I bought a web app that does not use special characters. In reviewing my logs, I am seeing probing by threat actors who attempt to see if my site is vulnerable to SQL injection by adding apostrophes and other char() characters that are never normally used. I trust the security of my app (mostly), but wanted to see if a rewrite rule or some other methodology would black-hole their request. My web app gives out its standard error. I am looking for rules or ideas to 1.) give the attacker as little info as possible without 2.) adding a lot of overhead to the server. There are lots of rewrite rule examples out there, but none that I have found that deal with this angle.
Simple Example of the probing: https://sub.domain.com/default.aspx?page=3500'A=0&Id=497066
Something like this? It will weed out some of the nastier SQL characters.
This will abort the request if any of the characters '(); appear in the query string.
No SQL Injection rule
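A rule of the kind this answer describes, written as an added example (it is not the answerer's original rule, which did not survive on the page). It assumes the IIS URL Rewrite module is installed; the two patterns and the percent-encoded variants are this example's choices.

```xml
<!-- web.config fragment (added example; requires the IIS URL Rewrite module) -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name reuses the caption left on the page. -->
        <rule name="No SQL Injection rule" stopProcessing="true">
          <!-- Apply to every path; the decision is made on the query string. -->
          <match url=".*" />
          <conditions logicalGrouping="MatchAny">
            <!-- The literal characters named in the answer: ' ( ) ; -->
            <add input="{QUERY_STRING}" pattern="['();]" />
            <!-- Assumption: also catch the same characters when percent-encoded. -->
            <add input="{QUERY_STRING}" pattern="%(27|28|29|3B)" />
          </conditions>
          <!-- AbortRequest drops the connection: no status code, no error page. -->
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule only inspects the query string, so POST bodies and cookies still reach the application unfiltered, and any legitimate URL that contains these characters is dropped as well.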