I have a multi-page ASP web application that uses information sent to it
from the client in the Request.Forms collection, the Request.QueryString
collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of
EVERY page.
This include file iterates through EVERY form, querystring and cookie item
and removes anything that looks like malicious SQL injections from the
values. Having completed this task, the many web pages then access the
sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work...I can't update the
Request object with the sanitised value. [Error message: VBScript runtime
error: Object doesn't suppor this property or method]
Either it's something silly in my coding or it's the wrong
approach....please advise accordingly (code below).
Thanks
Griff
---------------------------------------------------------------------------------------------
Dim asSQLInjectionWords ' Array to hold the injection keywords
Dim oRequestItemName ' Item in the request object (form, querystring and cookies)
Dim vValue ' Item value

' Populate the array
populateArray asSQLInjectionWords

' Sanitise the request form objects
for each oRequestItemName in Request.Form
    ' Load the value
    vValue = Request.Form(oRequestItemName)
    ' sanitise the request item value
    Request.Form(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
next 'oRequestItem

' Sanitise the request query string objects
for each oRequestItemName in Request.QueryString
    ' Load the value
    vValue = Request.QueryString(oRequestItemName)
    ' sanitise the request item value
    Request.QueryString(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
next 'oRequestItem

' Sanitise the request cookie objects
for each oRequestItemName in Request.Cookies
    ' Load the value
    vValue = Request.Cookies(oRequestItemName)
    ' sanitise the request item value
    Request.Cookies(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
next 'oRequestItem

' Erase the array
erase asSQLInjectionWords

' -------------------------------------------------------------
private function sanitiseItemValue(byRef injectionArray, byVal vValue)
    Dim iArrayCounter
    Dim aRequestItem
    ' Iterate through the sql injection array
    for iArrayCounter = 0 to ubound(injectionArray)
        ' Split the request item's value around the SQL injection term
        aRequestItem = split(vValue, injectionArray(iArrayCounter))
        ' Rebuild the request item without the SQL injection term
        vValue = join(aRequestItem, vbNullString)
    next
    ' Return sanitised value
    sanitiseItemValue = vValue
end function

' -------------------------------------------------------------
private sub populateArray(byRef injectionArray)
    ' The line-continuation underscore must be preceded by a space
    injectionArray = Array( _
        "/", _
        "\", _
        "'", _
        """", _
        ";", _
        "=", _
        "--", _
        "*", _
        ".", _
        "create", _
        "dbcc", _
        "dbo", _
        "delete", _
        "drop", _
        "exec", _
        "index", _
        "insert", _
        "from", _
        "having", _
        "inner", _
        "join", _
        "master", _
        "model", _
        "msdb", _
        "null", _
        "table", _
        "tables", _
        "tempdb", _
        "truncate", _
        "union", _
        "update", _
        "where", _
        "xp_cmdshell", _
        "xp_startmail", _
        "xp_sendmail", _
        "xp_makewebtask")
end sub
' -------------------------------------------------------------
easiest thing is to make the usernames or passwords hard to reproduce
btw we were asked to try and hack a leading recruitment agency's website - it
only took 15 mins to guess the password "letmein"
ho hum
mark
"Griff" <Ho*****@The.Moon> wrote in message
news:ef**************@TK2MSFTNGP12.phx.gbl...
easiest thing is to make the usernames or passwords hard to reproduce
I'm sure that it is....but, I'd like to detect when someone's trying to hack
the system. If I detect SQL injection in the request objects then it can
alert me to the fact.
So, any ideas on my original post anyone?
Thanks
Griff
Griff wrote:
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).
It's the wrong approach. The Request object is read-only. You cannot modify
it. You can find the documentation at msdn.microsoft.com/library.
Stop worrying about SQL Injection. Use parameters, not dynamic sql. SQL
Injection depends on the use of dynamic sql. When you stop using dynamic
sql, hackers have to find another way to compromise your site.
This is not to say you should not validate the data resulting from user
input: validation is important for preventing errors (datatype mismatch,
missing data, etc.) and detecting hacker probes. Check this out: http://groups-beta.google.com/group/...c1d417d8ecdba6
HTH,
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
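To make the "use parameters, not dynamic sql" advice concrete, here is an added example of a classic ASP login lookup written with ADODB.Command parameters. This is not code from the thread or from Microsoft; the connection string held in Application("ConnString"), the Users table and its UserName and UserID columns are assumed for illustration.

```vbscript
<%
' Added example (not from the thread): a login lookup that sends the user
' name as a query parameter instead of splicing it into the SQL text.
' Assumed: Application("ConnString") holds the connection string, and a
' Users table with UserName and UserID columns exists.
Option Explicit

' ADO constants, declared here so the page does not depend on adovbs.inc
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

' The dynamic-SQL form this replaces: the user's value becomes part of the
' statement text, which is exactly what SQL injection depends on.
' sql = "SELECT UserID FROM Users WHERE UserName = '" & Request.Form("username") & "'"

' Returns the UserID for a user name, or 0 when there is no such user
Function LookupUserID(ByVal conn, ByVal userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" is a placeholder; the value travels separately from the statement
    cmd.CommandText = "SELECT UserID FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarWChar, adParamInput, 50, userName)
    Set rs = cmd.Execute
    If rs.EOF Then
        LookupUserID = 0
    Else
        LookupUserID = rs("UserID").Value
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Validation is still done first, for the reasons given above: enforce the
' datatype and shape the application expects (here: 1-50 characters from a
' small allowed set), and reject anything else with a clear error.
Function IsValidUserName(ByVal s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_.@-]{1,50}$"
    IsValidUserName = re.Test(s)
End Function

Dim conn, userName, userID
userName = Request.Form("username")
If Not IsValidUserName(userName) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid user name"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: set in global.asa at app start
userID = LookupUserID(conn, userName)
conn.Close
Set conn = Nothing
%>
```

The keyword-stripping loop from the original post is not needed once the query is built this way: a value containing `'`, `--` or `union` is compared as a literal string by the database, never parsed as SQL. The allow-list in IsValidUserName is there for data quality and for rejecting malformed input early; the page's own type for the column (adVarWChar, length 50) should match the schema, and the password check has been left out to keep the example to the one query.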
if request.form contains "and 1 = 1" then get ip address and inputted
username and save
or if request.form does not contain username AND password ...
mark
"Griff" <Ho*****@The.Moon> wrote in message
news:e5**************@TK2MSFTNGP09.phx.gbl...
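Griff's original aim was an include file at the top of every page, and mark's suggestion was to record the client IP and the submitted value when a request looks like a probe. Since the Request object is read-only, the added example below (not code from the thread) does what an include file can actually do: it scans every form, query-string and cookie item, logs any hit with the IP, page and item name, and rejects the request instead of trying to rewrite the value. The log path is assumed; the patterns are taken from the thread ("and 1 = 1", the quote and comment characters, and a few of the original keyword-list entries) and are heuristics for alerting, not the protection itself.

```vbscript
<%
' Added example (not from the thread): a probe-logging include for classic ASP.
' Assumed: D:\logs\probe.log is writable by the IIS worker and sits outside
' the web root.
Option Explicit

Const LOG_PATH     = "D:\logs\probe.log"
Const ForAppending = 8

' Patterns taken from the thread: "and 1 = 1", quote/comment/statement
' separators, and a few keywords from the original list. They flag a request
' for review; parameterised queries are what actually prevent injection.
Function LooksLikeProbe(ByVal s)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "(\band\s+1\s*=\s*1\b)|(--)|(;)|(')|(\b(union|drop|truncate|exec|xp_cmdshell)\b)"
    LooksLikeProbe = re.Test(s)
End Function

' Append one tab-separated line: time, client IP, page, source, item, value
Sub LogProbe(ByVal source, ByVal itemName, ByVal value)
    Dim fso, f
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_PATH, ForAppending, True)
    ' Flatten line breaks so one request stays on one log line
    f.WriteLine Now & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
                Request.ServerVariables("SCRIPT_NAME") & vbTab & source & vbTab & _
                itemName & vbTab & Replace(Replace(value, vbCr, " "), vbLf, " ")
    f.Close
    Set f = Nothing
    Set fso = Nothing
End Sub

' Scan one request collection; returns the number of suspicious items found
Function ScanCollection(ByVal source, ByVal col)
    Dim key, value, hits
    hits = 0
    For Each key In col
        value = CStr(col(key))
        If LooksLikeProbe(value) Then
            LogProbe source, key, value
            hits = hits + 1
        End If
    Next
    ScanCollection = hits
End Function

' Same three collections the original include walked through
Dim probeHits
probeHits = ScanCollection("form", Request.Form) _
          + ScanCollection("query", Request.QueryString) _
          + ScanCollection("cookie", Request.Cookies)

If probeHits > 0 Then
    ' Reject rather than "clean": the value is never used by the page, and
    ' the event is on record for the alerting Griff asked about.
    Response.Status = "400 Bad Request"
    Response.End
End If
%>
```

Two caveats when using this. First, `'` and `;` will match ordinary input such as the name O'Brien or a free-text comment, so tune the pattern per field or keep those characters out of the pattern for fields where they are legitimate; rejecting and logging is far less damaging than the original approach of silently deleting "from", "where", "index" and every "." from a value, but it still needs false positives managed. Second, the log file is written with the client's value in it, so treat the log as untrusted data when you read it back (do not render it unescaped in a web page).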