
Cross-site Scripting & Sql Injection

May 24th, 2009


Injection attacks against ASP.NET applications take many forms. Two of the most common are:

  • SQL injection
  • Cross-site scripting (XSS)

Let's look at each technique and at how we can prevent these attacks.

 Sql Injection

Let's see an example of SQL injection. Suppose a text box takes a user's NTN (tax number) in order to look the user up, and the user enters the following text in the text box:

 '; DROP DATABASE orders --

Now the code might build its SQL string by concatenation, intending to run something like:

 SELECT lname, fname, address FROM TaxedUsers WHERE NTN = 'XXXXXXXX'

With the input above, the statement the database actually receives is:

 SELECT lname, fname, address FROM TaxedUsers WHERE NTN = ''; DROP DATABASE orders --'

The input's leading single quote closes the string literal, the semicolon terminates the SELECT, and the text after it is parsed as a second statement that runs right after the first. Whether a single call may carry several statements depends on the DBMS and driver you are using (SQL Server accepts such batches). The -- starts a comment, so the DBMS ignores the rest of the line, in this case the closing single quote that the code appended.

Having said all the above, some steps should be followed so that this cannot happen in your code. First of all, constrain user input. Use server-side validation with regular expressions; for the example above, the NTN can be restricted to alphanumeric characters of a known length, which rejects the quote, the semicolon and the comment marker outright. If the input comes from another source (a file, a web service, a query string), use the Regex class to constrain it programmatically. Client-side validation alone can be bypassed and does not count.

Secondly, use the parameters collection, with stored procedures or with plain SQL queries. Using stored procedures without parameters serves no purpose. Parameters enforce type checking and length validation, and, more importantly, a parameter value never becomes part of the SQL statement: the DBMS receives it as a literal data value, so quotes and semicolons inside it have no syntactic meaning. Another benefit is that the parameters collection works for both inline SQL and stored procedures. Now something about using parameters. A parameter protects only the statement it is passed to, not SQL that is assembled from it later. If you call a procedure like this:

 exec sp_yourstoredproc @var

and inside that procedure the value of @var is concatenated into a string that is then run with EXEC, everything passed in is executed as SQL once more, and a value such as '; DROP DATABASE orders -- will drop that database as soon as the command runs. Hence, use your parameters intelligently: keep values as parameters all the way down (sp_executesql with a parameter list rather than EXEC on a built string). Moreover, escape input where a parameter cannot be used (identifiers, LIKE wildcards), and run the application under a least-privileged database account so that even a successful injection cannot drop databases or tables. Error messages shown to the user should disclose no technical information (table names, SQL text, stack traces) that an attacker could use.
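The two approaches side by side, as an added example that is not code from the original post. It assumes the TaxedUsers table from the post (columns NTN, lname, fname, address), a hypothetical stored procedure dbo.GetTaxedUser with one @NTN parameter, a placeholder connection string, the classic System.Data.SqlClient provider, and an NTN format of 7 to 12 alphanumeric characters (an assumption; adjust the pattern to your real format).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // classic ADO.NET provider; Microsoft.Data.SqlClient has the same API
using System.Text.RegularExpressions;

// Added example (not from the original post). Table TaxedUsers is taken from the post;
// dbo.GetTaxedUser, the NTN format and the connection string are assumptions.
public static class TaxedUserLookup
{
    // Constrain input first: anchors plus a character class reject the quote,
    // semicolon and comment marker used in the payload before any SQL exists.
    private static readonly Regex NtnPattern =
        new Regex(@"^[A-Za-z0-9]{7,12}$", RegexOptions.Compiled);

    public static bool IsValidNtn(string ntn)
    {
        return !string.IsNullOrEmpty(ntn) && NtnPattern.IsMatch(ntn);
    }

    // VULNERABLE: the user's text becomes part of the statement itself.
    // Returned as a string here only so the resulting SQL can be inspected.
    public static string BuildVulnerableSql(string ntn)
    {
        return "SELECT lname, fname, address FROM TaxedUsers WHERE NTN = '" + ntn + "'";
    }

    // SAFE: the statement is fixed; the value travels as a typed, length-limited parameter
    // and is never parsed as SQL, whatever characters it contains.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string ntn)
    {
        if (!IsValidNtn(ntn))
            throw new ArgumentException("NTN must be 7-12 alphanumeric characters.", "ntn");

        SqlCommand cmd = new SqlCommand(
            "SELECT lname, fname, address FROM TaxedUsers WHERE NTN = @NTN", conn);
        cmd.Parameters.Add("@NTN", SqlDbType.VarChar, 12).Value = ntn;
        return cmd;
    }

    // Same idea with a stored procedure: CommandType.StoredProcedure plus the Parameters
    // collection. Building "EXEC dbo.GetTaxedUser '" + ntn + "'" as text would be concatenation again.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string ntn)
    {
        if (!IsValidNtn(ntn))
            throw new ArgumentException("NTN must be 7-12 alphanumeric characters.", "ntn");

        SqlCommand cmd = new SqlCommand("dbo.GetTaxedUser", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@NTN", SqlDbType.VarChar, 12).Value = ntn;
        return cmd;
    }

    public static void Main()
    {
        const string payload = "'; DROP DATABASE orders --";   // the post's payload

        // What the concatenating code would send to the server: two statements and a comment.
        Console.WriteLine(BuildVulnerableSql(payload));

        // The regex rejects the payload and accepts a well-formed NTN.
        Console.WriteLine(IsValidNtn(payload));
        Console.WriteLine(IsValidNtn("AB1234567"));

        // Placeholder connection string; replace with your own.
        using (SqlConnection conn = new SqlConnection("Server=.;Database=Tax;Integrated Security=true"))
        {
            conn.Open();
            using (SqlDataReader reader = BuildParameterizedCommand(conn, "AB1234567").ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader["lname"] + ", " + reader["fname"] + ", " + reader["address"]);
            }
        }
    }
}
```

The first line printed is exactly the two-statement string shown earlier; the validation check then returns false for the payload and true for a well-formed NTN. Note that the length passed to Parameters.Add is the declared column length, so an over-long value is truncated or rejected by the provider rather than silently changing the query.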

Cross Site Scripting

Cross-site scripting attacks exploit weaknesses in web page validation by injecting client-side script. One commonly used form of the attack is for the attacker to inject script that reads the authentication cookie granting access to a trusted site and posts it to a web address the attacker controls. This lets the attacker impersonate the legitimate user and gain illicit access to the web site.

Two complementary defences are constraining input and encoding output. Regular expressions are used to constrain input, as discussed earlier. For encoding output, HttpUtility.HtmlEncode can be used. It replaces characters that have special meaning in HTML with entities: for example '<' becomes &lt;, '>' becomes &gt;, '&' becomes &amp; and '"' becomes &quot;. Encoded HTML is rendered as text rather than parsed as markup, so injected script never executes. Note the following in your application:

Verify that the <pages buffer="true" validateRequest="true" /> element is present in machine.config (or your web.config); it enables request validation for your aspx pages, which rejects requests containing markup-like input. Treat this as a safety net, not as a substitute for encoding output.

Wherever user-supplied data is written into HTML output, make sure it is encoded for the context it lands in (element content, attribute value or URL), so that it cannot turn your HTML into something else.

Some tags can carry script or load content from elsewhere and deserve particular attention: <applet>, <body>, <embed>, <frame>, <script>, <frameset>, <html>, <iframe>, <img>, <style>, <layer>, <link>, <ilayer>, <meta> and <object>. For instance, an <img> tag could be used to execute script (older browsers of the Internet Explorer 6 era honoured javascript: URLs in the src attribute) like:

 <img src="javascript:alert('hello');">
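The same payload rendered with and without output encoding, as an added example that is not code from the original post. It uses HttpUtility from System.Web (on .NET Core and later the class ships in System.Web.HttpUtility.dll) and goes one step beyond the post by showing the attribute and URL contexts, where HtmlEncode on its own is not the right call; the page fragments and the second payload are constructed for the example.

```csharp
using System;
using System.Web;   // HttpUtility

// Added example (not from the original post). The <img> payload is the post's; the page
// fragments, the attribute payload and the /search.aspx URL are constructed for illustration.
public static class OutputEncodingDemo
{
    // The post's payload: a tag whose src attribute is a javascript: URL.
    public const string ImgPayload = "<img src=\"javascript:alert('hello');\">";

    // A payload aimed at an attribute: closes the value and adds an event handler.
    public const string AttributePayload = "\" onmouseover=\"alert(1)";

    // VULNERABLE: the raw string is dropped into the page and parsed as markup.
    public static string RenderRaw(string userText)
    {
        return "<p>Hello, " + userText + "</p>";
    }

    // SAFE for element content: <, >, &, " (and ' on .NET 4 and later) become entities,
    // so the browser displays the text instead of creating an <img> element.
    public static string RenderEncoded(string userText)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(userText) + "</p>";
    }

    // Attribute context: HtmlAttributeEncode plus a quoted attribute keeps the value
    // inside the quotes, so the injected " cannot start a new attribute.
    public static string RenderInAttribute(string userText)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlAttributeEncode(userText) + "\">";
    }

    // URL context: UrlEncode the value as a query-string component, then HtmlEncode the
    // whole URL, because it still sits inside an HTML attribute.
    public static string RenderInLink(string userText)
    {
        string url = "/search.aspx?q=" + HttpUtility.UrlEncode(userText);
        return "<a href=\"" + HttpUtility.HtmlEncode(url) + "\">search</a>";
    }

    public static void Main()
    {
        Console.WriteLine(RenderRaw(ImgPayload));            // contains a live <img> tag
        Console.WriteLine(RenderEncoded(ImgPayload));        // no '<' survives; shown as text
        Console.WriteLine(RenderInAttribute(AttributePayload)); // stays a single attribute value
        Console.WriteLine(RenderInLink(ImgPayload));         // safe inside href
    }
}
```

Picking the encoder by context is the whole point: HtmlEncode is correct between tags, HtmlAttributeEncode inside a quoted attribute, and UrlEncode for a value embedded in a URL. None of them helps if the value is written directly into a <script> block; there, do not emit user data at all, or serialise it with a JavaScript-aware encoder.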



Copyright © 2006-2011 W@rfi