headbump
asked on
SQL injection retrofit solution for pages in ASP Javascript
Hi all,
One of my classic ASP sites was the victim of a SQL injection attack...it's written in ASP Javascript and connects to a SQL Server 7 db and I've looked up a possible safeguard from kevp on this forum found here:
https://www.experts-exchange.com/questions/21981569/How-to-prevent-sql-injection.html?eeSearch=true
My question is this...can his solution be implemented on my ASP Javascript pages? And if it can, can someone give me an example?
I don't really have any form field input on my pages, but we did discover that the db user that we were using to connect to the db with had write privileges...we changed that right away, and I guess what I'm wondering is if I have to do much else if all my pages do is call info from the db...here is an example of a recordset which provides info to an area of my page:
<%
var rsQuickLinks = Server.CreateObject("ADODB.Recordset");
rsQuickLinks.ActiveConnection = MM_xx_STRING;
rsQuickLinks.Source = "SELECT * FROM dbo.tblQuickLinks WHERE Status <> '0' ORDER BY SortOrder ASC";
rsQuickLinks.CursorType = 0;
rsQuickLinks.CursorLocation = 2;
rsQuickLinks.LockType = 1;
rsQuickLinks.Open();
var rsQuickLinks_numRows = 0;
// Dreamweaver repeat-region counters used by the loop below (-1 = show every row)
var Repeat2__numRows = -1;
var Repeat2__index = 0;
rsQuickLinks_numRows += Repeat2__numRows;
%>
and then it is called here:
<% if (!rsQuickLinks.EOF || !rsQuickLinks.BOF) { %>
<tr>
<td colspan="2"><img src="images/quicklinksheader.gif" alt="Quick Links Column Heading" width="134" height="33"></td>
<td> </td>
</tr>
<% while ((Repeat2__numRows-- != 0) && (!rsQuickLinks.EOF)) { %>
<tr>
<td width="20" valign="top"><img src="images/bullet.gif" alt="" width="20" height="20"></td>
<td><span class="announcementtitle"><a href="<%=(rsQuickLinks.Fields.Item("QuickLink").Value)%>" target="<%=(rsQuickLinks.Fields.Item("LinkTarget").Value)%>"><%=(rsQuickLinks.Fields.Item("QuickLinkDescription").Value)%></a></span></td>
</tr>
<%
Repeat2__index++;
rsQuickLinks.MoveNext();
}
%>
<% } // closes the EOF/BOF check above %>
Some of this data then links to detail pages utilizing query strings...
thanks so much and if I could award 5,000 pts for this I would...
H
Well, I don't know if this will be any help, but we have also been hit with a SQL injection, and the way we are getting round it is that one of our team has written a procedure to clean the data, and another programmer and I have been turning all the SQL statements into stored procedures.
Add this code to an include that is called in all pages:
<%
' Blacklist check of the raw query string: if any listed SQL keyword appears
' (URL-encoded, so "select%20" is "select "), redirect to the home page.
Dim pos
Dim sqlArray
Dim idx
Dim InjectionFound
Dim i
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec("
idx = split(sqlArray,"|")
InjectionFound = false
for i = 0 to ubound(idx)
  'Response.Write(idx(i))
  ' Case-insensitive search: both sides are upper-cased before InStr
  pos = InStr(1, UCase(Request.QueryString), UCase(idx(i)), 0)
  if pos <> 0 then
    InjectionFound = true
    exit for
  else
    InjectionFound = false
  end if
next
if InjectionFound = false then
  'Response.Write("Injection(s) Not Found")
else
  Response.Redirect("/")
  Response.End
end if
%>
This is SQL injection done via the query string.
https://www.experts-exchange.com/questions/23411125/Cleaning-Up-SQL-Injection-Attack-http-www-banner82-com-b-js-script.html
to replace
https://www.experts-exchange.com/questions/23463205/Search-complete-database-and-replace-string.html?cid=236&anchorAnswerId=21729180#a21729180
ASKER
Thanks for the replies...dosth, can I implement your include on an ASP Javascript page?
thanks,
H
Yes, just add this to an include and call the include at the top.
ASKER
dosth,
I tried it as an include before the language declaration:
<!--#include file="includes/sql_injection_chk.asp" -->
<%@LANGUAGE="JAVASCRIPT"%>
<!--#include file="Connections/xxx.asp" -->
and below the language declaration, and then tried to include the code on the page in both positions as well, but I get an internal server error each time...
I removed it and can see the page, however.
thanks,
H
For JavaScript you need to change the code; the one you have is for VBScript.
I will edit that and give it to you.
ASKER
dosth,
Thanks!
ASKER
thanks dosth, if you are super busy please let me know if I should post for rewriting in the Javascript zone...thanks again,
H
Instead of this you can write whatever you want; if you want to redirect to the home page, change these lines in my script:
Response.Write("Redirect");
Response.End();
<%@LANGUAGE="JAVASCRIPT"%>
<%
// JScript version of the blacklist include: scan the raw query string for the
// listed SQL keywords and stop the page if one is found.
var qString = "";
var pos, sqlArray, idx, i;
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec|varchar|nvarchar";
idx = sqlArray.split("|");
qString = qString + Request.QueryString();
for (i = 0; i < idx.length; i++)
{
  // Case-insensitive match, so it behaves like the UCase() comparison in the VBScript version
  pos = qString.search(new RegExp(idx[i], "i"));
  if (pos >= 0)
  {
    Response.Write("Redirect");
    Response.End();
  }
}
%>
In order to guard against SQL injection, one must look at the source of the problem, the code itself.
1. Stored Procedures must be implemented (Parameterized Queries)
2. Use a static test tool for VS in order to find possible SQL injection flaws.
3. Use a filter with a black list of special characters, SQL statements, etc. that will filter every request for bad input. (For ASP.NET you can use the Data Validator, which I believe is turned on by default.)
4. Run on a least privileged account. If you are only retrieving data, you don't need to allow insert, delete statements.
I must point out that SQL statements stored in JavaScript in the HTML are a very, very bad idea. That way, the attacker can gather detailed information about the system (table names, columns, etc.).
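Pulling monobo3's points 1 and 4 together with the asker's query-string detail pages, here is an added example in ASP JScript (not code from the thread or from any of its participants) of what a parameterized query looks like on a classic ASP JavaScript page: the id from the query string is checked against an allow-list pattern, then bound as a typed ADO parameter instead of being concatenated into the SQL text, and database values are HTML-encoded on the way out. The column name QuickLinkID, the query-string parameter name id, and the htmlEncode helper are assumptions; MM_xx_STRING, dbo.tblQuickLinks and the Status column come from the asker's own snippet. Point 4 (least privilege) lives on the database side, as a login that holds only SELECT on the tables the pages read; this code relies on that but cannot show it.

```javascript
// Added example (not code from the thread): allow-list the query-string id,
// then fetch the detail row through a parameterized ADODB.Command so the
// value never becomes part of the SQL text. Assumptions: the detail page is
// reached as detail.asp?id=N and tblQuickLinks has an integer key QuickLinkID
// (hypothetical name); MM_xx_STRING is the asker's connection string.

// ADO enumeration values (from the ADO type library; JScript pages have no adovbs.inc)
var adCmdText = 1;      // CommandType: plain SQL text
var adParamInput = 1;   // parameter direction: input
var adInteger = 3;      // 4-byte signed integer

// Accept only a plain positive integer of reasonable length; anything else
// (empty, signed, zero-padded, or carrying SQL tokens) is rejected with null.
function parseRecordId(raw) {
  var s = String(raw == null ? "" : raw);
  if (!/^[1-9][0-9]{0,8}$/.test(s)) {
    return null;
  }
  return parseInt(s, 10);
}

// The SQL text is a constant with a "?" placeholder; no concatenation anywhere.
var DETAIL_SQL =
  "SELECT QuickLink, LinkTarget, QuickLinkDescription " +
  "FROM dbo.tblQuickLinks WHERE QuickLinkID = ? AND Status <> '0'";

// Execute the detail query with the id bound as a typed parameter.
// Only runs under classic ASP, where the Server object exists.
function openQuickLinkDetail(connString, id) {
  var cmd = Server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = connString;
  cmd.CommandText = DETAIL_SQL;
  cmd.CommandType = adCmdText;
  // CreateParameter(name, type, direction, size, value)
  cmd.Parameters.Append(cmd.CreateParameter("id", adInteger, adParamInput, 4, id));
  return cmd.Execute();
}

// Minimal stand-in for Server.HTMLEncode so the rendering helper is testable
// outside ASP; under ASP, Server.HTMLEncode does the same job.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one detail row; database values are encoded on output so a stored
// script string cannot execute in the visitor's browser.
function renderDetailRow(link, description) {
  return "<tr><td><a href=\"" + htmlEncode(link) + "\">" +
    htmlEncode(description) + "</a></td></tr>";
}

// Page entry point: validate first, then query; a bad id gets a 404, not a query.
function handleDetailRequest() {
  var id = parseRecordId(Request.QueryString("id"));
  if (id === null) {
    Response.Status = "404 Not Found";
    Response.End();
    return;
  }
  var rs = openQuickLinkDetail(MM_xx_STRING, id);
  if (!rs.EOF) {
    Response.Write(renderDetailRow(rs.Fields.Item("QuickLink").Value,
                                   rs.Fields.Item("QuickLinkDescription").Value));
  }
  rs.Close();
}

// Under ASP the page runs the handler; elsewhere only the pure helpers load.
if (typeof Server !== "undefined") {
  handleDetailRequest();
}
```

Drop this into a JScript page in place of the Dreamweaver recordset block and the id is validated before the driver ever sees it; the ADO command sends the SQL and the integer separately, so there is nothing for a query-string value to break out of.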
ASKER
thanks dosth and monobo3,
So monobo3, does this mean that if I implement dosth's solution it will not be adequate?
I should look at turning every SQL request into a sproc and then call that sproc?
thanks,
H
ASKER CERTIFIED SOLUTION
ASKER
Thanks for everyone's help...I will post again when I am ready to parameterize my queries..
thanks,
H
thanks J
dosth
headbump, dosth's solution is secure; however, you should consider additional solutions as well, so the application can be 99% secure.
You should always solve the root of the problem, not just the tip of the iceberg.
ASKER
monobo3,
Thanks and I agree...am working on parameterizing queries and creating stored procs...
thanks again,
H