Solved

SQL injection retrofit solution for pages in ASP Javascript

Posted on 2008-06-26
17
494 Views
Last Modified: 2010-04-21
Hi all,

One of my classic ASP sites was the victim of a SQL injection attack...it's written in ASP Javascript and connects to a SQL Server 7 db and I've looked up a possible safeguard from kevp on this forum found here:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/ASP/Q_21981569.html?eeSearch=true

My question is this...can his solution be implemented on my ASP Javascript pages? And if it can, can someone give me an example?

I don't really have any form field input on my pages, but we did discover that the db user that we were using to connect to the db with had write privileges...we changed that right away, and I guess what I'm wondering is if I have to do much else if all my pages do is call info from the db...here is an example of a recordset which provides info to an area of my page:

<%
// Recordset that feeds the Quick Links column. MM_xx_STRING comes from the
// connection include; the SELECT text is fixed and takes no request input.
var rsQuickLinks = Server.CreateObject("ADODB.Recordset");
rsQuickLinks.ActiveConnection = MM_xx_STRING;
rsQuickLinks.Source = "SELECT * FROM dbo.tblQuickLinks WHERE Status <> '0' ORDER BY SortOrder ASC";
rsQuickLinks.CursorType = 0;      // adOpenForwardOnly
rsQuickLinks.CursorLocation = 2;  // adUseServer
rsQuickLinks.LockType = 1;        // adLockReadOnly
rsQuickLinks.Open();
var rsQuickLinks_numRows = 0;
// Counters used by the repeat region below (Dreamweaver pattern); -1 means "all rows".
var Repeat2__numRows = -1;
var Repeat2__index = 0;
rsQuickLinks_numRows += Repeat2__numRows;
%>

and then it is called here:

<% if (!rsQuickLinks.EOF || !rsQuickLinks.BOF) { %>
<tr>
    <td colspan="2"><img src="images/quicklinksheader.gif" alt="Quick Links Column Heading" width="134" height="33"></td>
    <td>&nbsp;</td>
</tr>
<% while ((Repeat2__numRows-- != 0) && (!rsQuickLinks.EOF)) { %>
<tr>
    <td width="20" valign="top"><img src="images/bullet.gif" alt="" width="20" height="20"></td>
    <td><span class="announcementtitle"><a href="<%=(rsQuickLinks.Fields.Item("QuickLink").Value)%>" target="<%=(rsQuickLinks.Fields.Item("LinkTarget").Value)%>"><%=(rsQuickLinks.Fields.Item("QuickLinkDescription").Value)%></a></span></td>
</tr>
<%
    Repeat2__index++;
    rsQuickLinks.MoveNext();
}
%>
<% } // closes the EOF/BOF check above %>

Some of this data then links to detail pages utilizing query strings...

thanks so much and if I could award 5,000 pts for this I would...

H
Question by:headbump
17 Comments
 
LVL 3

Expert Comment

by:darkmooink
ID: 21874727
Well, I don't know if this will be any help, but we have also been hit with an SQL injection, and the way we are getting round it is that one of our team has written a procedure to clean the data, and I and another programmer have been turning all the SQL statements into stored procedures.
0
 
LVL 15

Expert Comment

by:dosth
ID: 21874787
Add this code to an include that is called in all pages:

<%
      Dim pos
      Dim sqlArray
      Dim idx
      Dim i
      Dim InjectionFound
      ' Keywords that should never appear in a query string on these pages.
      ' %20 is a URL-encoded space: Request.QueryString is still encoded here.
      sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec("
      idx = Split(sqlArray, "|")
      InjectionFound = False
      For i = 0 To UBound(idx)
            ' case-insensitive substring search over the whole raw query string
            pos = InStr(1, UCase(Request.QueryString), UCase(idx(i)), 0)
            If pos <> 0 Then
                  InjectionFound = True
                  Exit For
            End If
      Next

      If InjectionFound Then
            Response.Redirect("/")
            Response.End
      End If
%>
0
 
LVL 15

Expert Comment

by:dosth
ID: 21874802
0
 

Author Comment

by:headbump
ID: 21874867
Thanks for the replies...dosth, can I implement your include on an ASP Javascript page?

thanks,
H
0
 
LVL 15

Expert Comment

by:dosth
ID: 21874885
Yes, just add this to an include and call the include at the top.
0
 

Author Comment

by:headbump
ID: 21875164
dosth,

I tried it as an include before the language declaration:
<!--#include file="includes/sql_injection_chk.asp" -->
<%@LANGUAGE="JAVASCRIPT"%>
<!--#include file="Connections/xxx.asp" -->

I also tried it below the language declaration, and then tried including the code directly on the page in both positions as well, but I get an internal server error each time...
I removed it and can see the page however..

thanks,

H
0
 
LVL 15

Expert Comment

by:dosth
ID: 21875215
For JavaScript you need to change the code; the one you have is for VBScript.

I will edit that and give it to you.
0
 

Author Comment

by:headbump
ID: 21875246
dosth,

Thanks!
0
 

Author Comment

by:headbump
ID: 21880928
Thanks dosth, if you are super busy please let me know if I should post for rewriting in the JavaScript zone...thanks again,

H
0
 
LVL 15

Expert Comment

by:dosth
ID: 21881600
Instead of this you can write whatever you want; if you want to redirect to the home page, change these lines in my script:
Response.Write("Redirect");
Response.End();


<%@LANGUAGE="JAVASCRIPT"%>
<%
var qString = "";
var pos, sqlArray, idx, InjectionFound, i;
// Same keyword list as the VBScript version, plus varchar/nvarchar.
sqlArray = "select%20|delete%20|update%20|insert%20|create%20|alter%20|drop%20|truncate%20|sp_|declare%20|exec|varchar|nvarchar";
idx = sqlArray.split("|");
InjectionFound = false;

// Request.QueryString() with no argument returns the raw (still URL-encoded)
// query string. Upper-case both sides: indexOf is case-sensitive, so without
// this "SELECT%20" would slip past a lower-case list.
qString = (qString + Request.QueryString()).toUpperCase();
for (i = 0; i < idx.length; i++)
{
      pos = qString.indexOf(idx[i].toUpperCase());
      if (pos >= 0)
      {
            InjectionFound = true;
            Response.Write("Redirect");
            Response.End();   // JScript needs the parentheses to actually call End
      }
}
%>
0
 

Expert Comment

by:monobo3
ID: 21881738
In order to guard against SQL injection, one must look at the source of the problem, the code itself.

1. Stored Procedures must be implemented (Parameterized Queries)
2. Use a static test tool for VS in order to find possible SQL injection flaws.
3. Use a filter with a black list of special characters, SQL statements, etc., that will filter every request for bad input. (For ASP.NET you can use the Data Validator, which I believe is turned on by default.)
4. Run on a least privileged account. If you are only retrieving data, you don't need to allow insert, delete statements.

I must point out that SQL statements stored in JavaScript in the HTML are a very, very bad idea. That way, the attacker can gather detailed information about the system (table names, columns, etc.).
0
 

Author Comment

by:headbump
ID: 21882935
thanks dosth and monobo3,

So monobo3, does this mean that if I implement dosth's solution it will not be adequate?
I should look at turning every SQL request into a sproc and then call that sproc?

thanks,
H
0
 
LVL 15

Accepted Solution

by:
dosth earned 500 total points
ID: 21882953
The one I gave doesn't allow someone to go into the database.

But the best practice is to check each and every query string input and do that as a stored procedure. That will take long, so my solution will fix you until you change all your pages to have correct input validation.
0
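Both monobo3's first point (parameterized queries / stored procedures) and dosth's accepted answer (check every query string input) amount to the same retrofit for the detail pages the question mentions. The block below is an added example, not code from this thread or from either expert: it validates the query string id on an ASP JScript page and binds it as a typed parameter on an ADODB.Command, so the value never becomes part of the SQL text. The `id` query string name and the `QuickLinkID` column are assumptions (neither appears in the question); `dbo.tblQuickLinks` and `MM_xx_STRING` come from the question's own code, and the ADO constant values are the ones ADO defines. The `server` argument exists so the two functions can also be exercised outside IIS with a stand-in object.

```javascript
// Added example (not from the thread): a parameterized detail-page query for
// classic ASP written in JScript. The record id from the query string is
// validated and then bound as a typed ADODB parameter, so it never becomes
// part of the SQL text. Assumed: a column dbo.tblQuickLinks.QuickLinkID and a
// query-string parameter named "id" (neither appears in the question).

// ADO constants with the values ADO defines (normally from adojavas.inc).
var adCmdText = 1;
var adParamInput = 1;
var adInteger = 3;

// Validate the raw query-string value: the detail page expects a positive
// integer id. Returns the number, or null when the value is missing, empty,
// or contains anything other than 1 to 9 digits (so "1 OR 1=1" is rejected).
function parseRecordId(raw) {
  var s = (raw === undefined || raw === null) ? "" : String(raw);
  if (!/^\d{1,9}$/.test(s)) {
    return null;
  }
  var n = parseInt(s, 10);
  return n > 0 ? n : null;
}

// Build an ADODB.Command with a '?' placeholder and one bound parameter.
// `server` is the ASP Server object (or a test double exposing CreateObject),
// `connString` the ADO connection string (MM_xx_STRING in the question).
function buildDetailCommand(server, connString, recordId) {
  var cmd = server.CreateObject("ADODB.Command");
  cmd.ActiveConnection = connString;
  cmd.CommandText = "SELECT QuickLink, LinkTarget, QuickLinkDescription " +
                    "FROM dbo.tblQuickLinks " +
                    "WHERE QuickLinkID = ? AND Status <> '0'";
  cmd.CommandType = adCmdText;
  // Name, type, direction, size, value: the driver sends the id as an integer,
  // so quotes, semicolons or comment markers in the input have no meaning.
  cmd.Parameters.Append(
    cmd.CreateParameter("@id", adInteger, adParamInput, 4, recordId));
  return cmd;
}

// Page-level usage; guarded so the file also loads outside IIS (e.g. to try
// the two functions above with a stand-in Server object).
if (typeof Server !== "undefined" && typeof Request !== "undefined") {
  var id = parseRecordId(String(Request.QueryString("id")));
  if (id === null) {
    Response.Status = "400 Bad Request";
    Response.End();
  }
  var rsDetail = buildDetailCommand(Server, MM_xx_STRING, id).Execute();
  while (!rsDetail.EOF) {
    // HTMLEncode on output so stored text cannot inject markup either.
    Response.Write(Server.HTMLEncode(
      String(rsDetail.Fields.Item("QuickLinkDescription").Value)));
    rsDetail.MoveNext();
  }
  rsDetail.Close();
}
```

The same shape works for a stored procedure: set `CommandType` to `adStoredProc` (4), put the procedure name in `CommandText`, and append the parameters in the order the procedure declares them. The keyword filter earlier in the thread remains a stopgap; once every request value is either validated like `parseRecordId` or bound like the parameter above, the SQL text no longer depends on anything the client sent.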
 

Author Closing Comment

by:headbump
ID: 31470964
Thanks for everyone's help...I will post again when I am ready to parameterize my queries..

thanks,
H
0
 
LVL 15

Expert Comment

by:dosth
ID: 21883102
thanks J
dosth
0
 

Expert Comment

by:monobo3
ID: 21905321
headbump, dosth's solution is secure; however, you should consider additional solutions as well, so the application can be 99% secure.

You should always solve the root of the problem, not just the tip of the iceberg.
0
 

Author Comment

by:headbump
ID: 21906999
monobo3,

Thanks and I agree...am working on parameterizing queries and creating stored procs...

thanks again,
H
0
