
Topic: ASP Data Sanitizing


Cobra
ASP Data Sanitizing
« on: September 06, 2005, 05:06:07 AM »
Okay! I've been writing a paper on Black Box Testing Web Applications for a while now, and have been doing a bit of "research" for the paper.

Now, being as I work as a web applications developer, it is hilarious to see some of the mistakes being made..

But two mistakes that are showing up ALL the time in ASP apps (in PHP as well) are SQL & Variable Injection vulnerabilities.

I have checked some very high profile sites for these problems and you would be surprised at how many crop up.

So as part of my rant!

Firstly .. "DON'T" be lazy and just use
Code: ASP
  Request("parm")
specify the fuckin source..

Second..
If you are passing strings to an SQLstatement .. CHECK YOUR FUCKING DATA!
A VBScript function is all it takes:
Code: ASP
  Function strReplaceChar(strTxt)
      ' Empty input: return an empty string rather than leaving the result Empty
      If strTxt = "" Then
          strReplaceChar = ""
          Exit Function
      End If

      ' The replacement strings were lost when the post was rendered (the forum
      ' decoded the HTML entities back into the very characters being replaced).
      ' They are restored here as HTML entities, the form consistent with that
      ' damage; treat the exact entities as an assumption.
      strTxt = Replace(strTxt, "'", "&#39;")
      strTxt = Replace(strTxt, Chr(34), "&quot;")
      strTxt = Replace(strTxt, "%", "&#37;")
      strTxt = Replace(strTxt, "*", "&#42;")
      strTxt = Replace(strTxt, "[", "&#91;")
      strTxt = Replace(strTxt, "]", "&#93;")

      strReplaceChar = strTxt
  End Function

Third of all.. and I have seen this happen a lot. I have told people to check their data etc etc.. However they seem to think running that function on numeric values is going to save their ass .. HOW!! .. HOWW!!!!

If your database field type is INT or any sort of a numeric variation, and someone has changed the parm value to include chars, then your database and app are going to cough up a kidney onto your screen.

So make sure to use
Code: ASP
  IsNumeric()
before sending it to your SQL statement.

Just a basic level of data sanitizing, but it will save a lot of hassle later.

It is crazy how many massive websites don't even perform this basic level of checking on their data before passing it to their SQL.

Okay .. my rant is over..
« Last Edit: September 06, 2005, 05:08:49 AM by Cobra »
I am not suffering with insanity... I am loving every minute of it.
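The three points from the post above, put together in one classic ASP page as an added example (this is not code from the original post): the request source is named explicitly, the numeric parameter is checked before it goes anywhere near SQL, and the string parameter is bound through ADODB.Command instead of being escaped with Replace. The connection string, the `users` table and its `id`/`name` columns, and the helper names `IsWholeNumber` and `LookupUser` are assumptions made for the illustration.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example; assumes an ADO-capable database reachable with strConn (placeholder).
' ADO constants, normally pulled in from adovbs.inc or the ADODB type library.
Const adCmdText    = 1
Const adInteger    = 3
Const adVarWChar   = 202
Const adParamInput = 1

' 1. Name the source. Request("id") also searches cookies and server variables,
'    so an attacker can feed a value through a channel you never intended to read.
Dim strId, strName
strId   = Request.QueryString("id")
strName = Request.Form("name")

' 2. Numeric input: IsNumeric alone is loose (it accepts "1e3", "&H1F", "12.0"),
'    so require that the value round-trips through CLng unchanged.
Function IsWholeNumber(strValue)
    Dim lngValue
    IsWholeNumber = False
    If IsNumeric(strValue) Then
        On Error Resume Next        ' CLng raises on overflow
        lngValue = CLng(strValue)
        If Err.Number = 0 Then
            If CStr(lngValue) = strValue Then IsWholeNumber = True
        End If
        Err.Clear
        On Error GoTo 0
    End If
End Function

' 3. String input: bind it as a parameter so quotes, %, [ and ] are data, not SQL.
Function LookupUser(objConn, lngId, strUserName)
    Dim objCmd
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdText
    objCmd.CommandText = "SELECT id, name FROM users WHERE id = ? AND name = ?"
    objCmd.Parameters.Append objCmd.CreateParameter("id", adInteger, adParamInput, , lngId)
    objCmd.Parameters.Append objCmd.CreateParameter("name", adVarWChar, adParamInput, 50, strUserName)
    Set LookupUser = objCmd.Execute
End Function

' Reject bad input before touching the database; do not try to "clean" it.
If Not IsWholeNumber(strId) Then
    Response.Status = "400 Bad Request"
    Response.Write "id must be a whole number"
    Response.End
End If
If Len(strName) = 0 Or Len(strName) > 50 Then
    Response.Status = "400 Bad Request"
    Response.Write "name is required (max 50 characters)"
    Response.End
End If

Dim strConn, objConn, objRs
' Placeholder connection string (assumption); replace with your own.
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=app;Integrated Security=SSPI;"
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strConn
Set objRs = LookupUser(objConn, CLng(strId), strName)
Do Until objRs.EOF
    ' Encode on the way out to the page as well; SQL-safe is not HTML-safe.
    Response.Write Server.HTMLEncode(objRs("name").Value) & "<br>"
    objRs.MoveNext
Loop
objRs.Close
objConn.Close
%>
```

One caveat a reviewer would raise: binding a value as a parameter stops it from being parsed as SQL, but if that value is later used inside a LIKE pattern, `%`, `_`, `[` and `]` are still wildcards to SQL Server. Parameterization removes the injection; wildcard characters in a search field still need their own handling (for example an ESCAPE clause) if users must not be able to search with them.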

Metgod
Re: ASP Data Sanitizing
« Reply #1 on: September 06, 2005, 08:57:13 AM »
Actually this has some good value for all languages.

If you're going to be using larger numbers than an int, then specify that. If you're using numbers, do check that you receive numbers. Don't dereference invalid pointers, etc.

Always check your data (especially user input)!

Of course, in C it's a bit different, but the main point is: always run sanity checks.

I personally believe that MS teaches bad style (at least for those who only know Windows). They don't follow standards, and many other things that teach faulty practices.

And of course all those layers of patches prove that they can't code in a clean way ... which is a damn shame, since if they cared they could; they have the time and money but all they want is to do things 'their way'.

Another example is the 'void main' versus 'int main' (it's int, damnit!)

Could go on forever ....
"My Terminal is my Soul"