Wrox Programmer Forums
ASP.NET 4 General Discussion For ASP.NET 4 discussions not relating to a specific Wrox book
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 4 General Discussion section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old February 11th, 2011, 06:39 AM
Authorized User
 
Join Date: Jan 2010
Posts: 31
Thanks: 5
Thanked 2 Times in 2 Posts
Hack attempt

I just recorded this hack attempt and I'm wondering if my code is secure. I'm also curious about what this qs injection is trying to do.

Code:
Error in page http://www.mydomain.org.uk/contactForm.aspx?officer=61'+or+1=@@version
The contact form does two things. It gets a querystring from another page, and populates a literal control to fill in the recipient's name. The visitor can then write a message. So the second thing it does is send the email using the same querystring value. So I'm wondering if I need to do anything to secure the form further. (email addresses removed for obvious reasons). Is there any benefit to be gained by using "if len(request.querystring,3)" for example?

Code:
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        If Page.IsValid Then

            '8 officers who can receive email so only allow integers 1-8
            If Request.QueryString("officer") > 0 AndAlso Request.QueryString("officer") < 9 Then
                Dim officerid As Integer = CInt(Request.QueryString("officer"))

                ' the message has to exist before the Select Case adds recipients to it
                Dim myMessage As MailMessage = New MailMessage()

                Select Case officerid

                    Case 1
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 2
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 3
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 4
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 5
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 6
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 7
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case 8
                        myMessage.To.Add(New MailAddress("***", "***"))
                    Case Else
                        myMessage.To.Add(New MailAddress("***", "Webmaster"))
                End Select

                ' fill the text template with the form fields
                Dim fileName As String = Server.MapPath("~/App_Data/ContactForm.txt")
                Dim mailBody As String = String.Empty

                mailBody = System.IO.File.ReadAllText(fileName)
                mailBody = mailBody.Replace("##Name##", Name.Text)
                mailBody = mailBody.Replace("##Email##", email.Text)
                mailBody = mailBody.Replace("##Phone##", phone.Text)
                mailBody = mailBody.Replace("##Subject##", Subject.Text)
                mailBody = mailBody.Replace("##Enquiry##", enquiry.Text)

                myMessage.Subject = "Enquiry from the U3A web site"
                myMessage.Body = mailBody
                myMessage.From = New MailAddress(email.Text, Name.Text)
                myMessage.Bcc.Add(New MailAddress("***", "Pembs U3A admins"))

                Dim mySmtpClient As SmtpClient = New SmtpClient()
                Try
                    mySmtpClient.Send(myMessage)
                Catch ex As Exception
                    Literal2.Text = "An error occurred trying to send your message"
                End Try

                Literal2.Visible = True
                formtable.Visible = False
            End If

        End If

    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        If Not Page.IsPostBack Then
            Literal1.Text = "Email "

            ' the query-string key is "officer" (as in Button1_Click), not "Officerid"
            If Len(Request.QueryString("officer")) < 3 Then
                Dim officerid As Integer = CInt(Request.QueryString("officer"))
                Select Case officerid
                    Case 1
                        Literal1.Text &= "Nova"
                    Case 2
                        Literal1.Text &= "Rhoda"
                    Case 3
                        Literal1.Text &= "Pauline and Arthur"
                    Case 4
                        Literal1.Text &= "Terry"
                    Case 5
                        Literal1.Text &= "Graham"
                End Select
            End If

 
        Else
            Literal1.Text = "Your email has been sent"
        End If
    End Sub

Last edited by AdamPembs; February 11th, 2011 at 06:42 AM..
 
Old February 11th, 2011, 01:18 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Hi Adam,

In this example, you're safe with the query string ID. Since you explicitly convert the Query String value to an Integer, your code will crash when you try to pass anything else. In other situations, you need to take more control over the input. For example, you directly insert the text from the form into an e-mail message. This could be abused to create malicious e-mail bodies with links which in turn can lead to problems if the recipients click them in their e-mail programs.

You may find this interesting: http://www.govcertuk.gov.uk/pdfs/sql_injection.pdf
http://stackoverflow.com/questions/2...hen-displaying
http://msdn.microsoft.com/en-us/library/ff647397.aspx
http://msdn.microsoft.com/en-us/libr...v=VS.100).aspx

There's a lot more on encoding user input and protecting yourself against SQL and cross site scripting attacks. The above links should be treated as a starting point only.

Cheers,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
The Following User Says Thank You to Imar For This Useful Post:
AdamPembs (February 12th, 2011)
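The points in Imar's reply, written out as an added VB.NET example (this is not the original poster's code or Imar's): the officer id is validated with Integer.TryParse and a whitelist instead of CInt, the visitor's address is checked by MailAddress, and the template is sent as plain text. It assumes the same page controls (Literal1, Literal2, formtable, Name, email, phone, Subject, enquiry, Button1) and the same ~/App_Data/ContactForm.txt template as the post above; the helper TryGetOfficer, the display names for officers 6-8 and the @example.org addresses are placeholders.

```vb
' Added example, not the code from the post above. Assumes the same page controls
' and ContactForm.txt template; TryGetOfficer, the officer list and the
' @example.org addresses are placeholders.
Imports System.IO
Imports System.Net.Mail
Imports System.Web

Partial Class ContactForm
    Inherits System.Web.UI.Page

    ' Display names 1-5 come from the post; 6-8 are placeholders.
    Private Shared ReadOnly OfficerNames() As String = _
        {"Nova", "Rhoda", "Pauline and Arthur", "Terry", "Graham", "Officer 6", "Officer 7", "Officer 8"}

    ' Validate the "officer" query-string value without calling CInt on raw input.
    ' Integer.TryParse never throws, so "61'+or+1=@@version", "", "abc" or "9" all
    ' return False and the page shows a normal message instead of the unhandled
    ' InvalidCastException (and its error page) that the probe produced.
    Private Shared Function TryGetOfficer(ByVal raw As String, ByRef recipient As MailAddress) As Boolean
        recipient = Nothing
        Dim id As Integer
        If raw Is Nothing OrElse Not Integer.TryParse(raw.Trim(), id) Then Return False
        If id < 1 OrElse id > OfficerNames.Length Then Return False   ' whitelist: 1-8 only
        recipient = New MailAddress("officer" & id & "@example.org", OfficerNames(id - 1))
        Return True
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Page.IsPostBack Then
            Literal1.Text = "Your email has been sent"
            Return
        End If

        Dim recipient As MailAddress = Nothing
        If TryGetOfficer(Request.QueryString("officer"), recipient) Then
            ' HtmlEncode anything written into the page; the names are fixed here,
            ' but the habit is what protects you once they are not.
            Literal1.Text = "Email " & HttpUtility.HtmlEncode(recipient.DisplayName)
        Else
            ' Missing or tampered id: a plain 400 and a message, no stack trace.
            Response.StatusCode = 400
            Literal1.Text = "Unknown recipient."
            formtable.Visible = False
        End If
    End Sub

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
        If Not Page.IsValid Then Return

        Dim recipient As MailAddress = Nothing
        If Not TryGetOfficer(Request.QueryString("officer"), recipient) Then
            Literal2.Text = "Unknown recipient."
            Literal2.Visible = True
            Return
        End If

        ' Let MailAddress validate the visitor's address: it throws FormatException
        ' for anything that is not one well-formed mailbox.
        Dim visitor As MailAddress = Nothing
        Try
            visitor = New MailAddress(email.Text.Trim(), Name.Text.Trim())
        Catch ex As FormatException
            Literal2.Text = "Please enter a valid e-mail address."
            Literal2.Visible = True
            Return
        End Try

        ' The template is filled with raw form text, so the message is sent as
        ' plain text: markup or links pasted into the enquiry arrive as literal
        ' characters. If the template ever becomes HTML, HtmlEncode each value first.
        Dim mailBody As String = File.ReadAllText(Server.MapPath("~/App_Data/ContactForm.txt"))
        mailBody = mailBody.Replace("##Name##", Name.Text)
        mailBody = mailBody.Replace("##Email##", email.Text)
        mailBody = mailBody.Replace("##Phone##", phone.Text)
        mailBody = mailBody.Replace("##Subject##", Subject.Text)
        mailBody = mailBody.Replace("##Enquiry##", enquiry.Text)

        Dim myMessage As New MailMessage()
        myMessage.IsBodyHtml = False
        myMessage.Subject = "Enquiry from the U3A web site"   ' fixed text, not visitor input
        myMessage.Body = mailBody
        myMessage.From = visitor
        myMessage.To.Add(recipient)

        Try
            Dim mySmtpClient As New SmtpClient()
            mySmtpClient.Send(myMessage)
            Literal2.Text = "Thank you, your message has been sent."
        Catch ex As Exception
            ' Log ex on the server; never echo its message to the visitor.
            Literal2.Text = "An error occurred trying to send your message."
        End Try

        Literal2.Visible = True
        formtable.Visible = False
    End Sub
End Class
```

The difference from the original handler is where a bad id ends up: CInt on `61'+or+1=@@version` raises an InvalidCastException and the site answers with an error page (which is how the attempt was noticed in the first place), whereas TryParse plus the range check turns the same request into a quiet 400 and keeps the recipient list under the page's control. Encoding the name before it reaches Literal1 and sending the body as plain text cover the two other points Imar raises, output encoding and form text flowing straight into the e-mail.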
 
Old February 12th, 2011, 12:18 PM
Authorized User
 
Join Date: Jan 2010
Posts: 31
Thanks: 5
Thanked 2 Times in 2 Posts

Thanks, those are great security resources

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.