Defending against SQL injection....

G

Griff

I have a multi-page ASP web application that uses information sent to it
from the client in the Request.Forms collection, the Request.QueryString
collection and the Request.Cookie collection.

What I want to do is to sanitise ALL the information sent to EVERY page.

I thought I'd achieve this by having an INCLUDE file inserted at the top of
EVERY page.

This include file iterates through EVERY form, querystring and cookie item
and removes anything that looks like malicious SQL injections from the
values. Having completed this task, the many web pages then access the
sanitised Request object with impunity.

One minor drawback is that it doesn't seem to work...I can't update the
Request object with the sanitised value. [Error message: VBScript runtime
error: Object doesn't suppor this property or method]

Either it's something silly in my coding or it's the wrong
approach....please advise accordingly (code below).

Thanks

Griff
---------------------------------------------------------------------------------------------
Dim asSQLInjectionWords ' Array to hold the injection keywords
Dim oRequestItemName ' Item in the request object (form, querystring and
cookies)
Dim vValue ' Item value

' Populate the array
populateArray asSQLInjectionWords

' Sanitise the request form objects
for each oRequestItemName in Request.Form
' Load the value
vValue = Request.Form(oRequestItemName)
' sanitise the request item value
Request.Form(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords,
vValue)
next 'oRequestItem

' Sanitise the request query string objects
for each oRequestItemName in Request.QueryString
' Load the value
vValue = Request.QueryString(oRequestItemName)
' sanitise the request item value
Request.QueryString(oRequestItemName) =
sanitiseItemValue(asSQLInjectionWords, vValue)
next 'oRequestItem

' Sanitise the request cookie objects
for each oRequestItemName in Request.Cookies
' Load the value
vValue = Request.Cookies(oRequestItemName)
' sanitise the request item value
Request.Cookies(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords,
vValue)
next 'oRequestItem

' Erase the array
erase asSQLInjectionWords


' -------------------------------------------------------------
private function sanitiseItemValue(byRef injectionArray, byVal vValue)
Dim iArrayCounter
Dim aRequestItem

' Iterate through the sql injection array
for iArrayCounter = 0 to ubound(injectionArray)
' Split the request item's value around the SQL injection term
aRequestItem = split(vValue, injectionArray(iArrayCounter))

' Rebuild the request item with out the SQL injection term
vValue = join(aRequestItem, vbNullString)

next
' Return sanitised value
sanitiseItemValue = vValue
end function
' -------------------------------------------------------------
private sub populateArray(byRef injectionArray)
injectionArray = Array(_
"/", _
"\", _
"'", _
"""", _
";", _
"=", _
"--", _
"*", _
".", _
"create", _
"dbcc", _
"dbo", _
"delete", _
"drop", _
"exec", _
"index", _
"insert", _
"from", _
"having", _
"inner", _
"join", _
"master", _
"model", _
"msdb", _
"null", _
"table", _
"tables", _
"tempdb", _
"truncate", _
"union", _
"update", _
"where", _
"xp_cmdshell", _
"xp_startmail", _
"xp_sendmail", _
"xp_makewebtask")
end sub
' -------------------------------------------------------------
 
M

mark | r

easiest thing is to make the usernames or passwords hard to reproduce

btw we were asked to try and hack a leading recuitment agencies website - it
only took 15 mins to guess the password "letmein"

ho hum

mark

Griff said:
I have a multi-page ASP web application that uses information sent to it
from the client in the Request.Forms collection, the Request.QueryString
collection and the Request.Cookie collection.

What I want to do is to sanitise ALL the information sent to EVERY page.

I thought I'd achieve this by having an INCLUDE file inserted at the top of
EVERY page.

This include file iterates through EVERY form, querystring and cookie item
and removes anything that looks like malicious SQL injections from the
values. Having completed this task, the many web pages then access the
sanitised Request object with impunity.

One minor drawback is that it doesn't seem to work...I can't update the
Request object with the sanitised value. [Error message: VBScript runtime
error: Object doesn't suppor this property or method]

Either it's something silly in my coding or it's the wrong
approach....please advise accordingly (code below).

