
Wednesday, 12 September 2012

Preventing SQL Injection Attacks in Classic ASP

Preventing SQL Injection Attacks in Classic ASP and SQL Injection tips for ASP 2.0 
----------------------------------------------------------------------------------------------------------
Step1:

Include <% Option Explicit %> in all pages, so that variables cannot be created without first being declared.

----------------------------------------------------------------------------------------------------------
Step2:

Client-side JavaScript validation is a must, and the maxlength attribute should be set on every form field.

Example:

// Called from the form's onsubmit handler; returning false stops the submit
function frmpostreq()
{
    if (document.postreq.email.value == "")
    {
        alert("Please enter Email Address");
        document.postreq.email.focus();
        return false;
    }
    return true;
}

----------------------------------------------------------------------------------------------------------
Step3:

Server-side validation is a must; check each field's length in the ASP page, because client-side checks can be bypassed.

Example:

<%
''' Email: reject an empty value '''
if trim(Request.Form("email")) = "" then
    Response.Write("Enter Email !")
    Response.End
end if
%>

<%
''' Email: enforce the same length the database column allows '''
if len(Request.Form("email")) > 50 then
    Response.Write("Email ID value can not be greater than 50 characters")
    Response.End
end if
%>

----------------------------------------------------------------------------------------------------------
Step4:

Check the HTTP_REFERER header so that the page only accepts forms posted from your own site. The Referer header is sent by the client and can be missing or forged, so treat this as a nuisance filter rather than a security boundary.

Example:

<form method="post" action="getval.asp" id="frm1" name="frm1">

Include the following code in the getval.asp page.

<%
' No Referer at all: the request did not come from a form on this site
if Request.ServerVariables("HTTP_REFERER") = "" or IsEmpty(Request.ServerVariables("HTTP_REFERER")) Then
 Response.write "Please Go To www.sqlinjectiontruths.blogspot.in/"
 Response.end
End if

' Referer present but not this site (InStr with compare mode 1 = case-insensitive)
if instr(1, Request.ServerVariables("HTTP_REFERER"), "sqlinjectiontruths.blogspot.in", 1) = 0 Then
 Response.write "Please Go To www.sqlinjectiontruths.blogspot.in/"
 Response.end
End if
%>

----------------------------------------------------------------------------------------------------------
Step5:

Remember to close and release the recordset object and the connection object

' Close before releasing: once a variable is set to Nothing it no longer
' refers to the object, so .close on it would fail
recordset.close
set recordset=nothing
connectionstring.close
set connectionstring=nothing

(or)

' Use Call (no bare parentheses) so the argument is passed by reference and
' the Set obj = Nothing inside the function also clears the caller's variable
Call killobject(recordset)
Call killobject(connectionstring)

<%
' Closes an open ADO object (State = 1 is adStateOpen) and releases it
function killobject(obj)
 if isobject(obj) then
  IF obj.state = 1 THEN obj.close
 End if
 Set obj = Nothing
end function
%>

----------------------------------------------------------------------------------------------------------
Step6:

A very important technique is to validate numeric query string values with the CInt (or) IsNumeric ASP function

' CInt raises a "Type mismatch" error on non-numeric input and overflows
' above 32767; use CLng for larger IDs
ID=CInt(trim(Request.QueryString("ID")))

or

' IsNumeric returns only True/False, so test first and convert on success
If Isnumeric(trim(Request.QueryString("ID"))) Then
    ID=CLng(trim(Request.QueryString("ID")))
Else
    Response.Write("Invalid ID")
    Response.End
End If


----------------------------------------------------------------------------------------------------------
Step7:

A very important technique is to validate string values with the Replace ASP function

When the Request.Form value is a string

email=trim(Replace(CStr(Request.Form("email")), "'", "''"))

When the query string value is a string

ID=trim(Replace(CStr(Request.QueryString("ID")), "'", "''"))

Doubling the single quote only protects values placed inside single-quoted SQL string literals; numeric values are not quoted in SQL, so they must be validated as numbers (Step 6) instead.

----------------------------------------------------------------------------------------------------------
Step8:

Include the following code in all ASP pages (especially pages that read the query string)

<%

Dim BlackList, ErrorPage, s, hackcode, matchstring


' "@",".inf",".html",".htm", ".pl", ".PL",".ini", "alter" can be included


BlackList = Array("+","ftp://", "INFORMATION_SCHEMA", "@@version","TABLE_NAME","replace(","replace%28",_
 "sysobjects","syscolumns","syscomments","%20where%20","where+","dbo.",_
 "TABLE_SCHEMA","ROUTINE_","READ_ONLY","charindex","OBJECT_","select * from",_
 "nchar","varchar","nvarchar","char(","char%28","+char","%2Bchar","char+",_
 "+set", "%2Bset","%20set","set+","fetch","kill",_
 "cursor","declare ","declare+","declare%20","declare%2B","delete+","drop+",_
 "drop view","drop view", "backup","update%20","update+","update ","update+",_
 "DOCTYPE","<head", "meta","<title>","</title>","</head>", "<body>","%3Cscript","<script", "</script>",_
 "</body>", "</html>","<form", "<div","</div>","<link","<a style","sp_",_
 "primary key","foreign key","primary+key","foreign+key","foreign_key","primary_key",_
 "where+","where%2Bjoin","where%20join","where ","inner join","inner+join","inner%2Bjoin","inner%20join",_
 "exec+","exec%20","exec%2B","execute+","execute%20","execute%2B","exec ","execute ",_
 "truncate+","truncate%20","truncate%2B","truncate ",_
 "</table>","<tr","</tr>","<td","</td>","<table","%3Ctable","%3C%2Ftable",_
 "create table","create%20table","create+table","create%2Btable","create view","create%20view","create+view","create%2Bview",_
 "create trigger","create%20trigger","create+trigger","create%2Btrigger","create ","create%20","create+","create%2B",_
 "insert into","insert%20into","insert+into","insert%2Binto",_
 "cast+","%20cast%20","%3Dcast","=cast","cast(","cast%28",_
 "alter+","alter%20","alter%28","alter%2B","alter ","alter(","alter table","alter%20table","alter view","alter view",_
 ".asp",".php",".jsp", ".LOG",".zip",".rar",".tar",".txt",".xml",".gzip","link=","url",_
 "--",";","/*", "*/","@@","%40%40")

    

'  Populate the error page you want to redirect to in case the
'  check fails.

ErrorPage = "/ErrorPage.asp"

'Send mail to webmaster with Hack Code

Function SendEmail(hcode,matchstring)
  'On Error Resume Next

' Request data is attacker-supplied: HTML-encode it so the report mail
' cannot carry markup or script into the webmaster's mail client
hackcode = "Match String: " & Server.HTMLEncode("" & matchstring) & "<br />"
hackcode = hackcode & "HACK CODE: " & Server.HTMLEncode("" & hcode) & "<br />"
hackcode = hackcode & "URL: " & Server.HTMLEncode("" & Request.ServerVariables("URL")) & "<br />"
hackcode = hackcode & "IP ADDRESS: " & Server.HTMLEncode("" & Request.ServerVariables("REMOTE_ADDR")) & "<br />"
hackcode = hackcode & "You are browsing this site with: " & Server.HTMLEncode("" & Request.ServerVariables("http_user_agent")) & "<br />"
hackcode = hackcode & "The DNS lookup of the IP address: " & Server.HTMLEncode("" & Request.ServerVariables("remote_host")) & "<br />"
hackcode = hackcode & "HTTP HEADERS SENT BY CLIENT: " & Server.HTMLEncode("" & Request.ServerVariables("ALL_HTTP")) & "<br />"
hackcode = hackcode & "ALL_RAW: " & Server.HTMLEncode("" & Request.ServerVariables("ALL_RAW")) & "<br />"


  dim oMail, oMailConfig
  Set oMail = Server.CreateObject("CDO.Message")
  Set oMailConfig = Server.CreateObject ("CDO.Configuration")
  oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
  oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
  oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
  oMailConfig.Fields.Update
  Set oMail.Configuration = oMailConfig
  oMail.From = "from email address"
  oMail.To = "to email address"
  oMail.Subject = "Tried for entering hacking code - sqlinjectiontruths.blogspot.in"
  oMail.HTMLBody = hackcode
  oMail.Send  
  set oMail=nothing 
End Function

'End Send mail to webmaster with Hack Code

           
'''''''''''''''''''''''''''''''''''''''''''''''''''          
'  This function does not check for encoded characters
'  since we do not know the form of encoding your application
'  uses. Add the appropriate logic to deal with encoded characters
'  in here
'''''''''''''''''''''''''''''''''''''''''''''''''''
Function CheckStringForSQL(str)
  On Error Resume Next

  ' Local loop variable: the page-level "s" is the outer loop's current
  ' field name and must not be overwritten here
  Dim s

  ' Empty input cannot contain a blacklisted pattern
  If ( IsEmpty(str) ) Then
    CheckStringForSQL = false
    Exit Function
  ElseIf ( StrComp(str, "") = 0 ) Then
    CheckStringForSQL = false
    Exit Function
  End If

  ' Compare case-insensitively (vbTextCompare). Lower-casing only the input
  ' would never match upper-case list entries such as "INFORMATION_SCHEMA"
  For Each s in BlackList

    If ( InStr(1, str, s, vbTextCompare) <> 0 ) Then
      CheckStringForSQL = true
      Exit Function
    End If

  Next

  CheckStringForSQL = false
End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check forms data
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Form

  If ( CheckStringForSQL(Request.Form(s)) ) Then
    SendEmail Request.Form,s
    ' Redirect to an error page
    Response.Redirect(ErrorPage)

  End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check query string
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.QueryString

  If ( CheckStringForSQL(Request.QueryString(s)) ) Then

    SendEmail Request.QueryString,s
    ' Redirect to error page
    Response.Redirect(ErrorPage)
    End If

Next


'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''

'For Each s in Request.Cookies
'  If ( CheckStringForSQL(Request.Cookies(s)) ) Then
'
'      GetSecureVal(Request.Cookies(s))
'
'    ' SendEmail Request.Cookies,s
'    ' Redirect to error page
'    'Response.Redirect(ErrorPage)
'
'  End If
'
'Next


'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check Secure Value
'''''''''''''''''''''''''''''''''''''''''''''''''''

Function GetSecureVal(param)
 If IsEmpty(param) Or param = "" Then
  GetSecureVal = param
  Exit Function
 End If
 If IsNumeric(param) Then
  GetSecureVal = trim(CLng(param))
 Else
  GetSecureVal = trim(Replace(CStr(param), "'", "''"))
 End If
End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Add additional checks for input that your application
'  uses. (for example various request headers your app
'  might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''
%>

----------------------------------------------------------------------------------------------------------
Step9:

Instead of using "SA" as the username for all databases, use a different user name and password for each database
----------------------------------------------------------------------------------------------------------
Step10:

Use stored procedures instead of writing raw SQL queries in .asp pages
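The following Classic ASP page is an added example, not code from the original post: it combines the numeric check of Step 6, the length check of Step 3 and the stored-procedure advice of Step 10 by sending user input through typed ADODB.Command parameters instead of concatenating it into SQL. The table Users, the stored procedure usp_GetUser and the connection string are assumed placeholders.

```vbscript
<%
Option Explicit
' ADO constants, as defined in adovbs.inc
Const adCmdText = 1, adCmdStoredProc = 4, adParamInput = 1
Const adInteger = 3, adVarChar = 200

' Looks up one user by ID and e-mail using typed parameters.
' conn: an open ADODB.Connection. useProc: call the assumed stored
' procedure usp_GetUser instead of inline SQL. Returns Nothing on bad input.
Function LookupUser(conn, rawId, rawEmail, useProc)
    Dim cmd, id, email
    Set LookupUser = Nothing

    ' Step 6: reject non-numeric IDs before converting; CLng avoids CInt's 32767 limit
    If Not IsNumeric(Trim(rawId)) Then Exit Function
    id = CLng(Trim(rawId))
    If id <= 0 Then Exit Function

    ' Step 3: enforce the same length the column allows
    email = Trim(CStr(rawEmail))
    If Len(email) = 0 Or Len(email) > 50 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    If useProc Then
        cmd.CommandType = adCmdStoredProc
        cmd.CommandText = "usp_GetUser"   ' assumed: @id INT, @email VARCHAR(50)
    Else
        cmd.CommandType = adCmdText
        cmd.CommandText = "SELECT UserID, Email FROM Users WHERE UserID = ? AND Email = ?"
    End If
    ' Values travel as parameters, never as SQL text, so a quote in the
    ' e-mail or extra text after the ID cannot change the statement
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
    cmd.Parameters.Append cmd.CreateParameter("@email", adVarChar, adParamInput, 50, email)
    Set LookupUser = cmd.Execute
End Function

' Usage on a request page (connection string values are placeholders)
Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;User ID=app_user;Password=YOUR_PASSWORD"
Set rs = LookupUser(conn, Request.QueryString("ID"), Request.Form("email"), False)
If rs Is Nothing Then
    Response.Write "Invalid input"
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(CStr(rs("Email")))   ' encode output as well
End If
If Not rs Is Nothing Then rs.Close
conn.Close
Set rs = Nothing: Set conn = Nothing
%>
```

Because the parameter types are declared, the driver rejects a non-integer ID itself, so the IsNumeric guard mainly gives a clean error message rather than a provider exception.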
----------------------------------------------------------------------------------------------------------
Step11:

Keep your system up to date with the most recent cumulative update package for SQL Server Service Packs.
----------------------------------------------------------------------------------------------------------
Step12:

  Use a Captcha on all forms on the website (mandatory).
  With a Captcha you can restrict spam bots.

Captcha code in ASP -> http://sqlinjectiontruths.blogspot.in/2013/04/recaptcha-in-classic-asp.html
----------------------------------------------------------------------------------------------------------
Step13:

Decode query string values before validating them

Refer to the URLs:
http://sqlinjectiontruths.blogspot.in/2013/03/asp-encode-decode-functions.html
http://www.aspnut.com/reference/encoding.asp