How to Configure WPL v1.0 SRE

RV here...

With the release of Web Protection Library v1.0 (WPL) Security Runtime Engine (SRE) has been significantly updated. It now includes a SQL Injection Detection module which can detect certain attack vectors. It also include re-designed configuration editor which enables you to easily configure SRE. The following easy steps let you configure your application to use SRE.

Step 1 : Edit Configuration

First step is to configure your application web.config file to enable SRE modules. Star the configuration editor by going to Start –> All Programs –> Microsoft Information Security –> Web Protection Library v1.0 and clicking on SRE Configuration Editor shortcut.

image

The left side tree includes list of processors configured in the current config file. By default a blank web.config with all processors are loaded in the editor. Click on File –> Open to open an existing web.config file to add the processors. The configuration tree would be empty. Right Click on the “Configuration” node in the tree and select “New –> Cross Site Scripting Protection Module” to add XSS protection module to the application. Similarly, add the “SQL Injection Partial Protection Module” to the configuration node. Click on the save icon or select File –> Save to save the configuration. The following sections are added to the configuration file.

  • configSection/section nodes for defining processor configurations
  • httpModules/add for enabling the modules
  • processor configuration sections

Step2 : Copy SRE Binaries

Once the configuration is in place, ASP.NET will now try to resolve the httpModules defined in the configuration. In case of 64-bit windows Go to %ProgramFiles(x86)%\Microsoft Information Security\Web Protection Library v1.0\SecurityRuntimeEngine or 32-bit Windows go to %ProgramFiles%\Microsoft Information Security\Web Protection Library v1.0\SecurityRuntimeEngine directory and copy all the .dll files to \bin folder of your application. Here is a brief description of files found in this directory.

image

Don’t copy the SqlLibInstaller.msi as this is going to install the SQL Parser libraries on the machine.

Step 3: Test

Once you copy the binaries, SRE should automatically encode the controls being rendered on the page. It should also detect an SQL Injection Attempts as shown below. In case of XSS attack, inputs are automatically encoded by the Anti-XSS processor.

image

Similarly following exception is thrown when SQL queries are detected in the input.

image

You can handle this exception with custom errors page and provide generic information to the user. As we release new processors in WPL, we will continue to update the blog site with more how to information.

Comments

  • Anonymous
    December 02, 2009
    Hi.. I have installed the WPL Library v1.0, but when I try to configure the web.config through the SRE Configuration Editor throws an error: An unknown error ocurred while trying to save configuration. I have VS 2005, VS 2008, my OS is Windows Vista Business Edition... Thanks in advance for any comments you have.. Brenda R.

  • Anonymous
    December 02, 2009
    I'm having problems when I try to save the file, it throws an error. Which version of .NET Framework do I need? I have VS 2005, VS 2008 and Windows Vista Business Edition. Thanks for your help. Brenda R.

  • Anonymous
    December 04, 2009
    Hi Brenda, We currently have a known issue with the configuration editor where the editor tries to add the configuration sections in the web.config file. If the <configSections></configSections> element is not under <configuration> element, it will generate that error. Similarly missing <httpHandlers> under <system.web> can also generate that error. This will be fixed for the next release. Thanks Anil Revuru Information Security Tools