ASP Data Sanitizing

Started by Cobra, September 06, 2005, 05:06:07 AM

September 06, 2005, 05:06:07 AM Last Edit: September 06, 2005, 05:08:49 AM by Cobra
Okay! I've been writing a paper on Black Box Testing Web Applications for a while now, and have been doing a bit of "research" for the paper.

Now, being as I work as a web applications developer, it is hilarious to see some of the mistakes being made..

But 2 mistakes that are showing up ALL the time in ASP apps (in PHP as well) are SQL & Variable Injection vulnerabilities.

I have checked some very high profile sites for these problems and you would be surprised at how many crop up.

So as part of my rant!

Firstly .. ""DON'T"" be lazy and just use
Code (ASP):
request("parm")

specify the fuckin source..

Second..
If you are passing strings to an SQLstatement .. CHECK YOUR FUCKING DATA!
A VBS function is all it takes,
Code (ASP):
Function strReplaceChar(strTxt)

  ' Nothing to do for an empty string
  If strTxt = "" Then Exit Function

  ' Encode the characters that matter inside SQL string literals and
  ' LIKE patterns as HTML entities so they lose their special meaning
  strTxt = Replace(strTxt, "'", "&#39;")
  strTxt = Replace(strTxt, Chr(34), "&quot;")
  strTxt = Replace(strTxt, "%", "&#37;")
  strTxt = Replace(strTxt, "*", "&#42;")
  strTxt = Replace(strTxt, "[", "&#91;")
  strTxt = Replace(strTxt, "]", "&#93;")

  strReplaceChar = strTxt
End Function


Third of all.. and I have seen this happen a lot. I have told people to check their data etc etc.. However they seem to think running that function on numeric values is going to save their ass .. HOW!! .. HOWW!!!!

If your database field type is INT or any sort of a numeric variation, and someone has changed the parm value to include chars, then your database and app are going to cough up a kidney onto your screen.

So make sure to use
Code (ASP):
IsNumeric()

before sending it to your SQL statement.

Just a basic level of data sanitizing, but it will save a lot of hassle later.

It is crazy how many massive websites don't even perform this basic level of checking on their data before passing it to their SQL.

Okay .. my rant is over..
I am not suffering with insanity... I am loving every minute of it.
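The three points from the post pulled together in one classic ASP page, as an added example (not Cobra's code): it names the request source, tightens the numeric check beyond a bare IsNumeric(), and goes one step further than the post by handing the value to the database as a typed parameter instead of concatenating it. objConn is assumed to be an already-open ADODB.Connection.

```vbscript
<%
Option Explicit
' Added example, not from the original post. Assumes objConn is an open ADODB.Connection.

' Accept only a plain string of digits of sane length. IsNumeric alone is too
' loose: it also accepts "1e3", "1.5", "&H1F" and " 12 ", none of which is an id.
Function ValidId(strVal)
    Dim i
    ValidId = False
    If Len(strVal) = 0 Or Len(strVal) > 9 Then Exit Function
    If Not IsNumeric(strVal) Then Exit Function
    For i = 1 To Len(strVal)
        If InStr("0123456789", Mid(strVal, i, 1)) = 0 Then Exit Function
    Next
    ValidId = True
End Function

' 1. Name the source: this id is only ever expected in the query string,
'    so Request.Form and cookies are deliberately not consulted.
Dim strId
strId = Request.QueryString("id")

' 2. Reject anything that is not a well-formed id before any SQL is built.
If Not ValidId(strId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

' 3. Pass the validated value as a typed parameter (adInteger = 3,
'    adParamInput = 1) so it never becomes part of the statement text.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandText = "SELECT name FROM products WHERE id = ?"
cmd.CommandType = 1   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(strId))
Set rs = cmd.Execute

' Encode on the way out as well, so stored data cannot inject into the page.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("name") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```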

Actually this has some good value for all languages.

If you're going to be using larger numbers than an int, then specify that. If you're using numbers, do check that you receive numbers. Don't dereference invalid pointers, etc.

Always check your data (especially user input)!

Of course, in C it's a bit different, but the main point is: always run sanity checks.

I personally believe that MS teaches bad style (at least for those who only know windows). They don't follow standards, and many other things that teach faulty practices.

And of course all those layers of patches prove that they can't code in a clean way ... which is a damn shame, since if they cared they could; they have the time and money but all they want is to do things 'their way'.

Another example is the 'void main' versus 'int main' (it's int, damnit!)

Could go on forever ....
"My Terminal is my Soul"
