IIRF: A decent URL rewriter ISAPI filter

May 27 2008

IT's been a long time since my last security-related post, but from time to time I'm assigned small tasks related to it. Last one, just finished today, was doing some research and proof of concepts about ISAPI filters for a spanish company, to harden their servers and protect them from XSS and SQL Injection.

One of my colleages and me did some research and found some filters, both free and commercial (and some a bit outdated). After trying one commercial, it proved crap. It couldn't even capture right way the parameters (was taking the URI instead of full URL, so querystring was ignored, to give one of multiple examples). We grew desperate and started searching for more filters like Mod_rewrite in Apache.

That was, until we came across Ionic's Isapi Rewrite Filter (IIRF), an opensource ISAPI filter written in Visual C++, which uses Perl-compatible regular expressions to define the rules and conditions for rewriting (or redirecting) URLs.

The installation is simple, so I won't go deep on it (read the included readme.txt, it is just adding a new ISAPI filter to IIS pointing to the filter's DLL file).

Interesting stuff comes after that, configuring the IsapiRewrite4.ini, which holds all the regular expressions (rules) for matching and replacing.

They are used much like the mentioned before Mod_rewrite, allowing for quite interesting stuff. Here are a few simple examples:

RewriteRule (.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*) /incorrecturl.aspx [I,L]
This rule blocks all <script> tags (either normal or URL-encoded), ignoring case ([I] modifier)

RewriteRule (.*)%00(.*) $1$2 [I]
This rule avoids nulls, used for example to avoid detection of tags, for example: javas%00cript:
Note: Here the [L] modifier is omited to allow multiple replacements (if placed it would only remove the first null found)

RewriteRule (.*)eval(\(|%28)(.*) /incorrecturl.aspx [I,L]
Same as the first one, this time with the "eval(" javascript function start.

 

This are just but a few rules, for a (quite large) list of common and not so common XSS attacks, you can check this ha.ckers.org XSS cheat-sheet (even with a XSS calculator/encoder!).