Preventing form injection on Classic ASP pages

Discussion in 'ASP General' started by bregent, Feb 10, 2006.

  1. bregent

    bregent Guest

    I've seen plenty of articles and utilities for preventing form injections for
    ASP.NET, but not too much for classic ASP. Are there any good input validation
    scripts that you use to avoid form injection attacks? I'm looking for good
    routines I can reuse on all of my form processing pages. Thanks.
     
    bregent, Feb 10, 2006
    #1

  2. "form injection"?
    Do you mean cross-site scripting (XSS)?
     
    Bob Barrows [MVP], Feb 10, 2006
    #2

  3. Evertjan.

    Evertjan. Guest

    bregent wrote on 10 feb 2006 in microsoft.public.inetserver.asp.general:
    If you do not mind losing non-alphanumeric characters,
    and don't have a user named O'Brien:

    <script runat=server language=jscript>
    // Whitelist filter: every run of characters other than letters, digits,
    // '.', ',' and '-' is collapsed to a single '?'
    function DesInjectString(s){
    return s.replace(/[^a-z\d\.,-]+/ig,'?')
    }
    </script>

    Not tested.
     
    Evertjan., Feb 10, 2006
    #3
  4. Here are some rules to follow which will prevent injection attacks.

    Never build SQL code by string concatenation with input from the client.
    Apply the above rule to code found inside Stored procedures.
    Always pass input data to SQL code via Command object parameters.

    Always call Server.HTMLEncode on data retrieved from the data base before
    sending to the client.

    Avoid using hidden fields to carry meaningful state that only the server
    needs.
    Instead store the state somewhere on the server (like in the DB) and send to
    the client a unique (preferably use-once-only) ID.

    Anthony.
     
    Anthony Jones, Feb 10, 2006
    #4
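The three rules above, shown side by side in a Classic ASP page. This is an added example, not code from the thread: the connection string, the `Guestbook` table and its columns, and the form field names are assumptions for illustration. The injectable concatenation form is kept next to the `ADODB.Command` form so the difference is visible in one place.

```vbscript
<%
' Added example (not from the thread): vulnerable concatenation beside the
' ADODB.Command parameter pattern, plus HTMLEncode on the way back out.
' Connection string, table and column names are assumptions.
Option Explicit

Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Guestbook;Integrated Security=SSPI;"

' ADO constants (values from adovbs.inc) so the page needs no include file.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1
Const adExecuteNoRecords = &H80

' VULNERABLE: the user's text becomes part of the SQL statement itself.
' A name of O'Brien breaks the statement; a quote followed by SQL rewrites it.
Sub InsertEntry_Vulnerable(conn, userName, message)
    Dim sql
    sql = "INSERT INTO Guestbook (UserName, Message) VALUES ('" & userName & "', '" & message & "')"
    conn.Execute sql, , adExecuteNoRecords
End Sub

' SAFE: the statement text is fixed; the values travel as typed parameters
' and are never parsed as SQL, so no quote doubling is needed.
Sub InsertEntry_Safe(conn, userName, message)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Guestbook (UserName, Message) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@Message", adVarWChar, adParamInput, 1000, message)
    cmd.Execute , , adExecuteNoRecords
End Sub

' Output rule: encode everything read back from the table before it reaches HTML.
' The "& """ turns a NULL column into "" so HTMLEncode never sees Null.
Sub WriteEntries(conn)
    Dim rs
    Set rs = conn.Execute("SELECT UserName, Message FROM Guestbook ORDER BY EntryID DESC")
    Do Until rs.EOF
        Response.Write "<p><b>" & Server.HTMLEncode(rs("UserName").Value & "") & "</b>: " & _
                       Server.HTMLEncode(rs("Message").Value & "") & "</p>"
        rs.MoveNext
    Loop
    rs.Close
End Sub

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' Length-limit and trim first (validation still matters), then pass the
    ' raw text through: the parameter carries it as a value, not as SQL.
    InsertEntry_Safe conn, Left(Trim(Request.Form("UserName") & ""), 50), _
                           Left(Trim(Request.Form("Message") & ""), 1000)
End If
WriteEntries conn

conn.Close
Set conn = Nothing
%>
```

The state rule is covered by omission: nothing here reads a hidden field. The entry's identity lives in the server-side `EntryID` column, and the page hands the client nothing it must trust on the way back.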
  5. bregent

    bregent Guest

    No, I'm not too worried about XSS, just mainly sql and email injection.
     
    bregent, Feb 10, 2006
    #5
  6. For SQL injection, simply avoid using concatenation to insert input values
    into SQL statements. Use parameters instead. I strongly advise encapsulating
    your queries in stored procedures, using parameters to pass the values to
    them. However, if you are phobic about using stored procedures, you can use
    this technique:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    I still validate server-side, but that's mainly to discover the attack.
    Using parameters prevents the attack even if my validation misses it.

    For email-injection, I know of no way to prevent that outside of validation.
    I'm surprised you haven't come up with any scripts in your google searches,
    but the same techniques that work in .Net can usually be revised to work in
    vbscript.
     
    Bob Barrows [MVP], Feb 13, 2006
    #6
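Bob's point that email injection can only be stopped by validation, worked into a reusable Classic ASP routine. This is an added example, not code from the thread: the form field names, the fixed sender and recipient addresses, and the `CDO.Message` send at the end are assumptions for illustration. The checks are aimed at the actual attack, which is getting a CR/LF (and then a `Bcc:` or `To:` line) into a value that the page copies into a mail header.

```vbscript
<%
' Added example (not from the thread): validation for contact-form fields
' that end up in mail headers. Field names, the fixed sender/recipient and
' the CDO.Message call are assumptions.
Option Explicit

' True unless the text could smuggle an extra header: any CR or LF, or a
' header-like "Name:" token at the start. Apply to every value that becomes
' a header (Reply-To, Subject); the message body may keep its line breaks.
Function IsHeaderSafe(value)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "[\r\n]|^\s*(bcc|cc|to|from|content-type|mime-version)\s*:"
    IsHeaderSafe = Not re.Test(value & "")
End Function

' Exactly one address: no whitespace, angle brackets or commas, so the value
' cannot expand into an address list or a display name carrying a payload.
Function IsSingleAddress(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$"
    IsSingleAddress = re.Test(value & "")
End Function

' Returns the rejection reasons for one submission; empty string means send it.
Function ValidateContactForm(fromAddr, subject, body)
    Dim problems
    problems = ""
    If Not IsSingleAddress(fromAddr) Then problems = problems & "Reply address is not a single valid address. "
    If Not IsHeaderSafe(subject) Then problems = problems & "Subject contains line breaks or header text. "
    If Len(subject) = 0 Or Len(subject) > 200 Then problems = problems & "Subject must be 1 to 200 characters. "
    If Len(body) > 5000 Then problems = problems & "Message is too long. "
    ValidateContactForm = problems
End Function

Dim fromAddr, subject, body, problems, msg
fromAddr = Trim(Request.Form("email") & "")
subject  = Trim(Request.Form("subject") & "")
body     = Request.Form("message") & ""

problems = ValidateContactForm(fromAddr, subject, body)
If Len(problems) > 0 Then
    ' A subject carrying "Bcc:" lines is a blatant attack; worth logging here.
    Response.Write "<p>" & Server.HTMLEncode(problems) & "</p>"
Else
    Set msg = Server.CreateObject("CDO.Message")
    msg.From = "webform@example.com"      ' fixed sender, never the user's input
    msg.To = "sales@example.com"          ' fixed recipient, never from a hidden field
    msg.ReplyTo = fromAddr                ' the validated single address
    msg.Subject = subject
    msg.TextBody = body
    msg.Send
    Response.Write "<p>Thanks, your message was sent.</p>"
End If
%>
```

The recipient is a constant in the page rather than a form field, which removes the easiest target; the regular expression then only has to guard the values that genuinely must come from the user.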
  7. bregent

    bregent Guest

    Thanks Bob, I read that and the linked articles and am beginning to understand
    how to implement these techniques. However, having never used the command
    object, what I still don't understand is exactly HOW these methods protect
    against an attack. How exactly do they prevent an attacker from inserting single
    quotes and comment marks and other malicious code into a parameter?
     
    bregent, Feb 13, 2006
    #7
  8. They don't.
    However, the fact that they are values being passed via parameter means that
    they will be treated as values instead of pieces of strings that need to be
    interpreted, so the inserted malicious code will simply be inserted into the
    database table - the query engine will make no attempt to interpret or
    execute the data.

    To see this in action, use SQL Profiler to trace what occurs when using both
    techniques.

    Do not use the fact that you are using parameters to eliminate doing
    validation. For one thing, you probably don't want that crappy data to be
    inserted into your database. For another, the attempt to insert it may raise
    an error (datatype mismatch, constraint violation, etc.) which you probably
    should avoid. For another, you might want to consider "punishing" blatant
    attacks - maybe redirect them to a page that takes 10 min. to load, etc.

    Bob Barrows
     
    Bob Barrows [MVP], Feb 13, 2006
    #8
  9. I just thought of an analogy that may help.
    vbscript has a method called Execute() which attempts to execute a string
    passed to it. Create a page with this code and run it to see what i'm
    talking about:

    <%
    Sub WriteText(sometext, moretext)
    response.write server.HTMLEncode(sometext) & "<BR>" & _
    server.HTMLEncode(moretext)
    End Sub
    dim s1, s2
    s1="try"
    s2="this "":response.write ""<script type='text/javascript'>" & _
    "alert('something bad')</script>"" '"
    WriteText s1,s2

    Response.Write "<BR><BR>Now see the difference " & _
    "using Execute()<BR><BR>"
    dim stmt
    stmt="WriteText """ & s1 & """, """ & s2 & """"
    'Response.Write server.HTMLEncode(stmt) & "<BR><BR>"
    Execute(stmt)
    %>
     
    Bob Barrows [MVP], Feb 13, 2006
    #9
  10. Not sure if this went through the first time. Even if it did, I've revised
    it to help make the distinction clearer:

    <%
    Response.Buffer=true
    ' The sub receives its arguments as plain values: whatever they contain
    ' is encoded and written, never interpreted.
    Sub WriteText(sometext, moretext)
    response.write server.HTMLEncode(sometext) & "<BR>" & _
    server.HTMLEncode(moretext)
    End Sub
    dim s1, s2
    s1="try"
    ' s2 carries a closing quote, a second statement and a trailing comment
    ' mark, so that it only does damage if it is parsed as code.
    s2="this "":response.write ""<script type='text/javascript'>" & _
    "alert('something bad')</script>"" '"
    Response.Write "First, see the result of just calling the " & _
    "sub, passing the text as argument values:<BR>"
    WriteText s1,s2
    Response.Write "<BR>See? No alert - text is simply written to page."
    Response.Flush
    dim i,t
    ' Crude pause so the two halves of the demo appear separately.
    t=now
    do until datediff("s",t,now)>=4
    loop
    Response.Flush

    Response.Write "<BR><BR>Now see the difference " & _
    "using Execute()<BR><BR>"
    Response.Flush
    t=now
    do until datediff("s",t,now)>=2
    loop
    ' Now the same values are concatenated into source text and executed;
    ' the quote in s2 ends the argument and the rest runs as a statement.
    dim stmt
    stmt="WriteText """ & s1 & """, """ & s2 & """"
    'Response.Write server.HTMLEncode(stmt) & "<BR><BR>"
    Execute(stmt)
    %>
     
    Bob Barrows [MVP], Feb 13, 2006
    #10
  11. bregent

    bregent Guest

    Makes sense now. Thanks for the help Bob!


     
    bregent, Feb 13, 2006
    #11
