Okay! I've been writing a paper on Black Box Testing Web Applications for a while now, and have been doing a bit of "research" for the paper.
Now, as I work as a web applications developer, it is hilarious to see some of the mistakes being made..
But 2 mistakes that are showing up ALL the time in ASP apps (in PHP as well) are SQL & variable injection vulnerabilities.
I have checked some very high profile sites for these problems and you would be surprised at how many crop up.
So as part of my rant!
Firstly.. "DON'T" be lazy and just use request("parm"); specify the fuckin source..
Second..
If you are passing strings to an SQL statement.. CHECK YOUR FUCKING DATA!
A VBScript function is all it takes:
Function strReplaceChar(strTxt)
    ' Escape or strip characters before strTxt is concatenated into an SQL statement.
    If strTxt = "" Then
        strReplaceChar = ""
        Exit Function
    End If
    ' A single quote closes the SQL string literal; doubling it keeps it inside the literal.
    strTxt = Replace(strTxt, "'", "''")
    ' Double quote and LIKE wildcards: stripped here (assumed policy; adjust to what the query needs).
    strTxt = Replace(strTxt, Chr(34), "")
    strTxt = Replace(strTxt, "%", "")
    strTxt = Replace(strTxt, "*", "")
    strTxt = Replace(strTxt, "[", "")
    strTxt = Replace(strTxt, "]", "")
    strReplaceChar = strTxt
End Function
Third of all.. and I have seen this happen a lot. I have told people to check their data etc. etc.. However, they seem to think running that function on numeric values is going to save their ass.. HOW!!.. HOWW!!!!
If your database field type is INT or any sort of numeric variation, and someone has changed the parm value to include chars, then your database and app are going to cough up a kidney onto your screen.
So make sure to use IsNumber() before sending it to your SQL statement.
Just a basic level of data sanitizing, but it will save a lot of hassle later.
It is crazy how many massive websites don't even perform this basic level of checking on their data before passing it to their SQL.
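The two checks the post describes, ported to Python over an in-memory SQLite table so their effect can be seen (an added example, not the poster's code; the users table, its rows and the function names are constructed): quote-doubling before a string is concatenated into SQL, and a numeric check before a value reaches an INT column.

```python
import sqlite3
from typing import List, Optional


def str_replace_char(txt: str) -> str:
    """Port of the post's sanitizer: doubling a single quote keeps user data
    inside the SQL string literal instead of letting it close the literal."""
    if txt == "":
        return txt
    return txt.replace("'", "''")


def is_number(txt: str) -> bool:
    """Port of the post's numeric check: accept only what parses as an integer."""
    try:
        int(txt)
        return True
    except ValueError:
        return False


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn


def find_by_name(conn: sqlite3.Connection, name: str, sanitize: bool) -> List[int]:
    """Builds the query by string concatenation, the pattern the post complains
    about; 'sanitize' toggles the quote-doubling step so both cases can be compared."""
    value = str_replace_char(name) if sanitize else name
    sql = "SELECT id FROM users WHERE name = '" + value + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """INT column: the value is unquoted in the SQL, so quote-doubling cannot
    help; reject anything that is not a number before it is concatenated."""
    if not is_number(raw_id):
        return None
    sql = "SELECT name FROM users WHERE id = " + str(int(raw_id))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None
```

Without the quote-doubling step a name such as O'Brien is a syntax error and a value containing `' OR 'a'='a` returns every row; with it, both are treated as plain text. Parameterised queries (ADO command parameters in classic ASP) remove the need for the escaping step entirely.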
Okay .. my rant is over..