Defending against SQL injection....

Discussion in 'ASP General' started by Griff, Jul 7, 2005.

  1. Griff

    Griff Guest

    I have a multi-page ASP web application that uses information sent to it
    from the client in the Request.Forms collection, the Request.QueryString
    collection and the Request.Cookie collection.

    What I want to do is to sanitise ALL the information sent to EVERY page.

    I thought I'd achieve this by having an INCLUDE file inserted at the top of
    EVERY page.

    This include file iterates through EVERY form, querystring and cookie item
    and removes anything that looks like malicious SQL injections from the
    values. Having completed this task, the many web pages then access the
    sanitised Request object with impunity.

    One minor drawback is that it doesn't seem to work...I can't update the
    Request object with the sanitised value. [Error message: VBScript runtime
    error: Object doesn't support this property or method]

    Either it's something silly in my coding or it's the wrong
    approach....please advise accordingly (code below).

    Thanks

    Griff
    ---------------------------------------------------------------------------------------------
    Dim asSQLInjectionWords ' Array to hold the injection keywords
    Dim oRequestItemName ' Item in the request object (form, querystring and cookies)
    Dim vValue ' Item value

    ' Populate the array
    populateArray asSQLInjectionWords

    ' Sanitise the request form objects
    for each oRequestItemName in Request.Form
        ' Load the value
        vValue = Request.Form(oRequestItemName)
        ' sanitise the request item value
        Request.Form(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
    next 'oRequestItem

    ' Sanitise the request query string objects
    for each oRequestItemName in Request.QueryString
        ' Load the value
        vValue = Request.QueryString(oRequestItemName)
        ' sanitise the request item value
        Request.QueryString(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
    next 'oRequestItem

    ' Sanitise the request cookie objects
    for each oRequestItemName in Request.Cookies
        ' Load the value
        vValue = Request.Cookies(oRequestItemName)
        ' sanitise the request item value
        Request.Cookies(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords, vValue)
    next 'oRequestItem

    ' Erase the array
    erase asSQLInjectionWords


    ' -------------------------------------------------------------
    private function sanitiseItemValue(byRef injectionArray, byVal vValue)
        Dim iArrayCounter
        Dim aRequestItem

        ' Iterate through the sql injection array
        for iArrayCounter = 0 to ubound(injectionArray)
            ' Split the request item's value around the SQL injection term
            aRequestItem = split(vValue, injectionArray(iArrayCounter))

            ' Rebuild the request item without the SQL injection term
            vValue = join(aRequestItem, vbNullString)
        next
        ' Return sanitised value
        sanitiseItemValue = vValue
    end function
    ' -------------------------------------------------------------
    private sub populateArray(byRef injectionArray)
    injectionArray = Array(_
    "/", _
    "\", _
    "'", _
    """", _
    ";", _
    "=", _
    "--", _
    "*", _
    ".", _
    "create", _
    "dbcc", _
    "dbo", _
    "delete", _
    "drop", _
    "exec", _
    "index", _
    "insert", _
    "from", _
    "having", _
    "inner", _
    "join", _
    "master", _
    "model", _
    "msdb", _
    "null", _
    "table", _
    "tables", _
    "tempdb", _
    "truncate", _
    "union", _
    "update", _
    "where", _
    "xp_cmdshell", _
    "xp_startmail", _
    "xp_sendmail", _
    "xp_makewebtask")
    end sub
    ' -------------------------------------------------------------
    Griff, Jul 7, 2005
    #1
  2. Griff

    mark | r Guest

    easiest thing is to make the usernames or passwords hard to reproduce

    btw we were asked to try and hack a leading recruitment agency's website - it
    only took 15 mins to guess the password "letmein"

    ho hum

    mark

    mark | r, Jul 7, 2005
    #2
  3. Griff

    Griff Guest


    > easiest thing is to make the usernames or passwords hard to reproduce


    I'm sure that it is....but, I'd like to detect when someone's trying to hack
    the system. If I detect SQL injection in the request objects then it can
    alert me to the fact.

    So, any ideas on my original post anyone?

    Thanks

    Griff
    Griff, Jul 7, 2005
    #3
  4. Bob Barrows [MVP]

    Griff wrote:
    > I have a multi-page ASP web application that uses information sent to
    > it from the client in the Request.Forms collection, the
    > Request.QueryString collection and the Request.Cookie collection.
    >
    > What I want to do is to sanitise ALL the information sent to EVERY
    > page.
    > I thought I'd achieve this by having an INCLUDE file inserted at the
    > top of EVERY page.
    >
    > This include file iterates through EVERY form, querystring and cookie
    > item and removes anything that looks like malicious SQL injections from
    > the
    > values. Having completed this task, the many web pages then access
    > the sanitised Request object with impunity.
    >
    > One minor drawback is that it doesn't seem to work...I can't update
    > the Request object with the sanitised value. [Error message: VBScript
    > runtime error: Object doesn't support this property or method]
    >
    > Either it's something silly in my coding or it's the wrong
    > approach....please advise accordingly (code below).
    >


    It's the wrong approach. The Request object is read-only. You cannot modify
    it. You can find the documentation at msdn.microsoft.com/library.

    Stop worrying about SQL Injection. Use parameters, not dynamic sql. SQL
    Injection depends on the use of dynamic sql. When you stop using dynamic
    sql, hackers have to find another way to compromise your site.

    This is not to say you should not validate the data resulting from user
    input: validation is important for preventing errors (datatype mismatch,
    missing data, etc.) and detecting hacker probes. Check this out:
    http://groups-beta.google.com/group..."Spy vs. Spy" McGinty&rnum=2#8ac1d417d8ecdba6


    HTH,
    Bob Barrows
    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
    Bob Barrows [MVP], Jul 7, 2005
    #4
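    Bob's point, in classic ASP, as an added example (not Bob's or Griff's code): the same lookup written as dynamic SQL (left as a comment) and then with ADODB.Command parameters, plus the input validation he still recommends. The connection string in Application("ConnString") and the table Users(UserName, PasswordHash) are assumed placeholders.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumed placeholders: a connection
' string in Application("ConnString") and a table Users(UserName, PasswordHash).

' Vulnerable form (kept only as a comment): the submitted value becomes part of
' the SQL text, so a quote character in it changes the statement's structure.
'   sSQL = "SELECT PasswordHash FROM Users WHERE UserName = '" & sUser & "'"

' Parameterised form: the statement text is fixed and the value is bound as data,
' so nothing the client sends can be parsed as SQL.
Function LookupPasswordHash(ByVal sConnString, ByVal sUserName)
    Dim oCmd, oRs
    LookupPasswordHash = vbNullString

    ' Validation still matters: reject empty or oversized input before touching the DB.
    If Len(sUserName) = 0 Or Len(sUserName) > 50 Then Exit Function

    Set oCmd = Server.CreateObject("ADODB.Command")
    oCmd.ActiveConnection = sConnString
    oCmd.CommandType = 1                                   ' adCmdText
    oCmd.CommandText = "SELECT PasswordHash FROM Users WHERE UserName = ?"
    ' adVarWChar (202), adParamInput (1), size 50: numeric values so no adovbs.inc is needed
    oCmd.Parameters.Append oCmd.CreateParameter("@UserName", 202, 1, 50, sUserName)

    Set oRs = oCmd.Execute
    If Not oRs.EOF Then LookupPasswordHash = oRs.Fields("PasswordHash").Value
    oRs.Close
    Set oRs = Nothing
    Set oCmd = Nothing
End Function

' Usage from a login page: the value comes straight from Request, with no
' keyword stripping, because it never becomes SQL text.
Dim sHash
sHash = LookupPasswordHash(Application("ConnString"), Request.Form("username"))
%>
```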
  5. Griff

    mark | r Guest

    if request.form contains "and 1 = 1" then get ip address and inputted
    username and save

    or if request.form does not contain username AND password ...

    mark

    mark | r, Jul 7, 2005
    #5
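    An added example (not mark's or Griff's code) that combines Griff's include-file idea with mark's detection: because the Request collections are read-only, the include copies every form, querystring and cookie item into a Scripting.Dictionary that the pages read instead, and any value matching a probe pattern such as "and 1 = 1" is logged with the client address and the submitted username. The log path /App_Data/probes.log and the form field name "username" are assumptions; this detects probes, it does not replace parameterised queries.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumed: a writable file at
' /App_Data/probes.log and a form field named "username".
Dim oInput, oRe
Set oInput = Server.CreateObject("Scripting.Dictionary")
oInput.CompareMode = vbTextCompare   ' item names are case-insensitive, like Request

' Probe patterns, word-bounded so ordinary text such as "update my profile" is not flagged.
Set oRe = New RegExp
oRe.IgnoreCase = True
oRe.Global = False
oRe.Pattern = "(\b(and|or)\b\s+\d+\s*=\s*\d+)|('\s*(--|;))|(\bunion\b\s+\bselect\b)|(\bxp_\w+)"

' Copies one Request collection into oInput (prefixed so form/qs/cookie names cannot collide)
' and logs any value that looks like a probe.
Sub CopyCollection(ByVal sPrefix, ByVal oColl)
    Dim sName, sValue
    For Each sName In oColl
        sValue = CStr(oColl(sName))
        oInput.Item(sPrefix & sName) = sValue
        If oRe.Test(sValue) Then LogProbe sPrefix & sName, sValue
    Next
End Sub

' Appends one tab-separated line: time, client IP, submitted username, item, value.
Sub LogProbe(ByVal sItem, ByVal sValue)
    Dim oFso, oLog
    Set oFso = Server.CreateObject("Scripting.FileSystemObject")
    Set oLog = oFso.OpenTextFile(Server.MapPath("/App_Data/probes.log"), 8, True) ' 8 = ForAppending
    oLog.WriteLine Now & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
                   Request.Form("username") & vbTab & sItem & vbTab & Left(sValue, 200)
    oLog.Close
    Set oLog = Nothing
    Set oFso = Nothing
End Sub

CopyCollection "form:", Request.Form
CopyCollection "qs:", Request.QueryString
CopyCollection "cookie:", Request.Cookies
' Pages that include this file read oInput.Item("form:username") and so on.
%>
```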