Small business protection for ASP.NET websites

Are you being attacked? Find out.

Free Notifications Forever!

INSTALLATION

SQL Injection Shield™ can be installed and uninstalled very quickly, easily, and safely. There are two simple steps:

  • Upload the unzipped folders to the root of your website.
  • Enable attack monitoring by adding three entries to your web.config file.

Unzip and Upload Files

The following folders and files will be extracted from the downloaded zip file:

Simply upload the unzipped folders to the root of your website. Don't worry, nothing on your website will be overwritten.

Enable SQL Injection Shield via your web.config file:

To enable attack monitoring, the specific web.config entry depends upon which IIS Managed Pipeline Mode is enabled on your website. Use the option below that matches your website for the appropriate instructions.

In IIS 7 and beyond, each application pool uses one of two .NET integration modes for running ASP.NET applications: "Integrated" or "Classic".

Integrated mode allows ASP.NET modules to participate in IIS request processing, regardless of the type of resource requested.

With classic mode (IIS 6), requests are initially processed through IIS modules, and then ASP.NET requests are separately processed via the aspnet_isapi.dll.

Classic Pipeline

Add the <add> entry shown below to the configuration/system.web/httpModules section of your web.config file. If your web.config file doesn't have an <httpModules> section within <system.web>, then add it along with the <add> entry.

<configuration>
    <system.web>
        <httpModules>
            <add name="Westination.SQLInjectionShield" type="Westination.Web.SQLInjectionShield"/>
        </httpModules>
    </system.web>
</configuration>

Integrated Pipeline

Add the <add> entry shown below to the configuration/system.webServer/modules section of your web.config file. If your web.config file doesn't have a <modules> section within <system.webServer>, then add it along with the <add> entry.

<configuration>
    <system.webServer>
        <modules>
            <add name="Westination.SQLInjectionShield" type="Westination.Web.SQLInjectionShield" preCondition="integratedMode,managedHandler"/>
        </modules>
    </system.webServer>
</configuration>

I Don't Know or I'm Unsure

After uploading the unzipped folders to the root of your website, navigate to:

http://your-website/Westination/SqlInjectionShield/LicenseInfo.aspx

The resulting webpage, hosted on your website, will tell you which managed pipeline mode your website is using. It has a Configuration Guide that is tailored to your website, so you can continue the installation process from there, confident that you have made the correct configuration selection.

How to Toggle On & Off

Commenting out or removing the <add> element within the <httpModules> or <modules> section (whichever applies to your pipeline mode, as chosen above) disables attack monitoring. In this fashion, you can quickly toggle between enabled and disabled states without having to remove the uploaded files or modify any other web.config entries.
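To confirm which pipeline section actually carries the entry, and that a commented-out entry really counts as off, the following script parses a web.config and reports the registrations. It is an added example, not part of SQL Injection Shield; the sample web.config and the pipeline_mode argument are constructed here.

```python
# Added example (not SQL Injection Shield code): report where the shield module
# is registered in a web.config, so the entry matches the pool's pipeline mode.
import xml.etree.ElementTree as ET

MODULE_NAME = "Westination.SQLInjectionShield"
SECTIONS = {
    "classic": "system.web/httpModules/add",        # classic pipeline section
    "integrated": "system.webServer/modules/add",   # integrated pipeline section
}

# Constructed sample: classic entry commented out, integrated entry active.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <!-- <add name="Westination.SQLInjectionShield" type="Westination.Web.SQLInjectionShield"/> -->
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="Westination.SQLInjectionShield"
           type="Westination.Web.SQLInjectionShield"
           preCondition="integratedMode,managedHandler"/>
    </modules>
  </system.webServer>
</configuration>"""


def shield_registrations(config_xml: str) -> dict:
    """Return {'classic': bool, 'integrated': bool} for active <add> entries.

    ElementTree drops XML comments while parsing, so an entry that was
    commented out (the guide's way of toggling the shield off) is not counted.
    """
    root = ET.fromstring(config_xml)
    return {
        mode: any(add.get("name") == MODULE_NAME for add in root.findall(path))
        for mode, path in SECTIONS.items()
    }


def check_shield(config_xml: str, pipeline_mode: str) -> str:
    """Describe the registration relative to the pool's managed pipeline mode."""
    regs = shield_registrations(config_xml)
    if regs[pipeline_mode]:
        return "enabled"
    other = "integrated" if pipeline_mode == "classic" else "classic"
    if regs[other]:
        return f"registered under the {other} section only"
    return "disabled"
```

Run check_shield(open("web.config").read(), mode) with the mode reported by LicenseInfo.aspx to see whether the entry sits in the section that pipeline mode actually reads.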

How Do I Know It's Working?

The only way to know for sure is to attack yourself. Append the following query string to the end of a page link on your website.

?test=1 or null is null

Example: http://your-website/default.aspx?test=1 or null is null

If installed correctly, you should see a corresponding "FailureAudit.html" event file within the ./Westination/SQLInjectionShield/EventLog/ folder. If you enabled email notifications (described below), then you should receive a corresponding email alert as well.

In case you're wondering, the term "FailureAudit" means that the request failed the safety audit.

Attack events are logged to the ./Westination/SQLInjectionShield/EventLog/ folder.

SQL Injection Shield™ will also send reports, via email, to the recipient(s) defined in the configuration/appSettings section shown below. In order to receive attack notification emails, it is important that your outgoing mail server is correctly defined within the system.net/mailSettings section, as illustrated below.

To enable email notifications, add the following entries to your web.config file.

<configuration>
    <appSettings>
        <add key="Westination.SQLInjectionShield.Email.Recipients" value="email@your-domain;next.email@your-domain"/>
    </appSettings>
    <system.net>
        <mailSettings>
            <!-- smtp from = the address that will appear as the sender of the email. -->
            <smtp from="automation@westination.com">
                <!-- network host = your outgoing SMTP mail server. -->
                <network host="your-mail-server" port="25" userName="" password=""/>
            </smtp>
        </mailSettings>
    </system.net>
</configuration>

Troubleshooting:

If you're not receiving emails, then check the EventLog folder. If the event is logged there, then there is a problem with the email settings defined above.

1. Does the specified mail server allow sending from your website?
2. Is the specified port correct?
3. Are the specified username and password correct?
4. If your web server is also your mail server, then try specifying 127.0.0.1 as your host.
5. Did you check your spam folder?

By default, SQL Injection Shield™ monitors all the standard ASP.NET page types that receive and process input (.aspx, .ashx, .asmx, etc.). However, there may be cases when one would want to either extend or override the default monitoring. For example:

What if you have a custom page handler installed on your website that accepts input from non-standard pages, and you want SQL Injection Shield™ to monitor those as well?

Or, what if you need to exclude a page or folder from being monitored for some reason? For example, you have a secure webpage that allows privileged employees to execute ad-hoc SQL queries against your database.

The web.config entries, illustrated below, are based on the following example scenarios.

1. You have installed a custom page handler that enables your website to respond to requests for pages with a .custom extension, and you want SQL Injection Shield™ to monitor and protect your .custom pages.
2. You have a secure folder on your website, named http://your-website/secure/ad-hoc/, which allows privileged employees to execute ad-hoc SQL queries against your database, and you want to disable monitoring on pages within that folder.

<configuration>
    <appSettings>
        <add key="Westination.SQLInjectionShield.PageProtection.Additions" value="*.custom"/>
        <add key="Westination.SQLInjectionShield.PageProtection.Exclusions" value="/secure/ad-hoc/*"/>
    </appSettings>
</configuration>

The * character is a wildcard, so a single *.custom* entry covers both the .custom1 and .custom2 extensions.

If you have multiple additions or exclusions, separate them with the | character. For example: *.abc|*.xyz
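The addition and exclusion rules above can be expressed as a small matcher. This is an added Python example, not the product's own logic: it assumes exclusions are evaluated first, that patterns are compared case-insensitively against the site-relative path with the query string removed, that only * is special, and that the default list is the page's .aspx/.ashx/.asmx examples.

```python
# Added example (not SQL Injection Shield code): decide whether a request path
# falls under monitoring given the PageProtection.Additions/Exclusions values.
import re

# Assumed default set, taken from the page's examples of standard page types.
DEFAULT_MONITORED = ("*.aspx", "*.ashx", "*.asmx")


def pattern_to_regex(pattern: str):
    """Translate a page-style pattern where only '*' is a wildcard.

    Every other character is matched literally, so the '.' in '*.custom'
    does not behave as a regex metacharacter.
    """
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_setting(value: str) -> list:
    """Split a '|'-separated appSettings value, e.g. '*.abc|*.xyz'."""
    return [p.strip() for p in value.split("|") if p.strip()]


def is_monitored(request_url: str, additions: str = "", exclusions: str = "") -> bool:
    """Assumed evaluation order: an exclusion wins; otherwise the path must
    match a default page type or one of the additions."""
    path = request_url.split("?", 1)[0]   # the query string is input, not path
    if any(pattern_to_regex(p).match(path) for p in parse_setting(exclusions)):
        return False
    candidates = list(DEFAULT_MONITORED) + parse_setting(additions)
    return any(pattern_to_regex(p).match(path) for p in candidates)


# Values from the page's two example scenarios.
ADDITIONS = "*.custom"
EXCLUSIONS = "/secure/ad-hoc/*"

if __name__ == "__main__":
    for url in ("/default.aspx?test=1 or null is null",
                "/products/list.custom",
                "/secure/ad-hoc/run.aspx",
                "/images/logo.png"):
        print(url, "->", is_monitored(url, ADDITIONS, EXCLUSIONS))
```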

A fully functional FREE notification-only license is automatically activated upon successful installation. If you receive an attack notification, or otherwise decide that you want to begin blocking attacks, simply purchase one or more Shield licenses.

Once you have purchased one or more Shields, navigate to http://your-website/Westination/SqlInjectionShield/LicenseInfo.aspx to activate your shield and immediately begin blocking the attacks.

You will need the email address and password, which you used during checkout, to authenticate and activate the shield on your website.