to exploit a behavior in ASP’s parsing of the query string for the Request.QueryString function.

UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed.

The UrlScan version 3.1 security tool gives administrators even greater control over UrlScan configuration, providing functionality that helps administrators further secure and lock down the server.

New features

  • New installer that allows URLScan 3.1 to be installed on IIS 5.1 or later, including IIS 7.
  • Deny rules that can be independently applied to URL, query string, all headers, a particular header or a combination of these.
  • A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking the unescaped version of the query string as well.
  • Support for escape sequences in the deny rules so it’s possible to deny CRLF and other non-printable characters in configuration.
  • Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).
  • Configuration (urlscan.ini) change notifications that are propagated to worker processes without having to recycle them. Note that changes to log settings still require the worker processes to be recycled.
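
The DenyQueryString bullet above mentions checking the unescaped version of the query string as well as the raw one. The following Python model is an added example, not URLScan's own code, and shows why that second pass matters; the deny list, function names and sample query strings are constructed for illustration, and percent-decoding with `urllib.parse.unquote` is an assumption standing in for URLScan's unescaping.

```python
from urllib.parse import unquote

# Constructed deny list for illustration; not URLScan's shipped defaults.
DENY_SEQUENCES = ["--", ";", "/*", "declare", "exec"]


def find_denied(text, sequences):
    """Return the first deny sequence found in text (case-insensitive), else None."""
    lowered = text.lower()
    for seq in sequences:
        if seq.lower() in lowered:
            return seq
    return None


def check_query_string(raw_query, sequences=DENY_SEQUENCES, check_unescaped=True):
    """Model a two-pass deny check and return (allowed, reason).

    Pass 1 scans the query string exactly as received.
    Pass 2 (optional) scans it again after percent-decoding, so an
    encoded character such as %3B is compared as ';'.
    """
    hit = find_denied(raw_query, sequences)
    if hit is not None:
        return False, f"raw query string contains {hit!r}"
    if check_unescaped:
        hit = find_denied(unquote(raw_query), sequences)
        if hit is not None:
            return False, f"unescaped query string contains {hit!r}"
    return True, "no deny sequence matched"


# Constructed sample query strings.
SAMPLES = [
    "id=42&sort=name",      # benign
    "id=42;declare",        # denied on the raw pass
    "id=42%3B%64eclare",    # only visible to the unescaped pass
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for unescape in (False, True):
            allowed, reason = check_query_string(sample, check_unescaped=unescape)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{sample!r:24} unescape={unescape!s:5} {verdict}: {reason}")
```

With the unescaped pass turned off, the third sample passes the filter even though the application would see the decoded characters.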