March 23, 2010 at 8:20 am
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.)
I have two ASP pages as follows:
Question: based on the above, how worried should I be about injection attacks?
+--------------------------------------------------------------------------------------+
Check out my blog at https://pianorayk.wordpress.com/
April 9, 2010 at 10:07 am
Ray K (3/23/2010)
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.) I have two ASP pages as follows:
- The first page is a form page that uses ONLY pull-down SELECT menus (no free-form text fields), and submits the selections using a POST (not GET) method. The resulting page creates a dynamic SQL based on the selections.
- The second page includes links that include the ID as an integer (example: somepage.asp?ID=42). I fully intend to check to make sure the ID is an integer (otherwise, it'll return "invalid entry" or something like that).
Question: based on the above, how worried should I be about injection attacks?
Thank you so much for your post.
_________________
April 11, 2010 at 5:20 pm
kelly7898 (4/9/2010)
Ray K (3/23/2010)
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.) I have two ASP pages as follows:
- The first page is a form page that uses ONLY pull-down SELECT menus (no free-form text fields), and submits the selections using a POST (not GET) method. The resulting page creates a dynamic SQL based on the selections.
- The second page includes links that include the ID as an integer (example: somepage.asp?ID=42). I fully intend to check to make sure the ID is an integer (otherwise, it'll return "invalid entry" or something like that).
Question: based on the above, how worried should I be about injection attacks?
Thank you so much for your post.
Is this just a spam attempt?
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
April 11, 2010 at 5:22 pm
Ray K (3/23/2010)
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.) I have two ASP pages as follows:
- The first page is a form page that uses ONLY pull-down SELECT menus (no free-form text fields), and submits the selections using a POST (not GET) method. The resulting page creates a dynamic SQL based on the selections.
- The second page includes links that include the ID as an integer (example: somepage.asp?ID=42). I fully intend to check to make sure the ID is an integer (otherwise, it'll return "invalid entry" or something like that).
Question: based on the above, how worried should I be about injection attacks?
Answer: You should probably be worried, though we would need to know some more details to be sure.
The most obvious gap that I can see here is that you cannot be sure that your users will actually be POSTing back valid responses to your text dropdown, and not use that instead as a means for Injection.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
April 11, 2010 at 6:59 pm
RBarryYoung (4/11/2010)
kelly7898 (4/9/2010)
Ray K (3/23/2010)
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.) I have two ASP pages as follows:
- The first page is a form page that uses ONLY pull-down SELECT menus (no free-form text fields), and submits the selections using a POST (not GET) method. The resulting page creates a dynamic SQL based on the selections.
- The second page includes links that include the ID as an integer (example: somepage.asp?ID=42). I fully intend to check to make sure the ID is an integer (otherwise, it'll return "invalid entry" or something like that).
Question: based on the above, how worried should I be about injection attacks?
Thank you so much for your post.
Is this just a spam attempt?
I assume so. I've already reported it.
+--------------------------------------------------------------------------------------+
Check out my blog at https://pianorayk.wordpress.com/
April 11, 2010 at 7:03 pm
RBarryYoung (4/11/2010)
Ray K (3/23/2010)
I'm putting together a prototype mobile web page in classic ASP. (Unfortunately, I don't control the web environment; otherwise, I'd be doing this in ASP.NET, not classic ASP.) I have two ASP pages as follows:
- The first page is a form page that uses ONLY pull-down SELECT menus (no free-form text fields), and submits the selections using a POST (not GET) method. The resulting page creates a dynamic SQL based on the selections.
- The second page includes links that include the ID as an integer (example: somepage.asp?ID=42). I fully intend to check to make sure the ID is an integer (otherwise, it'll return "invalid entry" or something like that).
Question: based on the above, how worried should I be about injection attacks?
Answer: You should probably be worried, though we would need to know some more details to be sure.
The most obvious gap that I can see here is that you cannot be sure that your users will actually be POSTing back valid responses to your text dropdown, and not use that instead as a means for Injection.
As it turned out, I had to change it from a POST to a GET. I was getting a message in iPhone browsers about having to repost data, and changing it to GET resolved the problem. (Since a large number of targeted devices are iPhones, this was a showstopper issue.)
After I posted this, I ended up installing checks in my ASP code that check for valid entries, so that the app ends up returning all data if an invalid parameter is passed. I've tested it out, and it seems to work.
Of course, having said that, I realize that nothing is foolproof.
+--------------------------------------------------------------------------------------+
Check out my blog at https://pianorayk.wordpress.com/
April 12, 2010 at 1:29 pm
There's no reason to use dynamic SQL, even with classic ASP. You can still insist that all interaction to the d.b. from the web uses stored procedures, which will go a big way toward reducing the chance of SQL injection.
Rich
April 12, 2010 at 2:30 pm
1. Fully parameterize all your SQL calls, whether they're stored procedures or not. This is your best protection.
2. Get Firefox 3.5 (perhaps on a VM), and install addons like HackBar, Tamper Data, and SQL Injection. Post vs Get is not protection, nor is sending drop-downs. The client can send back whatever it wants, regardless of what you ask it to do (for a more serious adversary, assume that the user sets up a proxy that allows them to alter return packets prior to passing them on to you, or assume they compiled their own browser code to allow them this capability).
3. Whitelist validate all input server-side; hidden fields and all. Absolutely everything coming from the internet is suspect.
4. If you're serious, research security extensively, and hire an expert or two, both for general security and for your industry in particular.
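The advice in the thread (RBarryYoung's point that the browser can send back any value for a drop-down, Rich's point about not building SQL from strings, and the "parameterize everything, whitelist everything server-side" list just above) put together as one classic ASP page. This is an added example, not code posted by anyone in the thread. The table and column names (Venues, VenueID, Name, City), the form field name City, the allowed city values and the Application("ConnString") setting are all assumptions made up for the example; the ADO constants are the standard ones from adovbs.inc, repeated so the page runs without an include.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumed schema: table Venues(VenueID, Name, City).
' Assumed inputs: City from the drop-down form, ID from somepage.asp?ID=42.

' ADO constants, normally supplied by adovbs.inc.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Whitelist of the values the drop-down legitimately offers. Whether the request
' arrived by GET or POST makes no difference: anything not on this list is rejected.
Function IsAllowedCity(value)
    Dim allowed, i
    allowed = Array("Boston", "Chicago", "Seattle")   ' constructed sample values
    IsAllowedCity = False
    For i = 0 To UBound(allowed)
        If StrComp(value, allowed(i), vbBinaryCompare) = 0 Then
            IsAllowedCity = True
            Exit Function
        End If
    Next
End Function

' Strict integer check for the ID link parameter. IsNumeric alone accepts things
' like "1e3", "$5" and " 42 ", so only plain digit strings are allowed here.
Function TryParseId(raw, ByRef id)
    Dim i
    TryParseId = False
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    For i = 1 To Len(raw)
        If InStr("0123456789", Mid(raw, i, 1)) = 0 Then Exit Function
    Next
    id = CLng(raw)
    TryParseId = (id > 0)
End Function

Dim city, rawId, id
city = Request("City")
rawId = Request("ID")

' Reject tampered or malformed input before any SQL is involved.
If Not IsAllowedCity(city) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid entry"
    Response.End
End If
If Not TryParseId(rawId, id) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid entry"
    Response.End
End If

' Parameterized query: the user-supplied values never become part of the SQL text,
' so even a value that slipped past the whitelist could not change the statement.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed to hold the connection string

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT VenueID, Name FROM Venues WHERE City = ? AND VenueID = ?"
cmd.Parameters.Append cmd.CreateParameter("City", adVarChar, adParamInput, 50, city)
cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , id)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well, so database content cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same CreateParameter pattern works unchanged when CommandType is set to adStoredProc and CommandText names a stored procedure, which is the route Rich suggests; the point of the whitelist is that a value outside the drop-down's options is rejected outright rather than reaching the database at all, and the point of the parameters is that the values are data, not SQL, whichever route is taken.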