Hack attempt

AdamPembs · February 11th, 2011, 06:39 AM

I just recorded this hack attempt and I'm wondering if my code is secure. I'm also curious about what this qs injection is trying to do.

Code:

Error in page http://www.mydomain.org.uk/contactForm.aspx?officer=61'+or+1=@@version

The contact form does two things. It gets a querystring from another page, and populates a literal control to find in the recipients name. The visitor can then write a message. So the second thing it does is send the email using the same querystring value. So I'm wondering if I need do anything to secure the form further. (email addresses removed for obvious reasons). Is there any benefit to be gained by using "if len(request.querystring,3)" for example?

Code:

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        If Page.IsValid Then

            '8 officers who can receive email so only allow integers 1-8)
            If Request.QueryString("officer") > 0 AndAlso Request.QueryString("officer") < 9 Then
                Dim officerid As Integer = CInt(Request.QueryString("officer"))

                Select Case officerid

                    Case 1
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 2
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 3
                        myMessage.To.Add(New MailAddress("***", "***"))

                    Case 4
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 5
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 6
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 7
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 8
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case Else
                        myMessage.To.Add(New MailAddress("***", "Webmaster"))
                End Select

                Dim fileName As String = Server.MapPath("~/App_Data/ContactForm.txt")
                Dim mailBody As String = String.Empty

                mailBody = System.IO.File.ReadAllText(fileName)
                mailBody = mailBody.Replace("##Name##", Name.Text)
                mailBody = mailBody.Replace("##Email##", email.Text)
                mailBody = mailBody.Replace("##Phone##", phone.Text)
                mailBody = mailBody.Replace("##Subject##", Subject.Text)
                mailBody = mailBody.Replace("##Enquiry##", enquiry.Text)

                Dim myMessage As MailMessage = New MailMessage()
                myMessage.Subject = "Enquiry from the U3A web site"
                myMessage.Body = mailBody

                myMessage.From = New MailAddress(email.Text, Name.Text)


                myMessage.Bcc.Add(New MailAddress("***", "Pembs U3A admins"))


                

                Dim mySmtpClient As SmtpClient = New SmtpClient()
                Try

                    mySmtpClient.Send(myMessage)
                Catch ex As Exception
                    Literal2.Text = "An error occured trying to send your message"
                End Try

                Literal2.Visible = True
                formtable.Visible = False
            End If

        End If
      
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        If Not Page.IsPostBack Then
            Literal1.Text = "Email "

            If Len(Request.QueryString("Officerid")) < 3 Then
                Dim officerid As Integer = CInt(Request.QueryString("officer"))
                Select Case officerid
                    Case 1
                        Literal1.Text &= "Nova"
                    Case 2
                        Literal1.Text &= "Rhoda"
                    Case 3
                        Literal1.Text &= "Pauline and Arthur"
                    Case 4
                        Literal1.Text &= "Terry"
                    Case 5
                        Literal1.Text &= "Graham"
                End Select
            End If

 
        Else
            Literal1.Text = "Your email has been sent"
        End If
    End Sub

Imar · February 11th, 2011, 01:18 PM

Hi Adam,

In this example, you're safe with the query string ID. Since you explicitly convert the Query String value to an Integer, your code will crash when you try to pass anything else. In other situations, you need to take more control over the input. For example, you directly insert the text from the form into an e-mail message. This could be abused to create malicious e-mail bodies with links which in turn can lead to problems if the recipients click them in their e-mail programs.

You may find this interesting: http://www.govcertuk.gov.uk/pdfs/sql_injection.pdf
http://stackoverflow.com/questions/2...hen-displaying
http://msdn.microsoft.com/en-us/library/ff647397.aspx
http://msdn.microsoft.com/en-us/libr...v=VS.100).aspx

There's a lot more on encoding user input and protecting yourself against SQL and cross site scripting attacks. The above links should be treated as a starting point only.

Cheers,

Imar

AdamPembs · February 12th, 2011, 12:18 PM

Thanks, those are great security resources