Thanks

Griff
-------------------------------------------------------------------------- -------------------
Dim asSQLInjectionWords ' Array to hold the injection keywords
Dim oRequestItemName ' Item in the request object (form, querystring and
cookies)
Dim vValue ' Item value

' Populate the array
populateArray asSQLInjectionWords

' Sanitise the request form objects
for each oRequestItemName in Request.Form
' Load the value
vValue = Request.Form(oRequestItemName)
' sanitise the request item value
Request.Form(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords,
vValue)
next 'oRequestItem

' Sanitise the request query string objects
for each oRequestItemName in Request.QueryString
' Load the value
vValue = Request.QueryString(oRequestItemName)
' sanitise the request item value
Request.QueryString(oRequestItemName) =
sanitiseItemValue(asSQLInjectionWords, vValue)
next 'oRequestItem

' Sanitise the request cookie objects
for each oRequestItemName in Request.Cookies
' Load the value
vValue = Request.Cookies(oRequestItemName)
' sanitise the request item value
Request.Cookies(oRequestItemName) = sanitiseItemValue(asSQLInjectionWords,
vValue)
next 'oRequestItem

' Erase the array
erase asSQLInjectionWords


' -------------------------------------------------------------
private function sanitiseItemValue(byRef injectionArray, byVal vValue)
Dim iArrayCounter
Dim aRequestItem

' Iterate through the sql injection array
for iArrayCounter = 0 to ubound(injectionArray)
' Split the request item's value around the SQL injection term
aRequestItem = split(vValue, injectionArray(iArrayCounter))

' Rebuild the request item with out the SQL injection term
vValue = join(aRequestItem, vbNullString)

next
' Return sanitised value
sanitiseItemValue = vValue
end function
' -------------------------------------------------------------
private sub populateArray(byRef injectionArray)
injectionArray = Array(_
"/", _
"\", _
"'", _
"""", _
";", _
"=", _
"--", _
"*", _
".", _
"create", _
"dbcc", _
"dbo", _
"delete", _
"drop", _
"exec", _
"index", _
"insert", _
"from", _
"having", _
"inner", _
"join", _
"master", _
"model", _
"msdb", _
"null", _
"table", _
"tables", _
"tempdb", _
"truncate", _
"union", _
"update", _
"where", _
"xp_cmdshell", _
"xp_startmail", _
"xp_sendmail", _
"xp_makewebtask")
end sub
' -------------------------------------------------------------
Click to expand...
 
G

Griff

easiest thing is to make the usernames or passwords hard to reproduce
Click to expand...

I'm sure that it is....but, I'd like to detect when someone's trying to hack
the system. If I detect SQL injection in the request objects then it can
alert me to the fact.

So, any ideas on my original post anyone?

Thanks

Griff
 
B

Bob Barrows [MVP]

Griff said:
I have a multi-page ASP web application that uses information sent to
it from the client in the Request.Forms collection, the
Request.QueryString collection and the Request.Cookie collection.

What I want to do is to sanitise ALL the information sent to EVERY
page.
I thought I'd achieve this by having an INCLUDE file inserted at the
top of EVERY page.

This include file iterates through EVERY form, querystring and cookie
item and removes anything that looks like malicious SQL injections from
the
values. Having completed this task, the many web pages then access
the sanitised Request object with impunity.

One minor drawback is that it doesn't seem to work...I can't update
the Request object with the sanitised value. [Error message: VBScript
runtime error: Object doesn't suppor this property or method]

Either it's something silly in my coding or it's the wrong
approach....please advise accordingly (code below).
Click to expand...

It's the wrong aproach. The Request object is read-only. You cannot modify
it. You can find the documentation at msdn.microsoft.com/library.

Stop worrying about SQL Injection. Use parameters, not dynamic sql. SQL
Injection depends on the use of dynamic sql. When you stop using dynamic
sql, hackers have to find another way to compromise your site.

This is not to say you should not validate the data resulting from user
input: validation is important for preventing errors (datatype mismatch,
missing data, etc.) and detecting hacker probes. Check this out:
http://groups-beta.google.com/group..."Spy+vs.+Spy"+McGinty&rnum=2#8ac1d417d8ecdba6


HTH,
Bob Barrows
 
M

mark | r

if request.form contains "and 1 = 1" then get ip address and inputted
username and save

or if request.form does not contain username AND password ...

mark
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SQL Injection 4
Survey details won't go through using php, ajax, Mysql 0
checking POST vars for SQL INJECTION 1
SQL Injection and preventing querystring abuse 7
MS SQL ASP Update timestamp 4
Collect Excel Data from Website 5
Using Arrays to write data to SQL Server 2
Working with an array 5

Members online

Total: 38 (members: 1, guests: 37)
Robots: 512

Forum statistics

Threads
473,769
Messages
2,569,579
Members
45,053
Latest member
BrodieSola

Latest Threads

Top