Saturday, August 23, 2008

SQL Injection and XSS in Classic ASP

SQL Injection and XSS (cross-site scripting) are a big threat for classic ASP sites today. Before ASP.NET came to market, ASP was a very popular scripting language, and as a result a good number of e-commerce and enterprise-level projects built on classic ASP are still in production. According to various sources, since the beginning of this year ASP sites have been a main target of hackers for SQL Injection and XSS. ASP.NET has some built-in mechanisms that help sanitize input, such as "ValidateRequest" and "EnableEventValidation", so it is in a somewhat safer position regarding XSS (those mechanisms are not a complete defense, and they do nothing against SQL injection); classic ASP has no equivalent, so the site itself has to do the work. Let me explain very quickly what XSS and SQL Injection are:

  • SQL Injection is a technique by which hackers execute dangerous SQL commands by taking advantage of unsanitized input in a web application.
  • Cross-Site Scripting (XSS) attacks exploit weaknesses in web page input validation by injecting client-side script code. The script embeds itself in the response data sent back to an unsuspecting user, whose browser then runs it. The browser has no way of recognizing that the code is not legitimate, and Microsoft Internet Explorer security zones provide no defense. Cross-site scripting attacks work equally over HTTP and HTTPS (SSL) connections.

Several communities have already started work on these issues. HP's Web Security Research Group published a tool named HP Scrawlr to find SQL Injection vulnerabilities in websites, and Microsoft recently released the Microsoft Source Code Analyzer for SQL Injection, which scans classic ASP source code. Let me show how we can protect our valuable site from this threat:

1. A very fast and easy way is to build a central validation system, similar in approach to the ASP.NET built-in one, that automatically inspects all input variables (form variables, query-string variables, cookie variables, etc.) for attack patterns. It protects the website not only from SQL injection but also from XSS. Here is one of my research works on how to make such a system. In a really quick description, it covers the following areas:

  • Sanitize all the input fields
  • How to make an exception list, to give the developer flexibility for fields that legitimately carry markup or quotes
  • Redirect to a default error page if any problem is found in the input fields
  • Implement an automated reporting system that, when a problem is found, records the details of the inputs, client IP, referrer page, etc.
  • Implement a custom error page
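A minimal version of such a central validator, as an added example that is not the code from the research work mentioned above: an include file (hypothetically named inputguard.asp and included at the top of every page) walks the QueryString, Form and Cookies collections, skips an exception list, matches every other value against a small set of attack patterns, logs the incident with the client IP, referrer and URL, and redirects to the error page. The log path, error page, field names and patterns are all assumptions to be adjusted for a real site.

```vbscript
<%
' inputguard.asp : hypothetical central input validator for classic ASP.
' Added example, not code from the original post. Include it at the top of
' every page:  <!-- #include file="inputguard.asp" -->

' Assumed settings. The log file must be writable by the IIS worker identity
' and must live outside the web root so it can never be served.
Const GUARD_ERROR_PAGE = "/error.asp"
Const GUARD_LOG_FILE   = "D:\logs\inputguard.log"

' Exception list: fields allowed to carry markup or quotes (e.g. a rich-text editor).
Dim guardExceptions
guardExceptions = Array("txtArticleBody", "txtComment")

' Patterns that indicate an injection attempt. They are deliberately narrow so
' that ordinary input such as O'Brien or "2 < 3" is not rejected: the SQL
' patterns need a quote, comment or separator token followed by SQL syntax, or
' an OR/AND tautology such as 1=1 or 'a'='a' (matched with a back-reference).
Dim guardPatterns
guardPatterns = Array( _
    "<\s*script|javascript\s*:|on(load|error|click|mouseover)\s*=", _
    "('|%27|;|--)\s*(or|and|union|select|insert|update|delete|drop|declare|exec|cast)\b", _
    "\b(union\s+select|declare\s+@|exec\s*\(|cast\s*\()", _
    "\b(or|and)\s+('?\w+'?)\s*=\s*\2" _
)

' True if the field is on the exception list (case-insensitive).
Function GuardIsException(fieldName)
    Dim i
    GuardIsException = False
    For i = 0 To UBound(guardExceptions)
        If StrComp(fieldName, guardExceptions(i), vbTextCompare) = 0 Then
            GuardIsException = True
            Exit Function
        End If
    Next
End Function

' True if the value matches any attack pattern.
Function GuardLooksMalicious(value)
    Dim re, i
    GuardLooksMalicious = False
    If Len(value) = 0 Then Exit Function
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = False
    For i = 0 To UBound(guardPatterns)
        re.Pattern = guardPatterns(i)
        If re.Test(value) Then
            GuardLooksMalicious = True
            Exit Function
        End If
    Next
End Function

' Appends one tab-separated line per incident: time, collection, field,
' value (truncated), client IP, referrer and requested URL.
Sub GuardReport(source, fieldName, value)
    Dim fso, f
    On Error Resume Next   ' a logging failure must never take the site down
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(GUARD_LOG_FILE, 8, True)   ' 8 = ForAppending
    f.WriteLine Now & vbTab & source & vbTab & fieldName & vbTab & Left(value, 500) & vbTab & _
                Request.ServerVariables("REMOTE_ADDR") & vbTab & _
                Request.ServerVariables("HTTP_REFERER") & vbTab & _
                Request.ServerVariables("URL")
    f.Close
    On Error GoTo 0
End Sub

' Walks one Request collection; the first hit is logged and the request is
' sent to the error page (Response.Redirect ends page processing).
Sub GuardCheckCollection(source, coll)
    Dim key, value
    For Each key In coll
        If Not GuardIsException(key) Then
            value = coll(key)   ' multi-valued fields come back joined with ", "
            If GuardLooksMalicious(value) Then
                GuardReport source, key, value
                Response.Redirect GUARD_ERROR_PAGE
            End If
        End If
    Next
End Sub

GuardCheckCollection "QueryString", Request.QueryString
GuardCheckCollection "Form", Request.Form
GuardCheckCollection "Cookies", Request.Cookies
%>
```

Two caveats a practitioner should keep in mind: a pattern list is a blacklist, so encodings or keyword variants it does not cover will get past it, and every pattern is a potential false positive on legitimate text. That is why it is only the first layer; the queries behind it still need to be parameterized and the output still needs to be encoded.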

2. Avoid disclosing database error information: trap errors around database calls (On Error Resume Next in VBScript, try…catch in JScript, as classic ASP VBScript has no try…catch) and show a custom error page instead of the raw message. Raw ODBC/OLE DB error text tells an attacker the database engine, table and column names, and whether an injected string changed the query.

3. Use escaping routines to handle special characters in values that are placed inside SQL string literals. For example, double every single quote (') so that the literal cannot be terminated early:

Replace(Request.Form("txtUsername"), "'", "''")

Any injected SQL inside the value is then treated as part of a normal string and is not executed. This only protects values that are enclosed in quotes; a numeric value such as an ID has no surrounding quotes, so it must be validated as a number (for example with IsNumeric and CLng) rather than escaped.

4. Use HTML encoding (Server.HTMLEncode in classic ASP) whenever user-supplied data is written into a page, so that any markup in it is displayed as text instead of being interpreted by the browser; decode only when the original text is needed again. This technique specifically protects the site from XSS.

5. Use stored procedures rather than dynamic queries where possible, and parameterize the query (an ADODB.Command with Parameters instead of string concatenation) when dynamic SQL is unavoidable.
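The following page, added here as an example and not code from the original post, shows techniques 3, 4 and 5 side by side on one lookup: the vulnerable concatenated query, the escaped version (with the numeric-ID limitation), the parameterized ADODB.Command that the page actually runs, and HTML encoding of the result. It assumes a SQL Server table Users(UserID int, UserName varchar(50), Email varchar(100)) and a connection string stored in Application("ConnString"); both are assumptions.

```vbscript
<%
' lookup.asp : added example, not from the original post. The same query is
' written three ways; only the parameterized form (c) is executed.
' Assumed schema: Users(UserID int, UserName varchar(50), Email varchar(100)).
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed to hold the connection string

Dim userName, userId
userName = Request.Form("txtUsername")
userId   = Request.QueryString("id")

' (a) VULNERABLE: input is pasted straight into the SQL text. With
'     txtUsername = x' OR '1'='1  or  id = 1 OR 1=1  the WHERE clause is
'     always true and every row comes back. Kept as a comment on purpose.
' sql = "SELECT UserName, Email FROM Users WHERE UserName = '" & userName & _
'       "' AND UserID = " & userId

' (b) ESCAPED (technique 3): doubling the quote keeps the string literal
'     closed, so x' OR '1'='1 becomes the harmless literal x'' OR ''1''=''1.
'     It does nothing for the numeric UserID, which has no quotes, so that
'     value is validated as a number instead. Shown for comparison only.
If Not IsNumeric(userId) Then Response.Redirect "/error.asp"
Dim sqlEscaped
sqlEscaped = "SELECT UserName, Email FROM Users WHERE UserName = '" & _
             Replace(userName, "'", "''") & "' AND UserID = " & CLng(userId)

' (c) PARAMETERIZED (technique 5): the SQL text is fixed and the values travel
'     separately, so the database never parses user input as SQL.
Const adVarChar = 200, adInteger = 3, adParamInput = 1
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT UserName, Email FROM Users WHERE UserName = ? AND UserID = ?"
cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userName)
cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , CLng(userId))
Set rs = cmd.Execute

' Technique 4: HTML-encode anything echoed back, so a stored "<script>"
' in the UserName column is displayed as text, not run by the browser.
If Not rs.EOF Then
    Response.Write "<p>User: " & Server.HTMLEncode(rs("UserName")) & "</p>"
    Response.Write "<p>Email: " & Server.HTMLEncode(rs("Email")) & "</p>"
Else
    Response.Write "<p>No such user.</p>"
End If

rs.Close
conn.Close
%>
```

Two notes on the design: doubling single quotes is the escaping rule for SQL Server and Access string literals; an engine that also treats backslash as an escape (MySQL, for example) needs a different routine, which is one more reason to prefer parameters. And Server.HTMLEncode covers text placed in element content; a value placed inside an attribute or a script block needs the encoding appropriate for that context.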

6. Use a least-privileged database account: only the stored procedures have permission to insert and update, and the account the scripts connect with has only read permission plus EXECUTE on those procedures (without EXECUTE the scripts cannot call them). An injected statement then runs with that account's limited rights rather than as a database owner.

If all the above rules are maintained on a site, SQL injection and XSS are well covered. But sometimes that is really very tough; for example converting all the inline queries to stored procedures. In that case we have to implement as much as possible. The first technique is a primary security layer that screens every request; the second technique makes the site stronger and forms a second layer, then the third, and so on, so that a bypass of one layer still meets the next.


Enjoy Programming!



r4 games said...

Thanks for the information. I was wondering about SQL injection. Your post solved my problem. Keep posting.

Ecommerce developer said...

Nice information about SQL injection; it's a good resource for web developers. Thanks for your wonderful sharing, and I got good knowledge from reading your blogs.